monitor capture (interface/control plane)
To configure monitor capture points specifying an attachment point and the packet flow direction or add more attachment points to a capture point, use the monitor capture command in privileged EXEC mode. To disable the monitor capture with the specified attachment point and the packet flow direction or disable one of multiple attachment points on a capture point, use the no form of this command.
monitor capture {capture-name} {interface interface-type interface-id | control-plane} {in | out | both}
no monitor capture {capture-name} {interface interface-type interface-id | control-plane} {in | out | both}
Syntax Description
capture-name | The name of the capture to be defined. |
interface interface-type interface-id | |
control-plane | Specifies the control plane as an attachment point. |
in \| out \| both | Specifies the traffic direction to be captured. |
Command Default
A Wireshark capture is not configured.
Command Modes
Privileged EXEC
Command History
Release | Modification |
---|---|
Cisco IOS XE 3.3SE | This command was introduced. |
Usage Guidelines
Once an attachment point has been associated with a capture point using this command, the only way to change its direction is to remove the attachment point using the no form of the command and reattach the attachment point with the new direction. An attachment point's direction cannot be overridden.
If an attachment point is removed from a capture point and only one attachment point is associated with it, the capture point is effectively deleted.
Multiple attachment points can be associated with a capture point by re-running this command with another attachment point. An example is provided below.
Multiple capture points can be defined, but only one can be active at a time. In other words, you have to stop one before you can start the other.
Packets captured in the output direction of an interface might not reflect the changes made by switch rewrite (which includes TTL, VLAN tag, CoS, checksum, MAC addresses, DSCP, precedence, UP, and so on).
No specific order applies when defining a capture point; you can define capture point parameters in any order. The Wireshark CLI allows as many parameters as possible on a single line. This limits the number of commands required to define a capture point.
Neither VRFs, management ports, nor private VLANs can be used as attachment points.
Wireshark cannot capture packets on a destination SPAN port.
When a VLAN is used as a Wireshark attachment point, packets are captured in the input direction only.
Wireless (CAPWAP) Usage Considerations
The only form of wireless capture is a CAPWAP tunnel capture.
When capturing CAPWAP tunnels, no other interface types can be used as attachment points on the same capture point. The only different type of attachment point allowed on the same capture point is the control plane. The combination of control plane and CAPWAP tunnel attachment points should be able to capture all wireless-related traffic.
Capturing multiple CAPWAP tunnels is supported. ACLs for each CAPWAP tunnel will be combined and sent to the switch as a single ACL.
Core filters will not be applied and can be omitted when capturing a CAPWAP tunnel. When control plane and CAPWAP tunnels are mixed, the core filter will not be applied on the control plane packets either.
To capture a CAPWAP non-data tunnel, capture traffic on the management VLAN and apply an appropriate ACL to filter the traffic. Note that this ACL will be combined with the core filter ACL and assigned to the switch as a single ACL.
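The attachment-point rules above can be checked before a change window by replaying the planned commands against a small model. The following Python sketch is an added example, not Cisco code: `replay`, `is_capwap` and the finding texts are hypothetical names and wording, and it models only direction changes, removal of the last attachment point, CAPWAP mixing and the core filter.

```python
DIRECTIONS = {"in", "out", "both"}

def is_capwap(target):
    return target.lower().startswith("interface capwap")

def replay(commands):
    """Replay CLI lines; return (capture_points, findings)."""
    points, findings = {}, []
    for n, line in enumerate(commands, 1):
        negate = line.split()[:1] == ["no"]
        tok = line.split()[1:] if negate else line.split()
        if tok[:2] != ["monitor", "capture"] or len(tok) < 4:
            continue
        name, rest = tok[2], tok[3:]
        if rest[0] not in ("match", "interface", "control-plane"):
            continue                      # file/start/stop are not modelled
        cp = points.setdefault(name, {"attach": {}, "filter": False})
        if rest[0] == "match":            # core filter
            cp["filter"] = not negate
        else:
            direction = rest.pop() if rest[-1] in DIRECTIONS else None
            target = " ".join(rest)
            old = cp["attach"].get(target)
            others = [t for t in cp["attach"] if t != "control-plane"]
            if negate:
                cp["attach"].pop(target, None)
            elif old and old != direction:
                findings.append((n, f"{target}: direction is '{old}', remove with 'no' first"))
            elif target != "control-plane" and any(is_capwap(t) != is_capwap(target) for t in others):
                findings.append((n, f"{target}: CAPWAP cannot mix with other interface types"))
            else:
                cp["attach"][target] = direction
        if negate and not cp["attach"]:
            del points[name]              # last attachment point removed
    for name, cp in points.items():       # filter checks once replay is done
        capwap = any(is_capwap(t) for t in cp["attach"])
        if capwap and cp["filter"]:
            findings.append((0, f"{name}: core filter is not applied with CAPWAP"))
        elif cp["attach"] and not capwap and not cp["filter"]:
            findings.append((0, f"{name}: no core filter (match) defined"))
    return points, findings

SAMPLE = [  # constructed input reusing the page's capture and interface names
    "monitor capture mycap interface GigabitEthernet1/0/1 in",
    "monitor capture mycap match ipv4 any any",
    "monitor capture mycap interface GigabitEthernet1/0/1 out",  # override attempt
    "monitor capture mycap interface capwap 0 both",             # CAPWAP mixed in
]
RESULT = replay(SAMPLE)
```

Findings are `(line_number, message)` tuples; line number 0 marks a check made on the final state rather than on a single command.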
Examples
To define a capture point using a physical interface as an attachment point:
Switch# monitor capture mycap interface GigabitEthernet1/0/1 in
Switch# monitor capture mycap match ipv4 any any
Note: The second command defines the core filter for the capture point. This is required for a functioning capture point unless you are using a CAPWAP tunneling attachment point in your capture point. If you are using CAPWAP tunneling attachment points in your capture point, you cannot use core filters.
To define a capture point with multiple attachment points:
Switch# monitor capture mycap interface GigabitEthernet1/0/1 in
Switch# monitor capture mycap match ipv4 any any
Switch# monitor capture mycap control-plane in
Switch# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/1 in
monitor capture mycap control-plane in
To remove an attachment point from a capture point defined with multiple attachment points:
Switch# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/1 in
monitor capture mycap control-plane in
Switch# no monitor capture mycap control-plane
Switch# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/1 in
To define a capture point with a CAPWAP attachment point:
Switch# show capwap summary
CAPWAP Tunnels General Statistics:
Number of Capwap Data Tunnels = 1
Number of Capwap Mobility Tunnels = 0
Number of Capwap Multicast Tunnels = 0
Name APName Type PhyPortIf Mode McastIf
------ -------------------------------- ---- --------- --------- -------
Ca0 AP442b.03a9.6715 data Gi3/0/6 unicast -
Name SrcIP SrcPort DestIP DstPort DtlsEn MTU Xact
------ --------------- ------- --------------- ------- ------ ----- ----
Ca0 10.10.14.32 5247 10.10.14.2 38514 No 1449 0
Switch# monitor capture mycap interface capwap 0 both
Switch# monitor capture mycap file location flash:mycap.pcap
Switch# monitor capture mycap file buffer-size 1
Switch# monitor capture mycap start
*Aug 20 11:02:21.983: %BUFCAP-6-ENABLE: Capture Point mycap enabled.on
Switch# show monitor capture mycap parameter
monitor capture mycap interface capwap 0 in
monitor capture mycap interface capwap 0 out
monitor capture mycap file location flash:mycap.pcap buffer-size 1
Switch#
Switch# show monitor capture mycap
Status Information for Capture mycap
Target Type:
Interface: CAPWAP,
Ingress:
0
Egress:
0
Status : Active
Filter Details:
Capture all packets
Buffer Details:
Buffer Type: LINEAR (default)
File Details:
Associated file name: flash:mycap.pcap
Size of buffer(in MB): 1
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Packets per second: 0 (no limit)
Packet sampling rate: 0 (no sampling)
Switch#
Switch# show monitor capture file flash:mycap.pcap
1 0.000000 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
2 0.499974 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
3 2.000000 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
4 2.499974 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
5 3.000000 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
6 4.000000 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
7 4.499974 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
8 5.000000 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
9 5.499974 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
10 6.000000 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
11 8.000000 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
12 9.225986 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
13 9.225986 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
14 9.225986 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
15 9.231998 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
16 9.231998 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
17 9.231998 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
18 9.236987 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
19 10.000000 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
20 10.499974 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
21 12.000000 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
22 12.239993 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
23 12.244997 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
24 12.244997 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
25 12.250994 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
26 12.256990 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
27 12.262987 10.10.14.2 -> 10.10.14.32 DTLSv1.0 Application Data
28 12.499974 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........
29 12.802012 10.10.14.3 -> 10.10.14.255 NBNS Name query NB WPAD.<00>
30 13.000000 00:00:00:00:00:00 -> 3c:ce:73:39:c6:60 IEEE 802.11 Probe Request, SN=0, FN=0, Flags=........