Cisco Embedded Wireshark.
I put together this quick reference guide for Cisco Embedded Wireshark.
I have tested the following on Catalyst 3850/9000 (may work on other platforms).
Packet capture with a duration limit of 100 seconds.
monitor capture mycap match ipv4 any any
monitor capture mycap interface GigabitEthernet1/0/48 both
! Set the duration of 100 seconds
monitor capture mycap limit duration 100
monitor capture mycap file buffer-size 100
monitor capture mycap file location flash:mycap.pcap
! Start the packet capture
monitor capture mycap start
! Stop the packet capture
monitor capture mycap stop
! Remove the capture
no monitor capture mycap
Packet capture limited to 100 packets.
monitor capture mycap match ipv4 any any
monitor capture mycap interface GigabitEthernet1/0/48 both
! Set a limit of 100 packets
monitor capture mycap limit packets 100
monitor capture mycap file buffer-size 100
monitor capture mycap file location flash:mycap.pcap
! Start the packet capture
monitor capture mycap start
! Stop the packet capture
monitor capture mycap stop
! Remove the capture
no monitor capture mycap
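Packet capture filtered with an ACL.
! Define the ACL in global configuration mode.
! Note: permit ip any any matches all IPv4 traffic; narrow it to filter the capture.
configure terminal
ip access-list extended testacl
 permit ip any any
end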
monitor capture mycap access-list testacl
monitor capture mycap interface GigabitEthernet1/0/48 both
monitor capture mycap limit packets 100
monitor capture mycap file buffer-size 100
monitor capture mycap file location flash:mycap.pcap
! Start the packet capture
monitor capture mycap start
! Stop the packet capture
monitor capture mycap stop
! Remove the capture
no monitor capture mycap
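A narrower variant of the ACL-filtered capture above, as an added example that is not part of the original post. The ACL name CAP-HOST, the RFC 5737 addresses and the `<user>`/`<server>` placeholders are assumptions; it captures one client/server HTTPS conversation in both directions, checks the settings before starting, then moves the file off the switch, since a pcap on flash holds payload data.

```cisco
! Added example: ACL name, addresses and copy destination are placeholders.
configure terminal
ip access-list extended CAP-HOST
 ! Match both directions of the conversation
 permit tcp host 192.0.2.10 host 198.51.100.20 eq 443
 permit tcp host 198.51.100.20 eq 443 host 192.0.2.10
end
monitor capture mycap access-list CAP-HOST
monitor capture mycap interface GigabitEthernet1/0/48 both
! Bound the capture so it cannot run unattended
monitor capture mycap limit packets 100
monitor capture mycap file buffer-size 100
monitor capture mycap file location flash:mycap.pcap
! Confirm the filter, interface and limits before starting
show monitor capture mycap parameter
monitor capture mycap start
! Check the capture state, then stop it
show monitor capture mycap
monitor capture mycap stop
! Quick on-box check: connection attempts only
show monitor capture file flash:mycap.pcap display-filter "tcp.flags.syn == 1 && tcp.flags.ack == 0"
! Copy the file off over an encrypted channel, then clean up
copy flash:mycap.pcap scp://<user>@<server>/mycap.pcap
delete flash:mycap.pcap
no monitor capture mycap
configure terminal
no ip access-list extended CAP-HOST
end
```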
Packet capture filtered with a class-map.
! Define the ACL and class-map in global configuration mode
configure terminal
ip access-list extended testacl
 permit ip any any
class-map match-all test-class
 match access-group name testacl
end
monitor capture mycap class-map test-class
monitor capture mycap interface GigabitEthernet1/0/48 both
monitor capture mycap limit duration 100
monitor capture mycap file buffer-size 100
monitor capture mycap file location flash:mycap.pcap
! Start the packet capture
monitor capture mycap start
! Stop the packet capture
monitor capture mycap stop
! Remove the capture
no monitor capture mycap
Viewing packet captures on the device (including display filters).
Viewing a packet capture on the device.
show monitor capture file flash:mycap.pcap
1 0.000000 192.168.60.6 -> 224.0.0.2 HSRP 142 Hello (state Standby)
2 0.000265 192.168.80.6 -> 224.0.0.2 HSRP 142 Hello (state Standby)
3 0.000354 192.168.76.6 -> 224.0.0.2 HSRP 142 Hello (state Standby)
4 0.002052 192.168.81.6 -> 224.0.0.2 HSRP 142 Hello (state Active)
5 0.002465 192.168.164.253 -> 224.0.0.2 HSRP 66 Hello (state Active)
6 0.002501 192.168.64.6 -> 224.0.0.2 HSRP 142 Hello (state Active)
7 0.002967 192.168.70.6 -> 224.0.0.2 HSRP 142 Hello (state Standby)
8 0.075313 192.168.69.7 -> 224.0.0.2 HSRP 142 Hello (state Standby)
9 0.075370 192.168.68.7 -> 224.0.0.2 HSRP 142 Hello (state Active)
10 0.075599 192.168.70.7 -> 224.0.0.2 HSRP 142 Hello (state Active)
Counting the packets in a packet capture.
show monitor capture file flash:mycap.pcap packet-count
File name: /flash/mycap.pcap
Number of packets: 1277
Displaying a specific packet (brief/detail).
show monitor capture file flash:mycap.pcap packet-number 1 detailed
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
Frame 1: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits) on interface 0
Interface id: 0 (/tmp/epc_ws/wif_to_ts_pipe)
Encapsulation type: Ethernet (1)
Arrival Time: Nov 16, 2018 09:13:56.389286000 CST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1542381236.389286000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 142 bytes (1136 bits)
Capture Length: 142 bytes (1136 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:vlan:ethertype:ip:udp:capwap.data:wlan:llc:ip:udp:hsrp]
Ethernet II, Src: 8c:60:4f:46:02:bc (8c:60:4f:46:02:bc), Dst: 01:00:5e:01:05:07 (01:00:5e:01:05:07)
Destination: 01:00:5e:01:05:07 (01:00:5e:01:05:07)
Address: 01:00:5e:01:05:07 (01:00:5e:01:05:07)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
--More--
show monitor capture file flash:mycap.pcap packet-number 1 brief
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000 192.168.60.6 -> 224.0.0.2 HSRP 142 Hello (state Standby)
Filtering for an IP address with a display filter.
show monitor capture file flash:mycap.pcap display-filter "ip.addr==192.168.1.1"
Filtering for a DSCP value with a display filter.
show monitor capture file flash:mycap.pcap display-filter "ip.dsfield.dscp == 48"