Catalyst 4500 Series Switches Wireshark Feature Configuration Example

Introduction

This document describes how to configure the Wireshark feature for Cisco Catalyst 4500 Series switches.

Prerequisites

Requirements

In order to utilize the Wireshark feature, you must meet these conditions:

• The system must utilize a Cisco Catalyst 4500 Series switch.
• The switch must run Supervisor Engine 7-E (Supervisor Engine 6 is unsupported at this time).
• The feature must have a set IP Base and Enterprise Services (LAN Base is unsupported at this time).
• The switch CPU cannot have a high utilization condition, as the Wireshark feature is CPU-intensive and software-switches certain packets in the capture process.

Components Used

The information in this document is based on Cisco Catalyst 4500 Series switches that run Supervisor Engine 7-E.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

The Cisco Catalyst 4500 Series switches that run Supervisor Engine 7-E have a new built-in functionality with Cisco IOS^?-XE Versions 3.3(0) / 151.1 or later. This built-in Wireshark feature has the ability to capture packets in a way that replaces the traditional use of Switch Port Analyzer (SPAN) with an attached PC in order to capture packets in a troubleshooting scenario.

Configure

This section serves as a quick-start guide in order to begin a capture. The information provided is very general, and you must implement filters and buffer settings as needed in order to limit the excessive capture of packets if you operate in a production network.

Complete these steps in order to configure the Wireshark feature:

1. Verify that you meet the conditions in order to support the capture. (Reference the Requirements section for more details.) Enter these commands and verify the output:
   

   4500TEST#show version
   
   Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software 
    (cat4500e-UNIVERSAL-M), Version 03.03.00.SG RELEASE SOFTWARE (fc3)
   
   <output omitted>
   
   License Information for 'WS-X45-SUP7-E'
    License Level: entservices   Type: Permanent
    Next reboot license Level: entservices
   
   cisco WS-C4507R+E (MPC8572) processor (revision 8)
    with 2097152K/20480K bytes of memory.
   
   Processor board ID FOX1512GWG1
   
   MPC8572 CPU at 1.5GHz, Supervisor 7
   
   <output omitted>
   
   4500TEST#show proc cpu history
   
   History information for system:
   
       888844444222222222222222333334444422222222222222255555222222
   100
    90
    80
    70
    60
    50
    40
    30
    20
    10 ****                                                       ****
     0.....5.....1.....1.....2.....2.....3.....3.....4.....4.....5....5
                 0     5     0     5     0     5     0     5     0    5   
   
                       CPU% per second (last 60 seconds)

2. Traffic is captured in a TX/RX direction from port gig2/26 in this example. Store the capture file on bootflash in a pcap file format for review from a local PC, if necessary:

   Note: Ensure that you perform the configuration from User EXEC mode, not Global Configuration mode.

   4500TEST#monitor capture MYCAP interface g2/26 both
   4500TEST#monitor capture file bootflash:MYCAP.pcap
   4500TEST#monitor capture MYCAP match any start
   
   *Sep 13 15:24:32.012: %BUFCAP-6-ENABLE: Capture Point MYCAP enabled.

3. This captures all traffic ingress and egress on port g2/26. It also fills the file very quickly with useless traffic in a production situation, unless you specify the direction and apply capture filters in order to narrow the scope of the traffic that is captured. Enter this command in order to apply a filter:
   

   4500TEST#monitor capture MYCAP start capture-filter "icmp"

   Note: This ensures that you only capture Internet Control Message Protocol (ICMP) traffic in your capture file.

4. Once the capture file times-out, or fills the size quota, you receive this message:

   *Sep 13 15:25:07.933: %BUFCAP-6-DISABLE_ASYNC:
    Capture Point MYCAP disabled. Reason : Wireshark session ended

   Enter this command in order to manually stop the capture:

   4500TEST#monitor capture MYCAP stop

5. You can view the capture from the CLI. Enter this command in order to view the packets:

   4500TEST#show monitor capture file bootflash:MYCAP.pcap
   
     1   0.000000 44:d3:ca:25:9c:c9 -> 01:00:0c:cc:cc:cc CDP
         Device ID: 4500TEST  Port ID: GigabitEthernet2/26 
     2   0.166983 00:19:e7:c1:6a:18 -> 01:80:c2:00:00:00 STP
         Conf. Root = 32768/1/00:19:e7:c1:6a:00  Cost = 0  Port = 0x8018
     3   0.166983 00:19:e7:c1:6a:18 -> 01:00:0c:cc:cc:cd STP
         Conf. Root = 32768/1/00:19:e7:c1:6a:00  Cost = 0  Port = 0x8018
     4   1.067989    14.1.98.2 -> 224.0.0.2    HSRP Hello (state Standby)
     5   2.173987 00:19:e7:c1:6a:18 -> 01:80:c2:00:00:00 STP
         Conf. Root = 32768/1/00:19:e7:c1:6a:00  Cost = 0  Port = 0x8018

   Note: The detail option is available at the end in order to view the packet in a Wireshark format. Also, the dump option is available in order to see the Hex value of the packet.

6. The capture file becomes cluttered if you do not use a capture-filter when you begin the capture. In this case, utilize the display-filter option in order to show specific traffic in the display. You only want to view ICMP traffic, not the Hot Standby Router Protocol (HSRP), Spanning Tree Protocol (STP), and Cisco Discovery Protocol (CDP) traffic shown in the previous output. The display-filter uses the same format as Wireshark, so you can find the filtersonline.
   
   

   4500TEST#show monitor capture file bootflash:MYCAP.pcap display-filter "icmp"
   
    17   4.936999  14.1.98.144 -> 172.18.108.26 ICMP Echo
         (ping) request  (id=0x0001, seq(be/le)=0/0, ttl=255)
    18   4.936999 172.18.108.26 -> 14.1.98.144  ICMP Echo
         (ping) reply    (id=0x0001, seq(be/le)=0/0, ttl=251)
    19   4.938007  14.1.98.144 -> 172.18.108.26 ICMP Echo
         (ping) request  (id=0x0001, seq(be/le)=1/256, ttl=255)
    20   4.938007 172.18.108.26 -> 14.1.98.144  ICMP Echo
         (ping) reply    (id=0x0001, seq(be/le)=1/256, ttl=251)
    21   4.938998  14.1.98.144 -> 172.18.108.26 ICMP Echo
         (ping) request  (id=0x0001, seq(be/le)=2/512, ttl=255)
    22   4.938998 172.18.108.26 -> 14.1.98.144  ICMP Echo
         (ping) reply    (id=0x0001, seq(be/le)=2/512, ttl=251)
    23   4.938998  14.1.98.144 -> 172.18.108.26 ICMP Echo
         (ping) request  (id=0x0001, seq(be/le)=3/768, ttl=255)
    24   4.940005 172.18.108.26 -> 14.1.98.144  ICMP Echo
         (ping) reply    (id=0x0001, seq(be/le)=3/768, ttl=251)
    25   4.942996  14.1.98.144 -> 172.18.108.26 ICMP Echo
         (ping) request  (id=0x0001, seq(be/le)=4/1024, ttl=255)
    26   4.942996 172.18.108.26 -> 14.1.98.144  ICMP Echo
         (ping) reply    (id=0x0001, seq(be/le)=4/1024, ttl=251)

7. Transfer the file to a local machine, and look at the pcap file as you would any other standard capture file. Enter one of these commands in order to complete the transfer:
   

   4500TEST#copy bootflash: ftp://Username:Password@<ftp server address>
   4500TEST#copy bootflash: tftp:

8. In order to clean up the capture, remove the configuration with these commands:
   

   4500TEST#no monitor capture MYCAP
   4500TEST#show monitor capture MYCAP
   
   <no output>
   
   4500TEST#

Additional Settings

By default, the size limit of the capture file is 100 packets, or 60 seconds in a linear file. In order to change the size limit, use the limit option in the monitor capture syntax:

4500TEST#monitor cap MYCAP limit ?

duration       Limit total duration of capture in seconds
packet-length  Limit the packet length to capture
packets        Limit number of packets to capture

The buffer maximum size is 100 MB. This is adjusted, as well as the circular/linear buffer setting, with this command:

4500TEST#monitor cap MYCAP buffer ?

circular  circular buffer
size      Size of buffer

The built-in Wireshark feature is a very powerful tool if used correctly. It saves time and resources when you troubleshoot a network. However, exercise caution when you utilize the feature, because it might increase CPU utilization in high-traffic situations. Never configure the tool and leave it unattended.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

Due to hardware limitations, you might receive out-of-order packets in the capture file. This is due to the separate buffers used for the ingress and egress packet captures. If you have out-of-order packets in your capture, set both of your buffers to ingress. This prevents the packets in egress from processing before the ingress packets when the buffer is processed.

If you see out-of-order packets, it is recommended that you change your configuration from both to in on both interfaces.

Here is the previous command:

4500TEST#monitor capture MYCAP interface g2/26 both

Change the command to these:

4500TEST#monitor capture MYCAP interface g2/26 in

4500TEST#monitor capture MYCAP interface g2/27 in

                  +------------+
                  |            |
                  |    4500    |
+------+          |            |         +------+
|      +---------->in       out+--------->      |
| host |          |g2/26  g2/27|         | host |
|      <----------+out       in<---------+      |
+------+          |            |         +------+
                  |            |
                  +------------+

Related Information

• Catalyst 4500 Series Switch Software Configuration Guide, Release IOS XE 3.3.0SG and IOS 15.1(1)SG - Configuring Wireshark
• Technical Support & Documentation - Cisco Systems