- Title
- Table of Contents
- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Administering the Switch
- Configuring the Cisco IOS XE In Service Software Upgrade Process
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 8-E
- Configuring Cisco NSF with SSO Supervisor Engine Redundancy
- Environmental Monitoring and Power Management
- Configuring Power over Ethernet
- Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant
- Configuring VLANs, VTP, and VMPS
- Configuring IP Unnumbered Interface
- Configuring Layer 2 Ethernet Interfaces
- Configuring SmartPort Macros
- Configuring Cisco IOS Auto Smartport Macros
- Configuring STP and MST
- Configuring Flex Links and MAC Address-Table Move Update
- Configuring Resilient Ethernet Protocol
- Configuring Optional STP Features
- Configuring EtherChannel and Link State Tracking
- Configuring IGMP Snooping and Filtering
- Configuring IPv6 MLD Snooping
- Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
- Configuring CDP
- Configuring LLDP, LLDP-MED, and Location Service
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring IP Multicast
- Configuring ANCP Client
- Configuring Policy-Based Routing
- Configuring VRF-lite
- Configuring Quality of Service
- Configuring Voice Interfaces
- Configuring Private VLANs
- Configuring MACsec Encryption
- Configuring 802.1X Port-Based Authentication
- Configuring the PPPoE Intermediate Agent
- Configuring Web-Based Authentication
- Configuring Port Security
- Configuring Control Plane Policing and Layer 2 Control Packet QoS
- Configuring Dynamic ARP Inspection
- Support for IPv6
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- Configuring Network Security with ACLs
- Port Unicast and Multicast Flood Blocking
- Configuring Storm Control
- Configuring Wireshark
- Configuring SPAN and RSPAN
- Configuring Enhanced Object Tracking
- Configuring System Message Logging
- Onboard Failure Logging (OBFL)
- Configuring SNMP
- Configuring Flexible NetFlow
- Configuring Ethernet OAM and CFM
- Configuring Y.1731 (AIS and RDI)
- Configuring Call Home
- Configuring Cisco IOS IP SLA Operations
- Configuring RMON
- Performing Diagnostics
- Configuring WCCP Version 2 Services
- ROM Monitor
- Configuring MIB Support
- Acronyms and Abbreviations
- Index
- About Wireshark
- Feature Interactions
- Configuring Wireshark
- Guidelines and Restrictions
- Best Practices
- Notes Specific to the Wireshark CLI
- Monitoring Wireshark
Configuring Wireshark
The Catalyst 4500 series switch supports Wireshark, a packet analyzer program, formerly known as Ethereal, which supports multiple protocols and presents information in a text-based user interface.
This chapter includes these sections:
- About Wireshark
- Feature Interactions
- Configuring Wireshark
- Guidelines and Restrictions
- Monitoring Wireshark
- Usage Examples for Wireshark
Note For complete syntax and usage information for the switch commands used in this chapter, first look at the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html
If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/ps6350/index.html
About Wireshark
To understand what happens inside a network requires the ability to capture and analyze traffic. Prior to Cisco IOS Release XE 3.3.0SG, the Catalyst 4500 series switch offered only two features to address this need: SPAN and debug platform packet. Both are limited. SPAN is ideal for capturing packets, but can only deliver them by forwarding them to some specified local or remote destination; it provides no local display or analysis support. The debug platform packet command is specific to the Catalyst 4500 series switch and only works on packets that stem from the software process-forwarding path. Although it has limited local display capabilities, it has no analysis support.
So the need exists for a traffic capture and analysis mechanism that is applicable to both hardware and software forwarded traffic and that provides strong packet capture, display and analysis support, preferably using a well known interface.
Wireshark dumps packets to a file using a well known format called .pcap, and is applied or enabled on individual interfaces. You specify an interface in EXEC mode along with the filter and other parameters. The Wireshark application is applied only when you enter a start command and is removed only when Wireshark stops capturing packets either automatically or manually.
Note In Cisco IOS Release XE 3.3.0SG, global packet capture on Wireshark is not supported.
These sections describe some key concepts for Wireshark:
- Capture Points
- Attachment Points: Interfaces and traffic directions
- Filters
- Actions
- Storing Captured Packets to Buffer in Memory
Capture Points
A capture point is the central policy definition of the Wireshark feature. The point describes all the characteristics associated with a given instance of Wireshark: what packets to capture, where to capture them from, what to do with the captured packets, and when to stop. Capture points can be modified after creation and do not become active until explicitly activated with a start command. This process is termed activating the capture point or starting the capture point. Capture points are identified by name and may also be manually or automatically deactivated or stopped.
Multiple capture points may be defined and activated simultaneously.
Attachment Points: Interfaces and traffic directions
An attachment point is a point in the logical packet process path associated with a capture point. Consider an attachment point as an attribute of the capture point. Packets that impact an attachment point are tested against the capture point's filters; packets that match are copied and sent to the capture point's associated Wireshark instance. A specific capture point can be associated with multiple attachment points, with limits on mixing attachment points of different types. Some restrictions apply when you specify attachment points of different types. Attachment points are directional (input or output or both) with the exception of the Layer 2 VLAN attachment point, which is always bidirectional.
Filters
Filters are attributes of a capture point that identify and limit the subset of traffic traveling through the attachment point of a capture point, which is copied and passed to Wireshark. To be displayed by Wireshark, a packet must pass through an attachment point, as well as all of the filters associated with the capture point.
A capture point has three types of filters:
- Core system filter—The core system filter is applied by hardware, and its match criteria is limited by hardware. This filter determines whether hardware-forwarded traffic is copied to software for Wireshark purposes.
- Capture filter—The capture filter is applied by Wireshark. The match criteria are more granular than those supported by the core system filter. Packets that pass the core filter but fail the capture filter are still copied and sent to the CPU/software, but are discarded by the Wireshark process. The capture filter syntax matches that of the display filter.
Note Wireshark on the Catalyst 4500 series switch does not use the syntax of the capture filter.
Core System Filter
You can specify core system filter match criteria by using the class map or ACL, or explicitly by using the CLI.
In some installations, you need to obtain authorization to modify the switch configuration, which can lead to extended delays if the approval process is lengthy. This would limit the ability of network administrators to monitor and analyze traffic. To address this situation, Wireshark supports explicit specification of core system filter match criteria from the EXEC mode CLI. The disadvantage is that the match criteria that you can specify is a limited subset of what class map supports, such as MAC, IP source and destination addresses, ether-type, IP protocol, and TCP/UDP source and destination ports.
If you prefer to use configuration mode, you can define ACLs or have class maps refer capture points to them. Explicit and ACL-based match criteria are used internally to construct class maps and policy maps. These implicitly constructed class maps are not reflected in the switch running-config and are not NVGEN’d.
Note The configuration of ACL and class-map are part of the system and not aspects of the Wireshark feature
Capture Filter
The capture filter allows you to direct Wireshark to further filter incoming packets based on various conditions. Wireshark applies the capture filter immediately on receipt of the packet; packets that fail the capture filter are neither stored nor displayed.
A switch receives this parameter and passes it unchanged to Wireshark. Because Wireshark parses the application filter definition, the defining syntax is the one provided by the Wireshark display filter. This syntax and that of standard Cisco IOS differ, which allows you to specify ACL match criteria that cannot be expressed with standard syntax.
Note The capture filter syntax matches that of the Wireshark display filter. The syntax for capture and display filters are identical in the Wireshark implementation on the Catalyst 4500 series switch.
Display Filter
With the display filter, you can direct Wireshark to further narrow the set of packets to display when decoding and displaying from a .pcap file. Because the syntax of the display filter is identical to the capture filter, the display filter is superfluous if a capture filter is also defined.
For more details on the syntax of capture and display filters, go to
http://wiki.wireshark.org/DisplayFilters
Actions
Wireshark can be invoked on live traffic or on a previously existing .pcap file. When invoked on live traffic, it can perform four types of actions on packets that pass its capture and display filters:
- Captures to buffer in memory to decode and analyze and store
- Stores to a .pcap file
- Decodes and displays
- Stores and displays
When invoked on a .pcap file only, only the decode and display action is applicable.
Storing Captured Packets to Buffer in Memory
Packets can be stored in the capture buffer in memory for subsequent decode, analysis, or storage to a .pcap file.
The capture buffer can be linear or circular mode. In linear mode, new packets are discarded when the buffer is full. In circular mode, if the buffer is full, the oldest packet are discarded to accommodate the new packet. Although the buffer can also be cleared when needed, this mode is mainly used for debugging network traffic.
Storing Captured Packets to a .pcap File
Wireshark can store captured packets to a .pcap file. The capture file can be located on the following storage devices:
- Catalyst 4500 series switch on-board flash storage (bootflash:)
- external flash disk (slot:)
- USB drive (usb0:)
Note Do not attempt to use Wireshark with any other devices.
When configuring a Wireshark capture point, you can associate a filename. When the capture point is activated, Wireshark creates a file with the specified name and writes packets to it. If the file already exists when the file is associated or the capture point is activated, Wireshark queries you as to whether the file can be overwritten. Only one capture point may be associated with a given filename.
If the destination of the Wireshark writing process is full, Wireshark fails with partial data in the file. You must ensure that there is sufficient space in the file system before you start the capture session. With Cisco IOS Release IOS XE 3.3.0SG, the file system full status is not detected for some storage devices.
You can reduce the required storage space by retaining only a segment, instead of the entire packet. Typically, you do not require details beyond the first 64 or 128 bytes. The default behavior is to store the entire packet.
To avoid possible packet drops when processing and writing to the file system, Wireshark can optionally use a memory buffer to temporarily hold packets as they arrive. Memory buffer size can be specified when the capture point is associated with a .pcap file.
Decoding and Displaying Packets
Wireshark can decode and display packets to the console. This functionality is possible for capture points applied to live traffic and for capture points applied to a previously existing .pcap file.
Note Decoding and displaying packets may be CPU intensive.
Wireshark can decode and display packet details for a wide variety of packet formats. The details are displayed by entering the monitor capture name start command with one of the following keyword options, which place you into a display and decode mode:
- brief—Displays one line per packet (the default).
- detailed—Decodes and displays all the fields of all the packets whose protocols are supported. Detailed mode require more CPU than the other two modes.
- (hexadecimal) dump—Displays one line per packet as a hexadecimal dump of the packet data and the printable characters of each packet.
When we enter the capture command with the decode and display option, the Wireshark output is returned to Cisco IOS and displayed on the console unchanged.
Displaying Live Traffic
Wireshark receives copies of packets from the Catalyst 4500 series switch core system. Wireshark applies its capture and display filters to discard uninteresting packets, and then decodes and displays the remaining packets.
Displaying from .pcap File
Wireshark can decode and display packets from a previously stored .pcap file and direct the display filter to selectively displayed packets. A capture filter is not applicable in this situation.
Storing and Displaying Packets
Functionally, this mode is a combination of the previous two modes. Wireshark stores packets in the specified .pcap file and decodes and displays them to the console. Only the core and capture filters are applicable here.
Activating and Deactivating Wireshark Capture Points
After a Wireshark capture point has been defined with its attachment points, filters, actions, and other options, it must be activated. Until the capture point is activated, it does not actually capture packets.
Before a capture point is activated, some sanity checks are performed. A capture point cannot be activated if it has neither a core system filter nor attachment points defined. Attempting to activate a capture point that generates an error.
The capture and display filters are specified as needed.
After Wireshark capture points are activated, they can be deactivated in multiple ways. A capture point that is storing only packets to a .pcap file can be halted manually or configured with time or packet limits, after which the capture point halts automatically. Only packets that pass the Wireshark capture filter are counted against the packet limit threshold.
When a Wireshark capture point is activated, a fixed rate filter is applied automatically in the hardware so that the CPU is not flooded with Wireshark-directed packets. The disadvantage of the rate filter is that you cannot capture contiguous packets beyond the established rate even if more resources are available.
Feature Interactions
This section describes how Wireshark features function in the Catalyst 4500 series switch environment:
- Layer 2 security features—Packets that are dropped by Layer 2 security features (such as port security, MAC address filtering, and spanning tree) are not captured by Wireshark. This differs from the behavior of SPAN.
- Classification-based security features—Packets that are dropped by input classification-based security features (such as ACLs and IPSG) are not caught by Wireshark capture points that are connected to attachment points at the same layer. In contrast, packets that are dropped by output classification-based security features are caught by Wireshark capture points that are connected to attachment points at the same layer. The logical model is that the Wireshark attachment point occurs after the security feature lookup on the input side, and symmetrically before the security feature lookup on the output side.
Wireshark capture policies connected to Layer 2 attachment points in the input direction capture packets dropped by Layer 3 classification-based security features. Symmetrically, Wireshark capture policies attached to Layer 3 attachment points in the output direction capture packets dropped by Layer 2 classification-based security features.
- Routed ports and Layer 3 port channels—When a routed port or Layer 3 port channel is used as a Wireshark attachment point, the The policy that is applied to capture the packets is treated as attached at Layer 3. Wireshark only captures packets that are being routed by the interface.
- VLANs—When a VLAN is used as a Wireshark attachment point, packets are captured in both input and output directions. A packet that is bridged in the VLAN generates two copies, one on input and one on output.
- Private VLANs—Secondary PVLANs are disallowed as Wireshark attachment points. Using a primary PVLAN as a Wireshark attachment point enables capture of packets in the primary PVLAN and all associated secondary PVLANs. The entire PV domain becomes the attachment point.
- Redirection features—In the input direction, features traffic redirected by Layer 3 (such as PBR and WCCP), are logically later than Layer 3 Wireshark attachment points. Wireshark captures these packets even though they might later be redirected out another Layer 3 interface. Symmetrically, output features redirected by Layer 3 (such as egress WCCP) are logically prior to Layer 3 Wireshark attachment points, and Wireshark will not capture them.
- Classification copy features—Features that generate copies of packets from the role-based and Security lookup types are compatible with Wireshark. Multiple copies of these packets are generated.
- SPAN—Wireshark cannot capture packets on interface configured as a SPAN source or destination.
There are four classification results for input and output classification. In the input direction, they are ordered role-based, security, QoS, and forwarding override. In the output direction they are ordered forwarding override, role-based, security, and QoS.
On the input side, the Wireshark capture feature is placed in the forwarding override result type, prioritized above the other FO features (such as multicast local source capture, PBR and ingress WCCP). The packets captured by Wireshark are before any redirection by PBR or WCCP. Because security ACLs are applied ahead of FO-related features, packets that are dropped by security ACLs are not captured by Wireshark.
On the output side, the Wireshark capture feature is placed in the forwarding override result type, prioritized below the other FO features (such as egress WCCP). Wireshark captures packets only if the other egress FO features do not apply.
Configuring Wireshark
The CLI for configuring Wireshark requires that the feature be executed only from EXEC mode. Actions that usually occur in configuration submode (such as defining capture points), are handled at the EXEC mode instead. All key commands are not NVGEN’d and are not synchronized to the standby supervisor in NSF and SSO scenarios.
The following sections describe how to configure Wireshark:
- Default Wireshark Configuration
- Wireshark Configuration Guidelines
- Defining, Modifying, or Deleting a Capture Point
- Activating and Deactivating a Capture Point
Default Wireshark Configuration
Table 53-1 shows the default Wireshark configuration.
Defining, Modifying, or Deleting a Capture Point
Although listed in sequence, the steps to specify values for the options can be executed in any order. You can also specify them in one, two, or several lines. Except for attachment points, which can be multiple, you can replace any value with a more recent value by respecifying the same option, in the following order:
Step 1 Define the name that identifies the capture point.
Step 2 Specify the attachment point with which the capture point is associated.
Multiple attachment points can be specified. Range support is also available both for adding and removing attachment points.
Step 3 Define the core system filter, defined either explicitly, through ACL or through a class map.
Step 4 Specify the session limit (in seconds or packets captured).
Step 5 Specify the packet segment length to be retained by Wireshark.
Step 6 Specify the file association, if the capture point intends to capture packets rather than merely display them.
Step 7 Specify the size of the memory buffer used by Wireshark to handle traffic bursts.
To filter the capture point, use the following commands:
To define a capture point, use the following commands:
To clear the buffer contents, use the following command
To start and stop a capture point, use the following command:
Activating and Deactivating a Capture Point
A capture point cannot be activated unless an attachment point and a core system filter have been defined and the associated filename (if any) does not already exist. A capture point with no associated filename can only be activated to display. If no capture or display filters are specified, all of the packets captured by the core system filter are displayed. The default display mode is brief.
To activate or deactivate a capture point, perform these tasks:
Guidelines and Restrictions
- When packet capture is enabled in the input direction, the matching packets undergo software-based lookup in the CPU for the first 15 seconds. During this time, CPU usage is high and capture rate is low.
- When packet capture is enabled in the output direction, packets are not captured in the first 15 seconds.
- Packets captured in the output direction of an interface might not reflect the changes made by switch rewrite (includes TTL, VLAN tag, CoS, checksum, and MAC addresses).
- Capturing at a physical port that belongs to another logical port may not be supported. For example, capturing at EtherChannel member ports is not supported.
- Limiting circular file storage by file size is not supported.
- Wireshark cannot capture IPv6 packets if the capture point's class-map filter is attempting to match one of the following:
– Extension headers followed by Hop-by-hop header (as per CSCtt16385)
Best Practices
Consider the following best practices:
- During Wireshark packet capture, hardware forwarding happens concurrently.
- Before starting a Wireshark capture process, ensure that CPU usage is moderate and that sufficient memory (at least 200 MB) is available.
- If you plan to store packets to a storage file, ensure that sufficient space is available before beginning a Wireshark capture process.
- The CPU usage during Wireshark capture depends on how many packets match the specified conditions and on the intended actions for the matched packets (store, decode and display, or both).
- Limit packet capture with parameters of the capture point command (like packet number and capture duration).
- Because packet forwarding typically occurs in hardware, packets are not copied to the CPU for software processing. For Wireshark packet capture, packets are copied and delivered to the CPU, which causes an increase in CPU usage.
To avoid high CPU, do the following:
– Use a class map, and secondarily, an access list to express match conditions. If neither is viable, use an explicit, in-line filter.
– Adhere closely to the filter rules. Restrict the traffic type (such as, IPv4 only) with a restrictive, rather than relaxed ACL, which elicits unwanted traffic.
- Always limit packet capture to either a shorter duration or a smaller packet number. The parameters of the capture command enable you to specify the following:
- Run a capture session without limits if you know that very little traffic matches the core filter.
- Do not leave a capture session enabled and unattended for a long period of time, because unanticipated bursts of traffic could increase the CPU usage.
- During a capture session, watch for high CPU usage and memory consumption due to Wireshark that may impact switch performance or health. If these situations arise, stop the Wireshark session immediately.
- Avoid decoding and displaying packets from a .pcap file for a large file. Instead, transfer the .pcap file to a PC and run Wireshark on the PC.
- Limit the number of Wireshark instances to two or less to avoid CPU or memory resource drain.
You can use up to eight Wireshark instances. An active show command that decodes and displays packets from a .pcap file or capture buffer counts as one instance.
- Whenever an ACL is installed or modified on a switch in the ingress direction, for the first 15 seconds, the software ignores packet classification details sent by the hardware. Instead, it uses software-based classification for the packets received by CPU. So, during this period, the system can only capture fewer packets (compared to the time after the first 15 seconds) and CPU usage will be high.
Note In the egress direction, packets are not captured for the first 15 seconds.
– Use store-only (when you do not specify the display option) while capturing live packets rather than Decode and display, which is an CPU-intensive operation (especially in detailed mode).
– If you use the default buffer size, packets may be dropped. Increase buffer size and avoid packet loss.
– Writing to flash disk is a CPU-intensive operation, so the capture rate may not be sufficient.
– The Wireshark capture session operates normally in streaming mode where packets are both captured and processed. However, when you specify a buffer size of at least 32 MB, the session automatically turns on lock-step mode in which a Wireshark capture session is split into two phases: capture and process. In the capture phase, the packets are stored in the temporary buffer. The duration parameter in lock-step mode serves as capture duration rather than session duration. When the buffer is full or the capture duration has ended, a session transitions to the process phase, in which it stops accepting packets and starts processing packets in the buffer. With the second approach (lock-step mode), a higher capture throughput can be achieved.
– The streaming capture mode supports approximately 1500 pps; lock-step mode supports roughly 45 Mbps (measured with 256-byte packets). When the matching traffic rate exceeds this number, you may experience packet loss.
- If you want to decode and display live packets in the console window, ensure that the Wireshark session is bounded by a short capture duration. A Wireshark session with either a longer duration limit or no capture duration (using a terminal with no auto-more support using the term len 0 command) may make the console or terminal unusable.
- Do not launch a capture session with ring files or capture buffer and leave it unattended for a long time. This may lead to performance or system health issues because of high CPU or memory usage.
- When using Wireshark to capture live traffic that leads to high CPU usage, consider applying a QoS policy temporarily to limit the actual traffic until the capture process concludes.
Notes Specific to the Wireshark CLI
If you need to use access list or class-map in the Wireshark CLI, you must define an access list and class map with configuration commands.
- No specific order applies when defining a capture point; you can define capture point parameters in any order, provided that CLI allows this. The Wireshark CLI allows as many parameters as possible on a single line. This limits the number of commands required to define a capture point.
- All parameters except attachment points take a single value. Generally, you can replace the value with a new one by reentering the command. After user confirmation, the system accepts the new value and overrides the older one. A no form of the command is unnecessary to provide a new value; it is necessary to remove a parameter.
- Wireshark allows you to specify one or more attachment points. To add more than one attachment point, re-enter the command with the new attachment point. To remove an attachment point, use the no form. You can specify an interface range as an attachment point.
- You cannot modify any parameters of a capture point while a session is active. To modify any parameter, stop the session, make the changes, and restart the session. Because an access list is generic to a switch and unrelated to the Wireshark process, it is alterable during a Wireshark session.
- The action you want to perform determines which parameters are mandatory. The Wireshark CLI allows you to specify or modify any parameter prior to entering the start command. When you issue the start command, Wireshark will start only after determining that all mandatory parameters have been provided.
- If the capture file already exists, it provides a warning and receives confirmation before proceeding.This prevents you from mistakenly overwriting a file.
- The core filter can be an explicit filter, access list, or class map. Specifying a newer filter of these types replaces the existing one.
- You can terminate a Wireshark session with an explicit stop command or by entering q in automore mode. The session could terminate itself automatically when a stop condition such as duration or packet capture limit is met.
Monitoring Wireshark
The commands in the following table are used to monitor Wireshark.
Usage Examples for Wireshark
Example 1: Simple Capture and Display
Let us say we want to monitor traffic in the Layer 3 interface Gigabit 3/1:
Step 1 Define a capture point to match on the relevant traffic by entering:
Note To avoid high CPU utilization, we have set a low packet count and duration as limits.
Step 2 Confirm that the capture point has been correctly defined by entering:
Step 3 Start the capture process and display the results.
Step 4 Delete the capture point:
Example 2: Simple Capture and Store
This example shows how to capture packets to a filter.
Step 1 Define a capture point to match on the relevant traffic and associate it to a file.
Step 2 Confirm that the capture point has been correctly defined.
Step 4 After sufficient time has passed, stop the capture.
Note Alternatively, you can allow the capture operation stop automatically after the time has elapsed or the packet count has been met.
The mycap.pcap file now contains the captured packets.
Step 6 Delete the capture point.
Example 3: Using Buffer Capture
This example shows how to use buffer capture:
Step 1 Launch a capture session with the buffer capture option:
Step 2 Determine whether the capture is active.
Step 3 Display the packets in the buffer.
Notice that the packets have now been buffered.
Step 4 Display the packets in other display modes.
Step 5 Clear the buffer once, wait for 10 seconds, then stop the traffic:
Wait for 10 seconds and stop the traffic again.
Confirm that the same set of packets are displayed after this time gap.
Step 6 Clear the packets from the buffer.
Step 7 Confirm that the buffer is now empty.
Step 8 Display the buffer contents.
Step 9 Restart the traffic, wait about 10 seconds, then display buffer contents.
Step 10 Store the buffer contents to the mycap1.pcap file in the internal bootflash: storage device.
Step 11 Ensure that the file has been created and that it contains the packets.
Step 12 Stop the packet capture and display the buffer contents.
Step 13 Clear the buffer and then try to display packets from the buffer.
Step 14 Delete the capture point.
Example 4: Capture Sessions
The following examples show how to start or stop a capture session in various modes:
Switch# monitor capture mycap start capture-filter "udp.port == 20001" display display-filter "udp.port == 20002"
Feedback