4500 Wireshark quick setup guide

Document
Posted Sep 13, 2012; updated Dec 31, 2014

Introduction

Catalyst 4500 series switches with the Supervisor 7 have a built-in Wireshark capability starting with IOS-XE 3.3(0)SG (IOS 15.1(1)SG). It captures packets on the switch itself, covering the troubleshooting cases where you would traditionally configure a SPAN session and attach a PC running a packet sniffer to the destination port.

Wireshark feature conditions

To use the Wireshark feature you must meet all of the following conditions.

  • Catalyst 4500 series switch
  • Supervisor 7 (Supervisor 6 is unsupported at this time)
  • IP Base or Enterprise Services license (LAN Base is unsupported)
  • Switch CPU not already under high utilization: the Wireshark feature is CPU intensive, because certain packets are software switched while a capture is running

The following is a quick-start guide for getting a capture running. It is deliberately general: in a production network you will need to apply capture filters and buffer/limit settings so that the capture does not collect far more packets than you need.

Verify and Capture

1)   Verify that the switch meets the conditions above (software version, supervisor, license level, and current CPU load).

4500TEST#show version
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSAL-M), Version 03.03.00.SG RELEASE SOFTWARE (fc3)
<output omitted>

License Information for 'WS-X45-SUP7-E'
   License Level: entservices   Type: Permanent
   Next reboot license Level: entservices

cisco WS-C4507R+E (MPC8572) processor (revision 8) with 2097152K/20480K bytes of memory.

Processor board ID FOX1512GWG1
MPC8572 CPU at 1.5GHz, Supervisor 7
<output omitted>
4500TEST#show proc cpu history
History information for system:
   888844444222222222222222333334444422222222222222255555222222
100                                                            
90                                                             
80                                                             
70                                                             
60                                                            
50                                                             
40                                                             
30                                                             
20                                                            
10 ****                                             *****     

   0....5....1....1....2....2....3....3....4....4....5....5....
             0   5   0   5   0   5   0   5   0   5   
               CPU% per second (last 60 seconds)

2)   In this example I am capturing traffic in both directions (TX and RX) on port gig2/26 and storing it on bootflash as a pcap file so it can be copied to a local PC for review if necessary. These are privileged EXEC commands (entered at the # prompt), not global configuration commands.

4500TEST#monitor capture MYCAP interface g2/26 both
4500TEST#monitor capture MYCAP file location bootflash:MYCAP.pcap
4500TEST#monitor capture MYCAP match any start
 *Sep 13 15:24:32.012: %BUFCAP-6-ENABLE: Capture Point MYCAP enabled.

3)   Started this way, the capture collects all traffic ingressing and egressing g2/26. In a production network that fills the file very quickly with traffic you do not care about, so specify only the direction you need and apply a capture filter that narrows the capture to the interesting traffic. The capture filter uses libpcap/tcpdump (BPF) syntax and is given when the capture is started.

4500TEST#monitor capture MYCAP start capture-filter "icmp"

This captures only ICMP traffic into the capture file.

4)   Once the capture reaches its duration or packet limit (see Extra settings below) it stops on its own and logs the following message.

*Sep 13 15:25:07.933: %BUFCAP-6-DISABLE_ASYNC: Capture Point MYCAP disabled. Reason : Wireshark session ended

Or you can stop the capture manually with the following command.

4500TEST#monitor capture MYCAP stop

5)   Another added feature is that you can view the capture from the CLI with the following command. Append the detailed option to see each packet fully dissected in Wireshark's format when you need to look inside the packets, or the dump option to see the packet bytes in hex as well.

4500TEST#show monitor capture file bootflash:MYCAP.pcap 

1   0.000000 44:d3:ca:25:9c:c9 -> 01:00:0c:cc:cc:cc CDP Device ID: 4500TEST Port ID: GigabitEthernet2/26 
2   0.166983 00:19:e7:c1:6a:18 -> 01:80:c2:00:00:00 STP Conf. Root = 32768/1/00:19:e7:c1:6a:00 Cost = 0 Port = 0x8018
3   0.166983 00:19:e7:c1:6a:18 -> 01:00:0c:cc:cc:cd STP Conf. Root = 32768/1/00:19:e7:c1:6a:00 Cost = 0 Port = 0x8018
4   1.067989   14.1.98.2 -> 224.0.0.2   HSRP Hello (state Standby)
5   2.173987 00:19:e7:c1:6a:18 -> 01:80:c2:00:00:00 STP Conf. Root = 32768/1/00:19:e7:c1:6a:00 Cost = 0 Port = 0x8018

6)   This gets cluttered and confusing if you did not use a capture filter when starting the capture. In that case use the display-filter option to show only specific traffic. Here we want to see only the ICMP traffic, not the HSRP, STP, and CDP frames shown above. Display filters use the same syntax as Wireshark itself, so the Wireshark display-filter documentation applies.

http://wiki.wireshark.org/DisplayFilters

4500TEST#show monitor capture file bootflash:MYCAP.pcap display-filter "icmp"
17   4.936999 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=0/0, ttl=255)
18   4.936999 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply   (id=0x0001, seq(be/le)=0/0, ttl=251)
19   4.938007 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=1/256, ttl=255)
20   4.938007 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply   (id=0x0001, seq(be/le)=1/256, ttl=251)
21   4.938998 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=2/512, ttl=255)
22   4.938998 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply   (id=0x0001, seq(be/le)=2/512, ttl=251)
23   4.938998 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=3/768, ttl=255)
24   4.940005 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply   (id=0x0001, seq(be/le)=3/768, ttl=251)
25   4.942996 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=4/1024, ttl=255)
26   4.942996 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply   (id=0x0001, seq(be/le)=4/1024, ttl=251)

7)   Last, copy the file to a local machine and open it in Wireshark as you would any other capture file. Keep in mind that FTP sends the username and password in clear text and that the pcap contains the full content of whatever was captured, so use a credential dedicated to this transfer and treat the file as sensitive data; if the image supports SCP, prefer it over FTP.

4500TEST#copy bootflash:MYCAP.pcap ftp://Username:Password@<ftp server address>
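As an added example (not part of the original document and not Cisco's code), the Python script below does offline what step 6's display-filter does on the switch: it parses a classic pcap file, dissects Ethernet/IPv4/ICMP, and keeps only the packets that match a protocol name (and, optionally, a host address). It also verifies the IPv4 header checksum of each packet, a cheap sanity check that the file was not truncated or altered in transfer. Everything is standard library. The sample capture is constructed inline from the same kinds of frames seen in the output above (an STP BPDU, an HSRP hello on UDP/1985, and an ICMP echo pair); its addresses and MACs are illustrative, not taken from a real capture.

```python
import struct
from collections import namedtuple
Packet = namedtuple("Packet", "number ts frame")

def checksum(data):
    """RFC 1071 one's-complement sum (IPv4 and ICMP headers); 0 over a full header means it verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def read_pcap(data):
    """Parse a classic libpcap file (either byte order); requires Ethernet link type 1."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(end + "HHiIII", data, 4)[5] != 1:
        raise ValueError("expected Ethernet (linktype 1)")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        if len(frame) != incl:
            raise ValueError("truncated record %d" % (len(packets) + 1))
        packets.append(Packet(len(packets) + 1, sec + usec / 1e6, frame))
        off += 16 + incl
    return packets

def decode_frame(frame):
    """Minimal Ethernet/IPv4/ICMP dissector; the returned dict always carries 'proto'."""
    if len(frame) < 14:
        return {"proto": "runt"}
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype < 0x0600:   # 802.3 length field: STP, CDP and other LLC/SNAP frames
        return {"proto": "llc"}
    if ethertype != 0x0800 or len(frame) < 34:
        return {"proto": "ethertype 0x%04x" % ethertype}
    ip = frame[14:]
    vihl, _tos, total, _id, _frag, ttl, proto, _csum = struct.unpack_from("!BBHHHBBH", ip)
    ihl = (vihl & 0x0F) * 4
    info = {"src": "%d.%d.%d.%d" % tuple(ip[12:16]), "dst": "%d.%d.%d.%d" % tuple(ip[16:20]),
            "ttl": ttl, "ip_csum_ok": checksum(ip[:ihl]) == 0}
    l4 = ip[ihl:total]
    if proto == 1 and len(l4) >= 8:
        itype, code, _c, ident, seq = struct.unpack_from("!BBHHH", l4)
        info.update(proto="icmp", type=itype, code=code, id=ident, seq=seq)
    else:
        info["proto"] = "udp" if proto == 17 else "ip proto %d" % proto
    return info

def apply_display_filter(pcap_bytes, proto, host=None):
    """Keep packets whose decoded protocol is `proto` (and, if given, that involve `host`)."""
    packets, hits = read_pcap(pcap_bytes), []
    for p in packets:
        d = decode_frame(p.frame)
        if d["proto"] == proto and (host is None or host in (d.get("src"), d.get("dst"))):
            d["rel_time"] = p.ts - packets[0].ts   # seconds since the first packet, as the CLI shows
            hits.append((p.number, d))
    return hits

def render(hits):
    """One summary line per packet, in the spirit of the switch's CLI output."""
    kinds = {8: "Echo (ping) request", 0: "Echo (ping) reply"}
    return ["%-3d %9.6f %s -> %s %s" % (n, d["rel_time"], d.get("src", "?"), d.get("dst", "?"),
            "ICMP %s (id=0x%04x, seq=%d, ttl=%d)" % (kinds.get(d["type"], "type %d" % d["type"]),
                                                     d["id"], d["seq"], d["ttl"])
            if d["proto"] == "icmp" else d["proto"].upper()) for n, d in hits]

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, ttl, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]   # fill in the header checksum
    return dst_mac + src_mac + b"\x08\x00" + ip + l4

def icmp_echo(itype, ident, seq):
    icmp = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + b"abcdefghijklmnop"
    return icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]

def write_pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian, Ethernet
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out

SW_MAC, HOST_MAC, T0 = bytes.fromhex("0019e7c16a18"), bytes.fromhex("44d3ca259cc9"), 1347549872.0
# Constructed sample: 802.3 frame to the STP MAC (length 0x0026, LLC 42 42 03, 35-byte BPDU body)
STP_FRAME = bytes.fromhex("0180c2000000") + SW_MAC + bytes.fromhex("0026424203") + bytes(35)
HSRP_HELLO = struct.pack("!HHHH", 1985, 1985, 28, 0) + bytes(20)   # UDP/1985 with a dummy payload
SAMPLE_PCAP = write_pcap([
    (T0, STP_FRAME),
    (T0 + 1.067989, ipv4_frame(SW_MAC, bytes.fromhex("01005e000002"), "14.1.98.2", "224.0.0.2", 1, 17, HSRP_HELLO)),
    (T0 + 4.936999, ipv4_frame(HOST_MAC, SW_MAC, "14.1.98.144", "172.18.108.26", 255, 1, icmp_echo(8, 1, 0))),
    (T0 + 4.936999, ipv4_frame(SW_MAC, HOST_MAC, "172.18.108.26", "14.1.98.144", 251, 1, icmp_echo(0, 1, 0))),
    (T0 + 4.938007, ipv4_frame(HOST_MAC, SW_MAC, "14.1.98.144", "172.18.108.26", 255, 1, icmp_echo(8, 1, 1))),
])

if __name__ == "__main__":
    for line in render(apply_display_filter(SAMPLE_PCAP, "icmp")):
        print(line)
```

Run it as-is to see the three ICMP lines from the constructed capture; to use it on a file copied off the switch, replace SAMPLE_PCAP with the file's bytes. The reader deliberately handles only the classic pcap format, which is what the switch writes; a pcapng file from a newer Wireshark is rejected rather than misparsed.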

8)   To clean up, remove the capture point with the following command; show monitor capture for that name then returns nothing.

4500TEST#no monitor capture MYCAP
4500TEST#show monitor capture MYCAP
<no output>
4500TEST#

Extra settings

By default the capture stops after 100 packets or 60 seconds, whichever comes first, and the buffer is linear (it stops when full rather than wrapping). The limit option of the monitor capture command changes this.

4500TEST#monitor cap MYCAP limit ?
duration       Limit total duration of capture in seconds
packet-length Limit the packet length to capture
packets       Limit number of packets to capture

The maximum buffer size is 100 MB. The buffer size and the circular/linear behaviour are adjusted with the buffer option as shown.

4500TEST#monitor cap MYCAP buffer ?
circular circular buffer
size     Size of buffer

The built-in Wireshark feature on the Sup7 with IOS-XE 3.3(0) is a very powerful tool and, used correctly, saves time and resources when troubleshooting a customer's network. Use it with caution: it can drive up CPU utilization in high-traffic situations, so always set a duration or packet limit, and never configure a capture and leave it running unattended. Remember also that the capture file left on bootflash contains the raw traffic that was captured, so copy it off and delete it when you are done. Used properly, it is an invaluable troubleshooting tool on the 4500 platform.

Limitations

Due to hardware limitations, packets can appear out of order in the capture file. This is because ingress and egress packets are collected in separate buffers, and the egress buffer may be processed before the ingress buffer. If you see out-of-order packets, capture in the ingress direction only, on both of the interfaces the traffic passes through: every packet of the conversation is then collected through the same buffer and the ordering problem goes away.

In the above example, if you see out-of-order packets, change the configuration from "both" on one interface to "in" on both interfaces.

4500TEST#monitor capture MYCAP interface g2/26 both

Change the command to

4500TEST#no monitor capture MYCAP interface g2/26 both
4500TEST#monitor capture MYCAP interface g2/26 in
4500TEST#monitor capture MYCAP interface g2/27 in


                  +------------+
                  |            |
                  |    4500    |
+------+          |            |         +------+
|      +---------->in       out+--------->      |
| host |          |g2/26  g2/27|         | host |
|      <----------+out       in<---------+      |
+------+          |            |         +------+
                  |            |
                  +------------+

Richard Primm Sat, 03/16/2013 - 18:11

Great Doc!

jawestbr Fri, 03/28/2014 - 12:08

Great document, Denny! Very clear, and easy to understand.
