- Index
- Preface
- Product Overview
- Command-Line Interfaces
- Smart Port Macros
- Virtual Switching Systems (VSS)
- Enhanced Fast Software Upgrade (eFSU)
- Fast Software Upgrades
- Stateful Switchover (SSO)
- Non-Stop Forwarding (NSF)
- RPR Supervisor Engine Redundancy
- Layer 2 LAN Port Configuration
- Flex Links
- EtherChannels
- IEEE 802.1ak MVRP and MRP
- VLAN Trunking Protocol (VTP)
- VLANs
- Private VLANs (PVLANs)
- Private Hosts
- IEEE 802.1Q Tunneling
- Layer 2 Protocol Tunneling
- Spanning Tree Protocols (STP, MST)
- Optional STP Features
- IP Unicast Layer 3 Switching
- Policy Based Routing (PBR)
- Layer 3 Interface Configuration
- Unidirectional Ethernet (UDE) and unidirectional link routing (UDLR)
- Multiprotocol Label Switching (MPLS)
- MPLS VPN Support
- Ethernet over MPLS (EoMPLS)
- IPv4 Multicast Layer 3 Features
- IPv4 Multicast IGMP Snooping
- IPv4 PIM Snooping
- IPv4 Multicast VLAN Registration (MVR)
- IPv4 IGMP Filtering
- IPv4 Router Guard
- IPv4 Multicast VPN Support
- IPv6 Multicast Layer 3 Features
- IPv6 MLD Snooping
- Netflow
- NetFlow Data Export (NDE)
- Call Home
- System Event Archive (SEA)
- Backplane Platform Monitoring
- Local SPAN, RSPAN, and ERSPAN
- SNMP IfIndex Persistence
- Top-N Reports
- Layer 2 Traceroute Utility
- Mini Protocol Analyzer
- PFC QoS
- AutoQoS
- MPLS QoS
- PFC QoS Statistics Data Export
- Cisco IOS ACL Support
- Cisco TrustSec (CTS)
- AutoSecure
- MAC Address-Based Traffic Blocking
- Port ACLs (PACLs)
- VLAN ACLs (VACLs)
- Policy-Based Forwarding (PBF)
- Denial of Service (DoS) Protection
- Control Plane Policing (CoPP)
- Dynamic Host Configuration Protocol (DHCP) Snooping
- IP Source Guard
- Dynamic ARP Inspection (DAI)
- Traffic Storm Control
- Unknown Unicast and Multicast Flood Control
- IEEE 802.1X Port-Based Authentication
- Configuring Web-Based Authentication
- Port Security
- Lawful Intercept
- Online Diagnostic Tests
Mini Protocol Analyzer
•Prerequisites for the Mini Protocol Analyzer
•Restrictions for the Mini Protocol Analyzer
•Information About the Mini Protocol Analyzer
•How to Configure the Mini Protocol Analyzer
•Configuration Examples for the Mini Protocol Analyzer
Note•For complete syntax and usage information for the commands used in this chapter, see these publications:
http://www.cisco.com/en/US/products/ps11846/prod_command_reference_list.html
•Cisco IOS Release 15.1SY supports only Ethernet interfaces. Cisco IOS Release 15.1SY does not support any WAN features or commands.
Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum
Prerequisites for the Mini Protocol Analyzer
None.
Restrictions for the Mini Protocol Analyzer
The PFC and any DFCs provide hardware support for analysis of IPv4 traffic. Analysis of low volume IPv6 traffic is supported in software.
Information About the Mini Protocol Analyzer
The Mini Protocol Analyzer captures network traffic from a SPAN session and stores the captured packets in a local memory buffer. Using the provided filtering options, you can limit the captured packets to:
•Packets from selected VLANs, ACLs, or MAC addresses.
•Packets of a specific EtherType.
•Packets of a specified packet size.
You can start and stop the capture using immediate commands, or you can schedule the capture to begin at a specified date and time.
The captured data can be displayed on the console, stored to a local file system, or exported to an external server using normal file transfer protocols. The format of the captured file is libpcap, which is supported by many packet analysis and sniffer programs. Details of this format can be found at the following URL:
By default, only the first 68 bytes of each packet are captured.
How to Configure the Mini Protocol Analyzer
•Configuring a Capture Session
•Filtering the Packets to be Captured
•Starting and Stopping a Capture
•Displaying and Exporting the Capture Buffer
Configuring a Capture Session
To configure a capture session using the Mini Protocol Analyzer, perform this task:
•Only one capture session is supported; multiple simultaneous capture sessions cannot be configured.
•The source interface command argument is either a single interface, or a range of interfaces described by two interface numbers (the lesser one first, separated by a dash), or a comma-separated list of interfaces and ranges.
Note When configuring a source interface list, you must enter a space before and after the comma. When configuring a source interface range, you must enter a space before and after the dash.
•The source vlan command argument is either a single VLAN number from 1 through 4094 (except reserved VLANs), or a range of VLANs described by two VLAN numbers (the lesser one first, separated by a dash), or a list of VLANs and ranges.
Note When configuring a source VLAN list, do not enter a space before or after the comma. When configuring a source VLAN range, do not enter a space before or after the dash. Note that this requirement differs from the requirement for source interface lists and ranges.
•Data capture does not begin when the capture session is configured. The capture is started by the monitor capture start or monitor capture schedule command described in the "Starting and Stopping a Capture" section.
•Although the capture buffer is linear by default, it can be made circular as a run-time option in the monitor capture start or monitor capture schedule command.
•When no hardware rate limit registers are available, the capture session is disabled.
•The source VLAN cannot be changed if a VLAN filter is configured. Remove any VLAN filters before changing the source VLAN.
Filtering the Packets to be Captured
To filter the packets to be captured by the Mini Protocol Analyzer, perform this task in capture session configuration mode:
•Several options are provided for filtering the packets to be captured. Filtering by ACL and VLAN is performed in hardware before any rate-limiting is applied; all other filters are executed in software. Software filtering can decrease the capture rate.
•The filter vlan argument is either a single VLAN number from 1 through 4094 (except reserved VLANs), or a range of VLANs described by two VLAN numbers (the lesser one first, separated by a dash), or a list of VLANs and ranges.
Note When configuring a filter VLAN list, you must enter a space before and after the comma. When configuring a filter VLAN range, you must enter a space before and after the dash. Note that this requirement differs from the requirement for source VLAN lists and ranges described in the preceding section.
•To enter an EtherType as a decimal number, enter the number (1 to 65535) with no leading zero. To enter a hexadecimal number, precede four hexadecimal characters with the prefix 0x. To enter an octal number, enter numeric digits (0 to 7) with a leading zero. For example, the 802.1Q EtherType can be entered in decimal notation as 33024, in hexadecimal as 0x8100, or in octal as 0100400.
•Enter a MAC address as three 2-byte values in dotted hexadecimal format. An example is 0123.4567.89ab.
•The no keyword removes the filter.
Note After removing a VLAN filter using the no keyword, you must exit configuration mode, reenter the capture configuration mode, and issue the source vlan command before making other capture configuration changes.
•When you configure a VLAN filter, the capture source or destination must be a VLAN. When you configure a port filter, the capture source or destination must be a port.
Starting and Stopping a Capture
The commands to start and stop a capture are not stored as configuration settings. These commands are executed from the console in EXEC mode. You can start a capture immediately or you can set a future date and time for the capture to start. The capture ends when one of the following conditions occurs:
•A stop or clear command is entered from the console.
•The capture buffer becomes full, unless it is configured as a circular buffer.
•The optionally specified number of seconds has elapsed.
•The optionally specified number of packets has been captured.
When the capture stops, the SPAN session is ended and no further capture session packets are forwarded to the processor.
When starting a packet capture, you have the option to override some configured settings.
To start, stop, or cancel a capture, perform this task:
When using these commands, note the following information:
•The format for time and date is hh:mm:ss dd mmm yyyy. The hour is specified in 24-hour notation, and the month is specified by a three-letter abbreviation. For example, to set a capture starting time of 7:30 pm on October 31, 2006, use the notation 19:30:00 31 oct 2006. The time zone is GMT.
•When you specify a capture filter ACL in the start command, the new ACL will not override any configured ACLs. The new ACL will execute in software.
Displaying and Exporting the Capture Buffer
To display the captured packets or information about the capture session, or to export the captured packets for analysis, perform this task:
Configuration Examples for the Mini Protocol Analyzer
•General Configuration Examples
•Filtering Configuration Examples
General Configuration Examples
This example shows how to minimally configure the Mini Protocol Analyzer:
Router#
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# monitor session 1 type capture
Router(config-mon-capture)# end
Router# show mon cap
Capture instance [1] :
======================
Capture Session ID : 1
Session status : up
rate-limit value : 10000
redirect index : 0x807
buffer-size : 2097152
capture state : OFF
capture mode : Linear
capture length : 68
Router#
This example shows how to configure the buffer size, session description, and rate limit:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# monitor session 1 type capture
Router(config-mon-capture)# buffer-size 4096
Router(config-mon-capture)# description "Capture from ports, no filtering."
Router(config-mon-capture)# rate-limit 20000
Router(config-mon-capture)# end
Router#
Router# show monitor capture
Capture instance [1] :
======================
Capture Session ID : 1
Session status : up
rate-limit value : 20000
redirect index : 0x807
buffer-size : 4194304
capture state : OFF
capture mode : Linear
capture length : 68
Router#
This example shows how to configure the source as a mixed list of ports:
Router(config-mon-capture)# source interface gig 3/1 - 3 , gig 3/5
This example shows how to configure the source as a mixed list of VLANs:
Router(config-mon-capture)# source vlan 123,234-245
Filtering Configuration Examples
This example shows how to configure for capturing packets with the following attributes:
•The packets belong to VLANs 123 or 234 through 245
•The packets are of 802.1Q EtherType (hexadecimal 0x8100, decimal 33024)
•The packet size is exactly 8192 bytes
•The source MAC address is 01:23:45:67:89:ab
•The packets conform to ACL number 99
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# monitor session 1 type capture
Router(config-mon-capture)# source vlan 123,234-245
Router(config-mon-capture)# filter ethertype 0x8100
Router(config-mon-capture)# filter length 8192
Router(config-mon-capture)# filter mac-address 0123.4567.89ab
Router(config-mon-capture)# filter access-group 99
Router(config-mon-capture)# end
Router# show monitor capture
Capture instance [1] :
======================
Capture Session ID : 1
Session status : up
rate-limit value : 20000
redirect index : 0x7E07
Capture vlan : 1019
buffer-size : 4194304
capture state : OFF
capture mode : Linear
capture length : 68
Sw Filters :
ethertype : 33024
src mac : 0123.4567.89ab
Hw acl : 99
Router# show monitor session 1
Session 1
---------
Type : Capture Session
Description : capture from ports
Source VLANs :
Both : 123,234-245
Capture buffer size : 4096 KB
Capture rate-limit
value : 20000
Capture filters :
ethertype : 33024
src mac : 0123.4567.89ab
acl : 99
Egress SPAN Replication State:
Operational mode : Centralized
Configured mode : Distributed (default)
Router#
This example shows how to capture packets whose size is less than 128 bytes:
Router(config-mon-capture)# filter length 0 128
This example shows how to capture packets whose size is more than 256 bytes:
Router(config-mon-capture)# filter length 256 9216
Operation Examples
This example shows how to start and stop a capture:
Router# monitor capture start
Router# monitor capture stop
Router#
This example shows how to start a capture to end after 60 seconds:
Router# monitor capture start for 60 seconds
Router#
This example shows how to start a capture at a future date and time:
Router# monitor capture schedule at 11:22:33 30 jun 2008
capture will start at : <11:22:33 UTC Mon Jun 30 2008> after 32465825 secs
Router#
This example shows how to start a capture with options to override the buffer size and to change to a circular buffer:
Router# monitor capture buffer size 65535 circular start
Router#
This example shows how to export the capture buffer to an external server and a local disk:
Router# monitor capture export buffer tftp://server/user/capture_file.cap
Router# monitor capture export buffer disk1:capture_file.cap
Display Examples
•Displaying the Capture Session Status
•Displaying the Capture Buffer Contents
Displaying the Configuration
To display the capture session configuration, enter the show monitor capture command.
Router# show monitor capture
Capture instance [1] :
======================
Capture Session ID : 1
Session status : up
rate-limit value : 10000
redirect index : 0x807
buffer-size : 2097152
capture state : OFF
capture mode : Linear
capture length : 68
This example shows how to display more details using the show monitor session n command:
Router# show monitor session 1
Session 1
---------
Type : Capture Session
Source Ports :
Both : Gi3/1-3,Gi3/5
Capture buffer size : 32 KB
Capture filters : None
Egress SPAN Replication State:
Operational mode : Centralized
Configured mode : Distributed (default)
This example shows how to display the full details using the show monitor session n detail command:
Router# show monitor session 1 detail
Session 1
---------
Type : Capture Session
Description : -
Source Ports :
RX Only : None
TX Only : None
Both : Gi3/1-3,Gi3/5
Source VLANs :
RX Only : None
TX Only : None
Both : None
Source RSPAN VLAN : None
Destination Ports : None
Filter VLANs : None
Dest RSPAN VLAN : None
Source IP Address : None
Source IP VRF : None
Source ERSPAN ID : None
Destination IP Address : None
Destination IP VRF : None
Destination ERSPAN ID : None
Origin IP Address : None
IP QOS PREC : 0
IP TTL : 255
Capture dst_cpu_id : 1
Capture vlan : 0
Capture buffer size : 32 KB
Capture rate-limit
value : 10000
Capture filters : None
Egress SPAN Replication State:
Operational mode : Centralized
Configured mode : Distributed (default)
Displaying the Capture Session Status
To display the capture session status, enter the show monitor capture status command.
Router# show monitor capture status
capture state : ON
capture mode : Linear
Number of packets
received : 253
dropped : 0
captured : 90
Displaying the Capture Buffer Contents
To display the capture session contents, enter the show monitor capture buffer command. These examples show the resulting display using several options of this command:
Router# show monitor capture buffer
1 IP: s=10.12.0.5 , d=224.0.0.10, len 60
2 346 0180.c200.000e 0012.44d8.5000 88CC 020707526F7
3 60 0180.c200.0000 0004.c099.06c5 0026 42420300000
4 60 ffff.ffff.ffff 0012.44d8.5000 0806 00010800060
5 IP: s=7.0.84.23 , d=224.0.0.5, len 116
6 IP: s=10.12.0.1 , d=224.0.0.10, len 60
Router# show monitor capture buffer detail
1 Arrival time : 09:44:30 UTC Fri Nov 17 2006
Packet Length : 74 , Capture Length : 68
Ethernet II : 0100.5e00.000a 0008.a4c8.c038 0800
IP: s=10.12.0.5 , d=224.0.0.10, len 60, proto=88
2 Arrival time : 09:44:31 UTC Fri Nov 17 2006
Packet Length : 346 , Capture Length : 68
346 0180.c200.000e 0012.44d8.5000 88CC 020707526F757463031
Router# show monitor capture buffer dump
1 IP: s=10.12.0.5 , d=224.0.0.10, len 60
08063810: 0100 5E00000A ..^...
08063820: 0008A4C8 C0380800 45C0003C 00000000 ..$H@8..E@.<....
08063830: 0258CD8F 0A0C0005 E000000A 0205EE6A .XM.....`.....nj
08063840: 00000000 00000000 00000000 00000064 ...............d
08063850: 0001000C 01000100 0000000F 0004 ..............
2 346 0180.c200.000e 0012.44d8.5000 88CC 020707526F757465720415
3 60 0180.c200.0000 0004.c099.06c5 0026 4242030000000000800000
4 60 ffff.ffff.ffff 0012.44d8.5000 0806 0001080006040001001244
5 IP: s=7.0.84.23 , d=224.0.0.5, len 116
0806FCB0: 0100 5E000005 ..^...
0806FCC0: 0015C7D7 AC000800 45C00074 00000000 ..GW,...E@.t....
0806FCD0: 01597D55 07005417 E0000005 0201002C .Y}U..T.`......,
0806FCE0: 04040404 00000000 00000002 00000010 ................
0806FCF0: 455D8A10 FFFF0000 000A1201 0000 E]............
Router# show monitor capture buffer dump nowrap
1 74 0100.5e00.000a 0008.a4c8.c038 0800 45C0003C000000
2 346 0180.c200.000e 0012.44d8.5000 88CC 020707526F7574
3 60 0180.c200.0000 0004.c099.06c5 0026 42420300000000
4 60 ffff.ffff.ffff 0012.44d8.5000 0806 00010800060400
Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum