
Saturday, 8 August 2015

Packet Capture - VSS

The packet capture tool Wireshark is available on the Cisco 4500x platform.

It can capture traffic and save it to .pcap files, display the captured traffic, and filter it for a more detailed view.

Basic terminology used when working with Wireshark on the 4500x platform:

Capture point - the central policy definition of the Wireshark feature. It describes all the characteristics of a Wireshark instance: which packets should be captured, where they should be captured from, what to do with the captured packets, and when to stop the capture. Capture points need to be started with the start command.

Attachment point - a point in the logical packet processing path, associated with a capture point. It describes where the packets should be captured from (interface TenGigabitEthernet 1/1/4, for example).

Filters - attributes of a capture point. They define what should be captured.

Example1 - capturing traffic on a standalone 4500x device:

!Define the interface on which packets should be captured, and in which direction (in and out in this example)
monitor capture mycap1 interface TenGigabitEthernet 1/1/4 both

!Specify which packets should be captured
monitor capture mycap1 match ipv4 host 192.168.1.200 host 192.168.1.201

!Define how long the capture should be active (120 seconds) or how many packets should be captured (30 packets)
monitor capture mycap1 limit packets 30 duration 120

!Define where to store the captured packets
monitor capture mycap1 file location bootflash:mycap1.pcap

!Start the capture point
monitor capture mycap1 start

!Stop the capture point
monitor capture mycap1 stop

!For displaying the captured traffic
show monitor capture file bootflash:mycap1.pcap

!For removing the added configuration
no monitor capture mycap1
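
An offline check of the resulting capture file, as an added example that is not part of the original post: it parses the .pcap and compares its contents with the match and limit settings from Example1. It assumes the file has been copied off the switch, is in classic pcap format with Ethernet framing, and that the two hosts may appear in either direction; the function names and the sample frames are constructed for illustration.

```python
import socket
import struct

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap magic -> byte order

def audit_capture(data, host_a, host_b, packet_limit):
    """Compare classic-pcap bytes with a capture point's match and packet limit."""
    order = MAGICS.get(data[:4])
    if order is None or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    report = {"total": 0, "a_to_b": 0, "b_to_a": 0, "non_ipv4": 0, "outside": []}
    direction = {(host_a, host_b): "a_to_b", (host_b, host_a): "b_to_a"}
    offset = 24                                   # skip the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[offset + 8:offset + 12])[0]
        pkt = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        report["total"] += 1
        l3, ethertype = 14, int.from_bytes(pkt[12:14], "big")
        while ethertype in (0x8100, 0x88A8):      # skip 802.1Q / QinQ tags
            ethertype = int.from_bytes(pkt[l3 + 2:l3 + 4], "big")
            l3 += 4
        if ethertype != 0x0800 or len(pkt) < l3 + 20:
            report["non_ipv4"] += 1               # also covers truncated frames
            continue
        src = socket.inet_ntoa(pkt[l3 + 12:l3 + 16])
        dst = socket.inet_ntoa(pkt[l3 + 16:l3 + 20])
        if (src, dst) in direction:
            report[direction[(src, dst)]] += 1
        else:                                     # record 1-based packet number
            report["outside"].append((report["total"], src, dst))
    report["over_limit"] = report["total"] > packet_limit
    return report

def build_sample_pcap():
    """Constructed sample: 3 frames, one VLAN-tagged, one outside the match."""
    def frame(src, dst, vlan=None):
        tag = struct.pack("!HH", 0x8100, vlan) if vlan else b""
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        return bytes(12) + tag + struct.pack("!H", 0x0800) + ip
    a, b = "192.168.1.200", "192.168.1.201"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (frame(a, b), frame(b, a, vlan=10), frame(a, "10.0.0.5")):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(audit_capture(build_sample_pcap(), "192.168.1.200", "192.168.1.201", 30))
```

For a real file, pass the bytes read from the copied capture in place of `build_sample_pcap()`; any entry in `outside` is a packet that does not belong to the two hosts named in the match statement.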

Wireshark can also be used with a VSS configuration in place. When the attachment point of the capture is on the VSS active switch, the usage is the same as on the standalone platform (presented in Example1).

If the attachment point of the capture is on the VSS standby switch, configuration needs to be done on both the VSS standby and the VSS active device. In this scenario the captured packets are copied to Wireshark from the VSS standby to the VSS active device (through the VSL link). Capture points need to be defined and started on both the VSS standby and the VSS active device.

Example2 - capture when the attachment point is on the VSS standby device:

On VSS active switch:
monitor capture mycap1 interface TenGigabitEthernet 2/1/4 both
monitor capture mycap1 match ipv4 host 192.168.1.200 host 192.168.1.201
monitor capture mycap1 limit packets 30 duration 120
monitor capture mycap1 file location bootflash:mycap1.pcap

!Command to switch to VSS standby device
remote login module VSS_standby_module_number

On VSS standby switch:
monitor capture mycap1 interface TenGigabitEthernet 2/1/4 both
monitor capture mycap1 match ipv4 host 192.168.1.200 host 192.168.1.201
monitor capture mycap1 limit packets 30 duration 120
monitor capture mycap1 file location bootflash:mycap1.pcap
monitor capture mycap1 start
exit

On VSS active switch:
monitor capture mycap1 start

After the capture is done, stop the capture and remove the capture points from the VSS active and VSS standby devices. Captured packets can be displayed from the VSS active device.

On VSS active switch:
monitor capture mycap1 stop
no monitor capture mycap1 

!For displaying the captured traffic
show monitor capture file bootflash:mycap1.pcap

!Command to switch to VSS standby device 
remote login module VSS_standby_module_number

On VSS standby switch:

monitor capture mycap1 stop
no monitor capture mycap1
