Supported hardware:

  • Supervisor Engine 7-E
  • Supervisor Engine 7L-E
  • Catalyst 3850
  • Catalyst 3650
  • Wireless LAN Controller 5700 Series
  • Catalyst 4500X-16
  • Catalyst 4500X-32

Requires IOS-XE 3.3.0(SE) or later.

Usage:

Example 1

Defining the capture point:

    Switch# monitor capture mycap interface GigabitEthernet1/0/1 in
    Switch# monitor capture mycap match ipv4 any any
    Switch# monitor capture mycap limit duration 60 packets 100
    Switch# monitor capture mycap file location flash:mycap.pcap

The capture point has the following characteristics:

  • inbound traffic on interface G1/0/1
  • all IPv4 traffic is matched
  • the capture is limited to 60 seconds or 100 packets, whichever comes first
  • the capture is stored as mycap.pcap on the flash

Checking the parameters:

    Switch# show monitor capture mycap parameter
    monitor capture mycap interface GigabitEthernet1/0/1 in
    monitor capture mycap match ipv4  any any
    monitor capture mycap file location flash:mycap.pcap
    monitor capture mycap limit packets 100 duration 60

or

    Switch# show monitor capture mycap

    Status Information for Capture mycap
    Target Type:
    Interface: GigabitEthernet1/0/1, Direction: in
    Status : Inactive
    Filter Details:
    IPv4
    Source IP:  any
    Destination IP:  any
    Protocol: any
    Buffer Details:
    Buffer Type: LINEAR (default)
    File Details:
    Associated file name: flash:mycap.pcap
    Limit Details:
    Number of Packets to capture: 100
    Packet Capture duration: 60
    Packet Size to capture: 0 (no limit)
    Packets per second: 0 (no limit)
    Packet sampling rate: 0 (no sampling)

Starting the capture:

    Switch# monitor capture mycap start

Stopping the capture:

    Switch# monitor capture mycap stop

Example 2:

Defining the capture point in a single line:

    Switch#monitor capture MonPCAP interface G1/1 both match ipv4 any any file location bootflash:monpcap.pcap limit duration 1

Since the capture is limited to 1 second, there is no need to stop it manually: it stops on its own once the limit is reached.

Displaying the size of the capture file:

    Switch#dir bootflash:

Deleting the capture point:

    Switch#no monitor capture MonPCAP

Displaying the capture:

Summary mode:

    Switch#show monitor capture file bootflash:monpcap.pcap
    1   0.000000 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=52
    2   0.001007 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=68
    3   0.003006 1.1.1.1 -> 1.1.1.3 Syslog LOCAL7.ERR: 450: Jan  6 08:31:06.488: %IOSXE-3-PLATFORM: 1 process init: /etc/init/jobs.d/epc_MonPCAP_3_13:1: Unknown stanza
    4   0.003006 1.1.1.1 -> 1.1.1.3 Syslog LOCAL7.INFO: 451: Jan  6 08:31:07.495: %BUFCAP-6-ENABLE: Capture Point MonPCAP enabled.
    5   0.102000 2.2.2.2 -> 3.3.3.3 SMB Trans2 Response<unknown>
    <SNiP>

Detailed mode:

    Switch#show monitor capture file bootflash:monpcap.pcap detailed
    Frame 1: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
    Arrival Time: Jan  6, 2015 07:31:07.500965000 UTC
    Epoch Time: 1420529467.500965000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 106 bytes (848 bits)
    Capture Length: 106 bytes (848 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:ssh]
    Ethernet II, Src: 00:76:f3:ee:fd:01 (00:76:f3:ee:fd:01), Dst: 00:30:33:02:01:13 (00:30:33:02:01:13)
    Destination: 00:30:33:02:01:13 (00:30:33:02:01:13)
    Address: 00:30:33:02:01:13 (00:30:33:02:01:13)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:76:f3:ee:fd:01 (00:76:f3:ee:fd:01)
    Address: 00:76:f3:ee:fd:01 (00:76:f3:ee:fd:01)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Internet Protocol, Src: 1.1.1.1 (1.1.1.1), Dst: 1.1.1.2 (1.1.1.2)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00)
    1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 92
    Identification: 0x6a32 (27186)
    Flags: 0x00
    0... .... = Reserved bit: Not set
    .0.. .... = Don't fragment: Not set
    ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: TCP (6)
    Header checksum: 0xbed9 [correct]
    [Good: True]
    [Bad: False]
    Source: 1.1.1.1 (1.1.1.1)
    Destination: 1.1.1.2 (1.1.1.2)
    Transmission Control Protocol, Src Port: ssh (22), Dst Port: 3990 (3990), Seq: 1, Ack: 1, Len: 52
    Source port: ssh (22)
    Destination port: 3990 (3990)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 53    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
    0... .... = Congestion Window Reduced (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...1 .... = Acknowledgement: Set
    .... 1... = Push: Set
    .... .0.. = Reset: Not set
    .... ..0. = Syn: Not set
    .... ...0 = Fin: Not set
    Window size: 4024
    Checksum: 0x54db [validation disabled]
    [Good Checksum: False]
    [Bad Checksum: False]
    [SEQ/ACK analysis]
    [Number of bytes in flight: 52]
    SSH Protocol
    Encrypted Packet: 6468ab871f60a7370bcb4204234254ed4f2d8db03b22e38c...

    Frame 2: 122 bytes on wire (976 bits), 122 bytes captured (976 bits)
    Arrival Time: Jan  6, 2015 07:31:07.501972000 UTC
    Epoch Time: 1420529467.501972000 seconds
    [Time delta from previous captured frame: 0.001007000 seconds]
    [Time delta from previous displayed frame: 0.001007000 seconds]
    [Time since reference or first frame: 0.001007000 seconds]
    Frame Number: 2
    Frame Length: 122 bytes (976 bits)
    Capture Length: 122 bytes (976 bits)
    <SNiP>

Dump mode (hex and ASCII of each frame):

    Switch#sh monitor capture file bootflash:monpcap.pcap dump
      1   0.000000 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=52

    0000  00 11 22 33 44 55 00 02 ee 22 ee ee 07 00 45 c0   ..^...........E.
    0010  00 5e 67 32 00 00 ff 06 be d8 c0 a8 07 28 c0 a8   .\z2.........(..
    0020  09 57 00 16 0f 96 93 4c bf 78 43 f6 21 66 50 18   .W.....L.xC. fP.
    0030  0f b8 54 db 00 33 64 68 ab 87 1f 60 a7 37 0b cb   ..T...eh...`.7..
    0040  42 04 33 42 54 ed 4e 2d 8d b0 3b 22 e3 8c e2 5e   B.#BT.7-..;"...^
    0050  d1 df 17 99 f9 be 08 cd f8 0a 7a b8 ad ee 25 d2   ...x......z...%.
    0060  30 11 37 ad e1 df 22 ee c6 13                     0.9..."...

      2   0.001007 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=68

    0000  00 11 22 33 44 55 00 02 ee 22 ee ee 07 00 45 c0   ..^...........E.
    0010  00 5e 67 32 00 00 ff 06 be d8 c0 a8 07 28 c0 a8   .le3.........(..
    <SNiP>

Applying a display filter (Wireshark display-filter syntax):

    Switch#show monitor capture file bootflash:monpcap.pcap display-filter "ip.addr == 1.1.1.1"
    1   0.000000 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=52
    2   0.001007 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=68
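The same filtering can be done offline on the .pcap file the switch writes to flash. The following Python script is an added example, not code from the original post or from Cisco: it parses a classic pcap (microsecond timestamps, Ethernet link type, no VLAN tag assumed), builds a few constructed sample frames modelled on frames 1 and 2 above, and applies the equivalent of display-filter "ip.addr == 1.1.1.1" (source or destination match).

```python
import struct
# Constructed sample frames (not from the page's capture): Ethernet/IPv4/TCP with zero checksums.
def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    eth = bytes.fromhex("003033020113") + bytes.fromhex("0076f3eefd01") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 40 + len(payload), 0x6A32, 0, 255, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 4024, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames, t0_us=1420529467500965):
    # Global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        ts = t0_us + i * 1007          # 1.007 ms apart, like frames 1 and 2 in the post
        out += struct.pack("<IIII", ts // 10**6, ts % 10**6, len(f), len(f)) + f
    return out

def read_pcap(data):
    # Classic pcap with microsecond timestamps; byte order is whatever the writer used.
    magic, = struct.unpack_from("<I", data)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(endian + "HHiIII", data, 4)[5] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    packets, off, first = [], 24, None
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ts = sec * 10**6 + usec
        first = ts if first is None else first
        if pkt[12:14] != b"\x08\x00":          # skip non-IPv4 frames (ARP, etc.)
            continue
        l4 = 14 + (pkt[14] & 0x0F) * 4         # L4 header starts after the IPv4 header (IHL)
        packets.append({"time": (ts - first) / 1e6,
                        "src": ".".join(map(str, pkt[26:30])), "dst": ".".join(map(str, pkt[30:34])),
                        "sport": int.from_bytes(pkt[l4:l4 + 2], "big"),
                        "dport": int.from_bytes(pkt[l4 + 2:l4 + 4], "big")})
    return packets

def display_filter(packets, addr):
    # Same semantics as display-filter "ip.addr == <addr>": match on source OR destination.
    return [p for p in packets if addr in (p["src"], p["dst"])]

SAMPLE = build_pcap([
    build_frame("1.1.1.1", "1.1.1.2", 22, 3990, b"x" * 52),
    build_frame("1.1.1.1", "1.1.1.2", 22, 3990, b"x" * 68),
    bytes(12) + b"\x08\x06" + bytes(28),          # an ARP frame: not IPv4, so filtered out
    build_frame("2.2.2.2", "3.3.3.3", 445, 50000),
])
```

To use it on a real file copied off the switch, call read_pcap(open("monpcap.pcap", "rb").read()) instead of SAMPLE; a .pcapng file or a capture with 802.1Q tags would need a different parser.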

Filter syntax

Other commands:

Capturing with a named ACL:

    Switch#monitor capture MonPCAP access-list mon-acl
    Switch#monitor capture MonPCAP start
    ...

    Switch#monitor capture MonPCAP stop

This makes it possible to refine the capture filter.

Deleting the capture file:

    Switch#delete bootflash:monpcap.pcap
    Delete filename [monpcap.pcap]?
    Delete bootflash:/monpcap.pcap? [confirm]

Resources:

Cisco - Configuring Wireshark