This example shows
how to use buffer capture:
Step 1: Launch a capture
session with the buffer capture option by entering:
Device# monitor capture mycap interface GigabitEthernet1/0/3 in
Device# monitor capture mycap match ipv4 any any
Device# monitor capture mycap buffer circular size 1
Device# monitor capture mycap start
Step 2: Determine whether
the capture is active by entering:
Device# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/3, Direction: in
Status : Active
Filter Details:
IPv4
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: CIRCULAR
Buffer Size (in MB): 1
File Details:
File not associated
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Step 3: Display
extended capture statistics during runtime by entering:
Device# show monitor capture mycap capture-statistics
Capture statistics collected at software:
Capture duration - 88 seconds
Packets received - 1000
Packets dropped - 0
Packets oversized - 0
Packets errored - 0
Packets sent - 1000
Bytes received - 182000
Bytes dropped - 0
Bytes oversized - 0
Bytes errored - 0
Bytes sent - 114000
Step 4: Stop the
capture by entering:
Device# monitor capture mycap stop
Capture statistics collected at software (Buffer):
Capture duration - 2185 seconds
Packets received - 51500
Packets dropped - 0
Packets oversized - 0
Step 5: Display
extended capture statistics after stop by entering:
Device# show monitor capture mycap capture-statistics
Capture statistics collected at software:
Capture duration - 156 seconds
Packets received - 2000
Packets dropped - 0
Packets oversized - 0
Packets errored - 0
Packets sent - 2000
Bytes received - 364000
Bytes dropped - 0
Bytes oversized - 0
Bytes errored - 0
Bytes sent - 228000
Step 6: Determine
whether the capture is active by entering:
Device# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/3, Direction: in
Status : Inactive
Filter Details:
IPv4
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: CIRCULAR
Buffer Size (in MB): 1
File Details:
File not associated
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Step 7: Display the
packets in the buffer by entering:
Device# show monitor capture mycap buffer brief
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40057/31132, ttl=254
2 0.000030 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40058/31388, ttl=254
3 0.000052 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40059/31644, ttl=254
4 0.000073 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40060/31900, ttl=254
5 0.000094 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40061/32156, ttl=254
6 0.000115 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40062/32412, ttl=254
7 0.000137 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40063/32668, ttl=254
8 0.000158 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40064/32924, ttl=254
9 0.000179 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40065/33180, ttl=254
10 0.000200 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40066/33436, ttl=254
11 0.000221 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40067/33692, ttl=254
12 0.000243 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0038, seq=40068/33948, ttl=254
--More--
Notice that the
packets have been buffered.
Step 8: Display the
packets in other display modes.
Device# show monitor capture mycap buffer detailed
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
Frame 1: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0
Interface id: 0
Encapsulation type: Ethernet (1)
Arrival Time: Nov 6, 2015 18:10:06.297972000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1446833406.297972000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 114 bytes (912 bits)
Capture Length: 114 bytes (912 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:icmp:data]
Ethernet II, Src: Cisco_f3:63:46 (00:e1:6d:f3:63:46), Dst: Cisco_31:f1:c6 (00:e1:6d:31:f1:c6)
Destination: Cisco_31:f1:c6 (00:e1:6d:31:f1:c6)
Address: Cisco_31:f1:c6 (00:e1:6d:31:f1:c6)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Cisco_f3:63:46 (00:e1:6d:f3:63:46)
Address: Cisco_f3:63:46 (00:e1:6d:f3:63:46)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.10.10.2 (10.10.10.2), Dst: 10.10.10.1 (10.10.10.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 100
Identification: 0xabdd (43997)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 254
Protocol: ICMP (1)
Header checksum: 0xe8a4 [validation disabled]
[Good: False]
[Bad: False]
Source: 10.10.10.2 (10.10.10.2)
Destination: 10.10.10.1 (10.10.10.1)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xa620 [correct]
Identifier (BE): 56 (0x0038)
Identifier (LE): 14336 (0x3800)
Sequence number (BE): 40057 (0x9c79)
Sequence number (LE): 31132 (0x799c)
Data (72 bytes)
0000 00 00 00 00 0b 15 30 63 ab cd ab cd ab cd ab cd ......0c........
0010 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0020 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0030 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0040 ab cd ab cd ab cd ab cd ........
Data: 000000000b153063abcdabcdabcdabcdabcdabcdabcdabcd...
[Length: 72]
Frame 2: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0
Device# show monitor capture mycap buffer dump
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
0000 00 e1 6d 31 f1 c6 00 e1 6d f3 63 46 08 00 45 00 ..m1....m.cF..E.
0010 00 64 ab dd 00 00 fe 01 e8 a4 0a 0a 0a 02 0a 0a .d..............
0020 0a 01 08 00 a6 20 00 38 9c 79 00 00 00 00 0b 15 ..... .8.y......
0030 30 63 ab cd ab cd ab cd ab cd ab cd ab cd ab cd 0c..............
0040 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0050 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0060 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0070 ab cd ..
0000 00 e1 6d 31 f1 c6 00 e1 6d f3 63 46 08 00 45 00 ..m1....m.cF..E.
0010 00 64 ab de 00 00 fe 01 e8 a3 0a 0a 0a 02 0a 0a .d..............
0020 0a 01 08 00 a6 1d 00 38 9c 7a 00 00 00 00 0b 15 .......8.z......
0030 30 65 ab cd ab cd ab cd ab cd ab cd ab cd ab cd 0e..............
0040 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0050 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0060 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................
0070 ab cd
Step 9: Clear the
buffer by entering:
Device# monitor capture mycap clear
Note |
NOTE -
Clearing the buffer deletes the buffer along with the contents.
|
Note |
If you require
the buffer contents to be displayed, run the clear commands after show
commands.
|
Step 10: Restart the
traffic, wait for 10 seconds, then display the buffer contents by entering:
Note |
We cannot run
show from buffer during an active capture. Capture should be stopped before
running show from buffer. We can however run a show on a pcap file during an
active capture in both file and buffer mode. In file mode, we can display the
packets in the current capture session's pcap file as well when the capture is
active.
|
Device# monitor capture mycap start
Switch# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/3, Direction: in
Status : Active
Filter Details:
IPv4
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: CIRCULAR
Buffer Size (in MB): 1
File Details:
File not associated
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Step 11: Stop the
packet capture and display the buffer contents by entering:
Device# monitor capture mycap stop
Capture statistics collected at software (Buffer):
Capture duration - 111 seconds
Packets received - 5000
Packets dropped - 0
Packets oversized - 0
Step 12: Determine
whether the capture is active by entering:
Device# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/3, Direction: in
Status : Inactive
Filter Details:
IPv4
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: CIRCULAR
Buffer Size (in MB): 1
File Details:
File not associated
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Step 13: Display the
packets in the buffer by entering:
Device# show monitor capture mycap buffer brief
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=0/0, ttl=254
2 0.000030000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=1/256, ttl=254
3 0.000051000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=2/512, ttl=254
4 0.000072000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=3/768, ttl=254
5 0.000093000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=4/1024, ttl=254
6 0.000114000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=5/1280, ttl=254
7 0.000136000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=6/1536, ttl=254
8 0.000157000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=7/1792, ttl=254
9 0.000178000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=8/2048, ttl=254
10 0.000199000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=9/2304, ttl=254
11 0.000220000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=10/2560, ttl=254
12 0.000241000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=11/2816, ttl=254
--More‹
Step 14: Store the
buffer contents to the mycap.pcap file in the internal flash: storage device by
entering:
Device# monitor capture mycap export flash:mycap.pcap
Exported Successfully
Note |
The current
implementation of export is such that when the command is run, export is
"started" but not complete when it returns the prompt to the user. So we have
to wait for a message display on the console from Wireshark before it can run a
display of packets in the file.
|
Step 15: Display
capture packets from the file by entering:
Device# show monitor capture file flash:mycap.pcap
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=0/0, ttl=254
2 0.000030000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=1/256, ttl=254
3 0.000051000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=2/512, ttl=254
4 0.000072000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=3/768, ttl=254
5 0.000093000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=4/1024, ttl=254
6 0.000114000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=5/1280, ttl=254
7 0.000136000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=6/1536, ttl=254
8 0.000157000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=7/1792, ttl=254
9 0.000178000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=8/2048, ttl=254
10 0.000199000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=9/2304, ttl=254
11 0.000220000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=10/2560, ttl=254
12 0.000241000 10.10.10.2 -> 10.10.10.1 ICMP 114 Echo (ping) request id=0x0039, seq=11/2816, ttl=254
--More--
Step 16: Delete the
capture point by entering:
Device# no monitor capture mycap