Introduction
This document describes how to troubleshoot missing packets in an Embedded Packet Capture (EPC).
Prerequisites
Requirements
Be familiar with Embedded Packet Capture in Cisco IOS® XE. This is described at Configure and Capture Embedded Packet on Software.
Components Used
The examples from this article are based on Cisco IOS XE routers.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
There are scenarios where it is vital to capture all the packets passing through a router. However, the Cisco IOS XE system has a default punt policer mechanism to protect the control plane.
This mechanism can drop some of the captured packets if the policy limitation is reached.
In addition, there is an option that you can configure to increase the number of packets per second (pps) to be captured.
These two elements play a crucial role in the number of packets successfully captured.
Note: The default values of these parameters can be platform and version dependent. Check the notes relevant to your platform and version and, if needed, contact Cisco TAC for further assistance.
Troubleshooting
The Punt Policer
This policer controls the packets that are punted to the control plane.
Use the command show platform hardware qfp active infrastructure punt statistics type punt-drop to see detailed statistics of packets being dropped due to this punt control mechanism.
The output is grouped into different categories. The category you need to focus on is PUNT_PER_CAUSE_POLICER.
This is the category that includes the EPC cause, which refers to the Embedded Packet Capture feature.
---- show platform hardware qfp active infrastructure punt statistics type punt-drop ----
Punt Drop Statistics
Number of punt causes = 165
<snip>
Drop Counter ID 11    Drop Counter Name PUNT_PER_CAUSE_POLICER
  Counter ID    Punt Cause Name                   Packets
  ---------------------------------------------------------------------
<snip>
  075           EPC                               994641
Overall statistics, showing the number of punt packets received and transmitted for each punt cause, can be seen with the command show platform hardware qfp active infrastructure punt statistics type per-cause.
---- show platform hardware qfp active infrastructure punt statistics type per-cause ----
Global Per Cause Statistics
Number of punt causes = 165
Per Punt Cause Statistics
                                                  Packets       Packets
  Counter ID    Punt Cause Name                   Received      Transmitted
  ------------------------------------------------------------------------------------------------
<snip>
  075           EPC                               1527458       532817
This gives an idea of which punt causes consume most of the punt path.
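Added example (not part of the original document): a Python sketch that reads the EPC row from the two outputs above and reports how many punted packets never reached the capture, and what share of them the PUNT_PER_CAUSE_POLICER counter accounts for. The sample text is constructed from the values quoted on this page; the function names and result keys are hypothetical.

```python
import re

# Constructed sample input: the EPC rows and headers quoted on this page.
PER_CAUSE = """\
Per Punt Cause Statistics
                                      Packets     Packets
  Counter ID  Punt Cause Name         Received    Transmitted
  -----------------------------------------------------------
  075         EPC                     1527458     532817
"""
PUNT_DROP = """\
Drop Counter ID 11    Drop Counter Name PUNT_PER_CAUSE_POLICER
  Counter ID  Punt Cause Name         Packets
  -----------------------------------------------------------
  075         EPC                     994641
"""

# <counter id> <cause name> <counter> [<counter>]
ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\d+)(?:\s+(\d+))?\s*$")


def cause_counters(output, cause):
    """Return the integer counters on the row whose punt cause name matches."""
    for line in output.splitlines():
        m = ROW.match(line)
        if m and m.group(2) == cause:
            return [int(g) for g in m.groups()[2:] if g is not None]
    raise LookupError(f"punt cause {cause!r} not found in output")


def epc_capture_loss(per_cause, punt_drop, cause="EPC"):
    """Compare received vs. transmitted punts with the policer drop counter."""
    received, transmitted = cause_counters(per_cause, cause)
    policed = cause_counters(punt_drop, cause)[0]
    missing = received - transmitted
    return {
        "missing": missing,
        "loss_pct": round(100.0 * missing / received, 1) if received else 0.0,
        # Share of the missing packets accounted for by PUNT_PER_CAUSE_POLICER.
        # Well below 1.0 points at other causes (congestion, platform limits).
        "policer_share": round(policed / missing, 3) if missing else 0.0,
    }


if __name__ == "__main__":
    print(epc_capture_loss(PER_CAUSE, PUNT_DROP))
```

With the values shown on this page, the received/transmitted difference equals the policer drop counter, so every missing packet is explained by the punt policer.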
The command show platform software punt-policer gives a snapshot of configured pps, conformed packets, dropped packets by policer, and configured burst in packets for various punt causes. In this case the focus is the EPC punt cause.
Router#show platform software punt-policer
Per Punt-Cause Policer Configuration and Packet Counters
 Punt                   Config Rate(pps)    Conform Packets    Dropped Packets    Config Burst(pkts)    Config Alert
 Cause  Description     Normal    High      Normal    High     Normal    High     Normal    High        Normal    High
-------------------------------------------------------------------------------------------------------------------------------------------------------------
<snip>
 75     EPC             40000     1000      0         0        0         0        40000     1000        Off       Off
Note: Keep in mind that default values for configured rate and configured burst packets can vary among platforms and versions.
The punt policer packets per second and number of burst packets for a punt cause category can be modified using the command platform punt-policer epc <10-32000> [<1-100000000>].
Note: Be cautious about changing the default configured punt values since the punt policer is a control plane protection mechanism.
The Packets per Second (pps) Embedded Packet Capture Parameter
The packets per second parameter limits the number of packets per second to capture.
The packets per second parameter within the embedded packet capture configuration is set with the command:
monitor capture capture-name limit [duration seconds] [every number] [packet-length size] [packets number] [pps number]
Note: Align the punt policer packets per second configuration with the pps parameter configuration of the EPC. Keeping the defaults is advisable.
Detailed information about available parameters for the embedded packet capture can be found at Cisco IOS Embedded Packet Capture Command Reference.
QFP Utilization
Use the punt policer show commands to verify if the EPC cause category has drops.
If you do not see the EPC value increasing, then a different reason can cause the missing packets, such as interface congestion, platform limitation and so on.
Use the command show platform hardware qfp active datapath utilization summary before starting the capture to see the number of packets per second. Then configure the packets per second parameter value in both the punt policer and the embedded packet capture.
Router#show platform hardware qfp active datapath utilization summary
  CPP 0:                     5 secs        1 min        5 min       60 min
    Input:     Total (pps)        0            0            0            0
                     (bps)      200          400          392          200
   Output:     Total (pps)        2            1            1            0
                     (bps)    15016         9136         9144         4080
 Processing:    Load (pct)        1            1            1            1
Router#
Best Practices
For better capture results, use the command monitor capture capture-name access-list access-list-name. This allows you to capture only relevant traffic, which increases the number of packets successfully captured.
Alternatives such as Switched Port Analyzer (SPAN) based tools can be used instead to obtain better results in terms of packets captured.