Traffic Mirroring Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

Selective packet capture for protocol and drops

Updated: March 2, 2026

Want to summarize with AI?

On this page

Overview

Benefits
Configuration guidelines for selective packet capture
Restrictions for Selective packet capture
Configure Selective packet capture for protocol and drops

Overview

This section explains how selective packet capture allows you to monitor specific network packets by filtering based on directions and protocol-specific attributes. Use this feature to optimize SPAN sessions, reduce mirrored traffic volume, and improve network troubleshooting efficiency.

Selective packet capture is a traffic mirroring feature that

enables you to select specific network packets for monitoring or analysis,
allows filtering based on Tx and Rx directions and protocol-specific attributes, and
supports expressions in a standard format similar to the tcpdump tool.


Feature Name	Release Information	Description
Selective packet capture for protocol and drops	Release 25.4.1	Introduced in this release on: Fixed Systems (8200 [ASIC: Q100, Q200, P100], 8700 [ASIC: P100, K100], 8010 [ASIC: A100]); Centralized Systems (8600 [ASIC: Q200]); Modular Systems (8800 [LC ASIC: Q100, Q200, P100]) Selective packet capture provides greater control over mirrored traffic by enabling the filtering and capture of specific dropped packets and protocol packets. By applying filters during the configuration of a monitor session, you can optimize SPAN packet capture to improve network troubleshooting. These filters reduce the volume of captured data, ensuring attention is focused on the most relevant packets. The feature introduces these changes. CLI: The protocol-capture and filter keywords are introduced in the monitor-session command. The filter keyword is introduced in the drops command.

Selective packet capture is applied to both dropped and protocol packets within SPAN monitor sessions by using the monitor-session command. You can configure these filters separately for dropped packets or protocol packets in each session. Filters help to target specific packets, such as those from a particular source IP address.

Benefits

Selective packet capture offers these benefits:

Increases efficiency by reducing the volume of mirrored traffic through granular filtering.
Allows you to capture specific dropped packets and protocol packets.
Diagnoses network issues more effectively.

Configuration guidelines for selective packet capture

Consider these guidelines for using Selective packet capture effectively.

Use valid pcap filter expressions to filter the captured packets.
Configure protocol-capture or drops only on supported destination types such as file, sFlow, or GRE tunnel.
Remove any incorrect attachments when setting up protocol-capture, as attachments are not supported in protocol-capture sessions.

Restrictions for Selective packet capture

These restrictions apply to Selective packet capture.

Drops and protocol-capture cannot be configured simultaneously on the same session.
For ERSPAN, rate-limit features cannot be used in conjunction with drops or protocol-capture configuration.
IPv4 broadcast address filtering is not supported.
The number of global drop and protocol capture sessions is limited.
Any attachments to monitor sessions with protocol-capture configuration are disabled and will show as errors in show monitor-session commands.

Configure Selective packet capture for protocol and drops

Use this task to capture drop or protocol packets by using SPAN sessions, applying direction, and content-based filters. This allows more targeted traffic analysis and efficient troubleshooting.

Before you begin

Verify that the router supports protocol-capture and direction-based filtering.
Ensure that the destination of monitor session is set to file, sFlow, or ERSPAN.
Prepare valid pcap filter expressions if advanced filtering is required.
Confirm that drops and protocol-capture are not configured in the same monitor session.

Follow these steps to configure Selective packet capture for protocol and drops:

Procedure

	1.	Create or identify a monitor-session for packet capture. Example: `Router(config)# monitor-session mon1 ethernet`
	2.	Set the destination for packet capture to file, sFlow, or an ERSPAN tunnel as supported. Example: `Router(config-mon)# destination file size 10000 format pcapng`
	3.	Configure selective packet capture for drop packets. `monitor-session <name> [ethernet] destination {file \| sflow \| interface <tunnel>} drops [packet-processing] [traffic-management] [rx \| tx] [filter <expression>]` Example: Capture drop packets from a particular source IP address. `Router(config)# monitor-session span1 ethernet Router(config-mon)# destination file size 10000 format pcapng Router(config-mon)# drops packet-processing rx filter ip src host 192.0.2.1 Router(config-mon)# commit`
	4.	(Optional) Validate the configuration for drop packets and check for operational errors or unsupported attachments. Example: `Router(config)# show monitor-session status detail Command Output for drop packets: Thu Jul 31 19:40:32.709 UTC Monitor-session span2 Destination File (pcapng) - Not collecting All packet-processing drops: Direction: Rx Drops filtering: PCAP filter ip src host 192.0.2.1 Source Interfaces -----------------`
	5.	Configure selective packet capture for protocol-capture. `monitor-session <name> [ethernet] destination {file \| sflow \| interface <tunnel>} protocol-capture [rx \| tx] [filter <expression>]` Example: Capture all protocol packets in the receive (Rx) direction from a specific protocol. `Router(config)# monitor-session span2 ethernet Router(config-mon)# destination file size 10000 format pcapng always-on periodic-write 10 Router(config-mon)# protocol-capture rx filter arp Router(config-mon)# commit`
	6.	(Optional) Validate the configuration for protocol-capture and check for operational errors or unsupported attachments. Example: `Router(config)# show monitor-session status detail Command Output for protocol packets: Monitor-session span2 Destination File (pcapng) - Packet collecting (always-on) Periodic write interval: 10 seconds Protocol packets: Direction: Rx PCAP filter arp Source Interfaces -----------------`
	7.	(Optional) Use show monitor-session counters command to view packet counter statistics and to monitor replicated and non-replicated packets per session.

The SPAN session captures and saves packets to the specified destination file, filtered by direction and the defined pcap filter expression. Only packets matching the configuration are mirrored and saved.

What to do next

Review the captured pcap files for analysis.
Check per-session counters to validate expected capture rates.
Remove or adjust filters as needed to refine packet capture scope.
Re-enable interface attachments if protocol-capture configuration is removed.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Selective packet capture for protocol and drops

Overview

Benefits

Configuration guidelines for selective packet capture

Restrictions for Selective packet capture

Configure Selective packet capture for protocol and drops

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

What to do next

Need help?