In this post we present a practically verified, working Cisco switch command-line procedure (the Embedded Packet Capture feature, driven with the "monitor capture" commands) for capturing a packet trace on a specific interface port, which can then be analysed in Wireshark.
Enabling and capturing a trace on a Cisco switch involves the steps below.
- Defining an access list to restrict the capture to specific hosts
- Defining a capture trace buffer
- Attaching an access list filter to this trace buffer
- Defining any specific interfaces for capture
- Start the capture
- Stop the capture and download the pcap file for analysis
The commands for each step are as follows.
Creating an access list
SW1#configure terminal
SW1(config)#ip access-list standard acl1
SW1(config-std-nacl)#permit any
SW1(config-std-nacl)#end
SW1#
A standard ACL matches on source address only, and "permit any" captures every IPv4 packet seen on the port. On a busy production link, narrow it to the hosts of interest (for example, permit host <address>) so that the 1 MB buffer is not filled with unrelated traffic and the capture does not pick up other users' sessions that you have no need to see.
Defining a trace capture buffer
SW1#monitor capture trace1 buffer size 1
The size is in megabytes. The default buffer type is linear, which stops capturing once the buffer is full; a circular buffer would instead overwrite the oldest packets.
Attaching an access list filter to this trace buffer
SW1#monitor capture trace1 access-list acl1
Attaching the capture to a specific interface
SW1#monitor capture trace1 interface GigabitEthernet 1/0/2 both
"both" captures ingress and egress traffic on the port; "in" or "out" restricts the capture to one direction.
Start the capture, let it run for the required time, then stop it
SW1#monitor capture trace1 start
SW1#
SW1#monitor capture trace1 stop
The limits shown later under "Limit Details" (duration, packet count, packets per second) can be set beforehand with the "monitor capture trace1 limit" sub-commands, which is safer than relying on a manual stop if the session is interrupted.
Viewing the captured packets in the buffer
SW1#show monitor capture trace1 buffer brief
0.000000 1.1.1.2 -> 224.0.0.5 OSPF Hello Packet
0.376979 1.1.1.2 -> 224.0.0.18 VRRP Announcement (v2)
1.214985 1.1.1.2 -> 224.0.0.2 HSRP Hello (state Active)
Viewing the capture rules and parameters
SW1#show monitor capture trace1 parameter
monitor capture trace1 interface GigabitEthernet1/0/2 both
monitor capture trace1 access-list acl1
monitor capture trace1 buffer size 1
SW1#show monitor capture trace1
Status Information for Capture trace1
Target Type:
Interface: GigabitEthernet1/0/2, Direction: both
Status : Inactive
Filter Details:
Access-list: acl1
Buffer Details:
Buffer Type: LINEAR (default)
Buffer Size (in MB): 1
File Details:
File not associated
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Packets per second: 0 (no limit)
Packet sampling rate: 0 (no sampling)
Copying the buffer content to a pcap file for analysis
SW1#monitor capture trace1 export flash:/trace1.pcap
Exported Successfully
Downloading the file from the switch
SW1#configure terminal
SW1(config)#ip ftp username backup
SW1(config)#ip ftp password backup
SW1(config)#end
SW1#copy flash:/trace1.pcap ftp:
Address or name of remote host []? 192.168.40.100
Destination filename [trace1.pcap]?
Writing trace1.pcap !
2511 bytes copied in 2.156 secs (1165 bytes/sec)
Two cautions here. FTP sends the username, password and the capture itself in cleartext, and the "ip ftp" credentials stay in the running configuration (in cleartext, or only type 7 obfuscated if service password-encryption is on) where anyone with show access can read them. Where the switch and server support it, prefer "copy flash:/trace1.pcap scp:" to a hardened host; otherwise remove the credentials with "no ip ftp username" and "no ip ftp password" once the transfer is done. Treat the pcap as sensitive data: a capture of both directions on a port can contain other users' credentials and session contents.
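Before opening the downloaded file in Wireshark, it is worth checking that the export is a complete, well-formed pcap (an export interrupted by a full flash or a failed transfer leaves a truncated file) and getting a quick per-packet summary like the switch's "buffer brief" view. The following script is an added example, not code from the original post or from Cisco: it parses the classic libpcap container that "monitor capture ... export" writes (24-byte global header, then a 16-byte record header per packet) and summarises each Ethernet/IPv4 frame. The sample capture is constructed inline so the script runs offline; the two frames mirror the OSPF and VRRP packets from 1.1.1.2 shown above, and the MAC address and payload bytes are made up.

```python
"""Triage a switch-exported pcap before opening it in Wireshark (added example)."""
import struct

LINKTYPE_ETHERNET = 1
# pcap magic number -> (struct byte-order prefix, unit of the fractional timestamp field in ns)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1000),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", 1000),  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 1),     # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 1),     # big-endian, nanosecond timestamps
}
IP_PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPF", 112: "VRRP"}


def parse_pcap(data):
    """Return (linktype, snaplen, [(timestamp_ns, frame_bytes, original_len), ...]).

    Raises ValueError on a bad magic number, a truncated record or trailing junk,
    which is exactly what a half-written export looks like."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (bad magic or too short)")
    order, unit = PCAP_MAGICS[data[:4]]
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        records.append((sec * 10**9 + frac * unit, frame, orig_len))
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return linktype, snaplen, records


def is_valid_pcap(data):
    """True if the file parses cleanly end to end."""
    try:
        parse_pcap(data)
        return True
    except ValueError:
        return False


def summarize_frame(frame):
    """One-line summary of an Ethernet II frame carrying IPv4: 'src -> dst PROTO'."""
    if len(frame) < 14:
        return "short frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or len(frame) < 34:
        return "ethertype 0x%04x" % ethertype
    proto = frame[23]  # IPv4 header starts at byte 14; protocol is byte 9 of that header
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return "%s -> %s %s" % (src, dst, IP_PROTO_NAMES.get(proto, "proto %d" % proto))


def brief(data):
    """Lines like the switch's 'buffer brief' view, timestamps relative to the first packet."""
    linktype, _snaplen, records = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type %d" % linktype)
    t0 = records[0][0] if records else 0
    return ["%.6f %s" % ((ts - t0) / 1e9, summarize_frame(frame)) for ts, frame, _ in records]


# --- constructed sample capture (not a real export; MAC and payload bytes are made up) ---
def _ipv4_frame(src, dst, proto, payload):
    ip = lambda a: bytes(int(x) for x in a.split("."))
    dst_mac = b"\x01\x00\x5e" + bytes([0, 0, int(dst.split(".")[-1])])  # IPv4 multicast MAC for 224.0.0.x
    eth = dst_mac + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    # ver/IHL, TOS, total length, id, flags/frag, TTL=1, protocol, checksum (left 0), src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1, proto, 0, ip(src), ip(dst))
    return eth + hdr + payload


def _build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = _build_pcap([
    (1, 0,      _ipv4_frame("1.1.1.2", "224.0.0.5",  89,  b"\x02\x01" + b"\x00" * 42)),  # OSPFv2 Hello
    (1, 376979, _ipv4_frame("1.1.1.2", "224.0.0.18", 112, b"\x21\x01" + b"\x00" * 18)),  # VRRPv2 advert
])

if __name__ == "__main__":
    # In practice: data = open("trace1.pcap", "rb").read()
    print("valid pcap:", is_valid_pcap(SAMPLE_PCAP))
    for line in brief(SAMPLE_PCAP):
        print(line)
```

The script deliberately refuses a file with a truncated last record or trailing bytes rather than silently showing the packets it could read; if the export on the switch was cut short, repeat the export after freeing flash space instead of trusting a partial trace.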
To remove the capture point, use the same commands with a "no" prefix ("no monitor capture trace1" removes the capture point). Also delete the exported file from the switch once it has been copied off ("delete flash:/trace1.pcap"), so the captured traffic does not stay on a device that many people may have show or copy access to.
Hope it's useful to some beginners.