The Embedded Packet Capture (EPC) software subsystem consumes CPU and memory resources during its operation. You must have adequate system resources for different types of operations. The following table provides some guidelines for using the system resources.

The following restrictions apply to Embedded Packet Capture (EPC):

• You cannot use VRFs, management ports, or private VLANs as attachment points.

• A VLAN interface that is in shutdown state does not support EPC.

• If you change an interface from switch port to routed port (Layer 2 to Layer 3), or vice versa, you must delete the capture point and create a new one once the interface comes back up. Stopping and starting the capture point will not work.

• Packets captured in the output direction of an interface might not reflect the changes made by the device rewrite including TTL, VLAN tag, CoS, checksum, MAC addresses, DSCP, precedent, and UP.

• Even though the minimum configurable duration for packet capture is 1 second, packet capture works for a minimum of 2 seconds.

• It is not possible to modify a capture point parameter when a capture is already active or has started.

• EPC captures multicast packets only on ingress and does not capture the replicated packets on egress.

• The rewrite information for both ingress and egress packets is not captured.

• CPU-injected packets are considered control plane packets, and these types of packets will not be captured on an interface egress capture.

• Control plane packets are not rate limited and impact performance. Use filters to limit control plane packet capture.

• DNA Advantage supports decoding of protocols such as Control and Provisioning of Wireless Access Points (CAPWAP).

• You can define up to eight capture points, but only one can be active at a time. Stop one before start the other.

• MAC filter will not capture IP packets even if it matches the MAC address. This applies to all interfaces (Layer 2 switch port, Layer 3 routed port).

• MAC ACL is only used for non-IP packets such as ARP. It won't be supported on a Layer 3 port or SVI.

• MAC filter cannot capture Layer 2 packets (ARP) on Layer 3 interfaces.

• VACL does not support IPv6-based ACLs.

• EPC cannot capture based on the underlying routing protocols in MPLS packets.

• EPC is not supported on Locator/ID Separation Protocol (LISP) interface and tunnel interface.

• EPC is not supported with Ethernet-over-MPLS (EoMPLS).

• Network Based Application Recognition (NBAR) and MAC-style class maps are not supported.

• During Wireshark packet capture, hardware forwarding happens concurrently.

• Because packet forwarding typically occurs in hardware, packets are not copied to the CPU for software processing. When performing a Wireshark packet capture, packets are copied and sent to the CPU, which increases CPU usage. .

• You might experience high CPU (or memory) usage if:

  • You leave a capture session enabled and unattended for a long period, resulting in unanticipated bursts of traffic.

  • You launch a capture session with ring files or capture buffer and leave it unattended for a long time, resulting in performance or system health issues.

• To minimize high CPU usage, follow these steps:

  • Attach only relevant ports.

  • Use a class map, and secondarily, an access list to express match conditions. If neither is viable, use an explicit, in-line filter.

  • Closely follow the filter rules. Restrict the traffic type (for example, IPv4 only) with a strict ACL instead of a relaxed ACL, which can attract unwanted traffic.

  • When using Wireshark to capture live traffic, consider applying a QoS policy temporarily to limit the actual traffic until the capture process concludes.

• Always limit packet capture to either a shorter duration or a smaller packet number. The parameters of the capture command enable you to specify the following:

  • Capture duration

  • Number of packets captured

  • File size

  • Packet segment size

• During a capture session, watch for high CPU usage and memory consumption due to Wireshark that may impact device performance or health. If these situations arise, stop the Wireshark session immediately.

• Run a capture session without limits if you know that little traffic matches the core filter.

• You can define up to eight Wireshark instances. An active show command that decodes and displays packets from a .pcap file or capture buffer counts as one instance. However, only one of the instances can be active.

• When you modify an Access Control List (ACL) that is associated with a running capture, rrestart the capture to apply the changes. Otherwise, it continues to use the original ACL as if it has not been modified.

• Writing to the flash disk is a CPU-intensive operation. If the capture rate is insufficient, consider using a buffer capture.

• Avoid decoding and displaying packets from a .pcap file for a large file. Instead, transfer the .pcap file to a PC and run Wireshark on the PC.

• If you plan to store packets to a storage file, ensure that sufficient space is available before beginning a Wireshark capture process.

• To avoid packet loss, consider the following:

  • Use store-only (when you don't specify the display option) while capturing live packets. Do not use it for decode and display, which is an CPU-intensive operation (especially in detailed mode).

  • If you have more than one capture that is storing packets in a buffer, clear the buffer before starting a new capture to avoid memory loss.

  • If you use the default buffer size and see that you're losing packets, you can increase the buffer size to avoid losing packets.

• If you want to decode and display live packets in the console window, ensure that you bound the Wireshark session by a short capture duration.

• The core filter can be an explicit filter, access list, or class map. Specifying a newer filter of these types replaces the existing one.

  Note	A core filter is required except when using a CAPWAP tunnel interface as a capture point attachment point.

• No specific order applies when defining a capture point. You can define capture point parameters in any order, provided that CLI allows this. The Wireshark CLI allows as many parameters as possible on a single line. This limits the number of commands required to define a capture point.

• All parameters except attachment points take a single value. Generally, you can replace the value with a new one by reentering the command. After user confirmation, the system accepts the new value and overrides the older one. A no form of the command is unnecessary to provide a new value, but it's necessary to remove a parameter.

• Wireshark allows you to specify one or more attachment points. To add more than one attachment point, reenter the command with the new attachment point. To remove an attachment point, use the no form of the command. You can specify an interface range as an attachment point.

  For example, enter monitor capture mycap interface GigabitEthernet1/0/1 in where GigabitEthernet1/0/1 is an attachment point. If you also need to attach interface GigabitEthernet1/0/2, enter it as monitor capture mycap interface GigabitEthernet1/0/2 in

• The action you want to perform determines which parameters are mandatory. The Wireshark CLI allows you to specify or modify any parameter prior to entering the start command. When you enter the start command, Wireshark will start only after determining that all mandatory parameters have been provided.

• If the file during creation of the capture point, Wireshark asks you if the file can be overwritten. If the file exists at the time of activating the capture point, Wireshark overwrites the existing file.

• You can terminate a Wireshark session with an explicit stop command or by entering q in automore mode. The session could terminate itself automatically when it meets a stop condition such as duration or packet capture limit is met. It can terminate if an internal error occurs, or resource is full (specifically if disk is full in file mode).

• Dropped packets won't be shown at the end of the capture. However, only the count of dropped and oversized packets are displayed.

• Wireshark is supported only on switches running DNA Advantage.

• Before starting a Wireshark capture process, ensure that CPU usage is moderate and that sufficient memory (at least 200 MB) is available. The CPU usage during Wireshark capture depends on how many packets match the specified conditions. It also depends on the intended actions for the matched packets (store, decode and display, or both).

• Wireshark does not support global packet capture.

• Wireshark does not support limiting circular file storage by file size.

• If you delete the file used by an active capture session, the capture session cannot create a new file. All further packets captured are lost. You have to restart the capture point.

• File limit is limited to the size of the flash in .

• Wireshark cannot capture packets on a destination SPAN port.

• Wireshark stops capturing when one of the attachment points (interfaces) attached to a capture point stops working. For example, if the device that is associated with an attachment point is unplugged from the device. To resume capturing, restart the capture manually.

• The streaming capture mode supports approximately 1000 pps; lock-step mode supports approximately 2 Mbps (measured with 256-byte packets). When the matching traffic rate exceeds this number, you may experience packet loss.

• You cannot change a capture point when the capture is active.

• Wireshark does not capture packets dropped by floodblock.

• A Wireshark class map allows only one ACL (IPv4, IPv6, or MAC).

• ACL logging and Wireshark are incompatible. Once you activate Wireshark, it takes priority. All traffic, including that captured by ACL logging on any ports, is redirected to Wireshark. We recommended that you deactivate ACL logging before starting Wireshark. Otherwise, Wireshark traffic will be contaminated by ACL logging traffic.

• If you capture both PACL and RACL on the same port, only one copy is sent to the CPU. If you capture a DTLS-encrypted CAPWAP interface, two copies are sent to Wireshark, one encrypted and the other decrypted. The same behavior occurs if you capture a Layer 2 interface carrying DTLS-encrypted CAPWAP traffic. The core filter is based on the outer CAPWAP header.

• The CLI for configuring Wireshark requires that the feature is executed only from EXEC mode. Actions that usually occur in configuration submode (such as defining capture points), are handled at the EXEC mode instead. All key commands are not NVGEN’d and are not synchronized to the standby Supervisor in NSF and SSO scenarios.

Embedded Wireshark is supported with the following limitations:

• Capture filters and display filters are noy supported.

• Active capture decoding is not available.

• The output format is different from previous releases.

• A Wireshark session with either a longer duration limit or no capture duration (using a terminal with no auto-more support using the term len 0 command) may make the console or terminal unusable.

• Packet length range as a filter for packet capture is not supported for non- IPv4/IPv6 packets and fragmented packets.

• Packet length range as a filter cannot be used with any other filters.