4500 Wireshark quick setup guide

Document

Sep 13, 2012 10:32 AM
Sep 13th, 2012

The 4500 series catalyst switches with the Supervisor 7 has a new built in functionality with IOS-XE version 3.3(0) / 151.1 or higher. This built in wireshark has the ability to capture packets in the way we would traditionally use SPAN with an attached PC for capturing packets in a troubleshooting scenario.

To utilize the Wireshark feature you must meet the following conditions.

  • 4500 series Catalyst switch
  • Supervisor 7 (supervisor 6 is unsupported at this time)
  • Feature set IP Base and Enterprise Services (LAN Base is unsupported)
  • Switch CPU is not in a high utilization condition as the Wireshark feature is CPU intensive and will software switch certain packets during capture.

The following is a quick start guide to get a capture started. This is very general and you will need implement filters and buffer setting as needed to limit the excessive capture of packets if troubleshooting in a production network.

1)   Verify you meet the conditions to support the capture.

4500TEST#show version

Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSAL-M), Version 03.03.00.SG RELEASE SOFTWARE (fc3)

<output omitted>

License Information for 'WS-X45-SUP7-E'

   License Level: entservices   Type: Permanent

   Next reboot license Level: entservices

cisco WS-C4507R+E (MPC8572) processor (revision 8) with 2097152K/20480K bytes of memory.

Processor board ID FOX1512GWG1

MPC8572 CPU at 1.5GHz, Supervisor 7

<output omitted>

4500TEST#show proc cpu history

History information for system:

   888844444222222222222222333334444422222222222222255555222222

100                                                           

90                                                            

80                                                            

70                                                            

60                                                           

50                                                            

40                                                            

30                                                            

20                                                           

10 ****                                             *****    

   0....5....1....1....2....2....3....3....4....4....5....5....

             0   5   0   5   0   5   0   5   0   5  

               CPU% per second (last 60 seconds)

2)   In this example I am capturing traffic in a TX/RX direction from port gig2/26. We will store the capture file on bootflash in a pcap file format for review from a local PC if necessary. The config is done from User EXEC mode, not global config mode.

4500TEST#monitor capture MYCAP interface g2/26 both

4500TEST#monitor capture file bootflash:MYCAP.pcap

4500TEST#monitor capture MYCAP match any start

*Sep 13 15:24:32.012: %BUFCAP-6-ENABLE: Capture Point MYCAP enabled.

3)   This will capture all traffic ingress and egress on port g2/26. This will surely fill the file very quickly with useless traffic in a production situation unless you specify the direction you are looking for and apply capture filters to narrow down the scope of interesting traffic to be captured.

4500TEST#monitor capture MYCAP start capture-filter "icmp"

This will only capture ICMP traffic in your capture file.

4)   Once the capture file either times out or fills the size quota you will see the following message.

*Sep 13 15:25:07.933: %BUFCAP-6-DISABLE_ASYNC: Capture Point MYCAP disabled. Reason : Wireshark session ended

Or you can manually stop the capture with the following command

4500TEST#monitor capture MYCAP stop

5)   Another added feature is you can view the capture from the CLI. You can view the packets with the following command. The detail option is available at the end to view the actual packet if it is required to see inside the packets in a wireshark format. Also the dump option is available to see the hex value of the packet as well.

4500TEST#show monitor capture file bootflash:MYCAP.pcap

1   0.000000 44:d3:ca:25:9c:c9 -> 01:00:0c:cc:cc:cc CDP Device ID: 4500TEST Port ID: GigabitEthernet2/26

2   0.166983 00:19:e7:c1:6a:18 -> 01:80:c2:00:00:00 STP Conf. Root = 32768/1/00:19:e7:c1:6a:00 Cost = 0 Port = 0x8018

3   0.166983 00:19:e7:c1:6a:18 -> 01:00:0c:cc:cc:cd STP Conf. Root = 32768/1/00:19:e7:c1:6a:00 Cost = 0 Port = 0x8018

4   1.067989   14.1.98.2 -> 224.0.0.2   HSRP Hello (state Standby)

5   2.173987 00:19:e7:c1:6a:18 -> 01:80:c2:00:00:00 STP Conf. Root = 32768/1/00:19:e7:c1:6a:00 Cost = 0 Port = 0x8018

6)   This can get cluttered and confusing if you didn’t use a capture-filter when starting the capture. In this case we can utilize the display-filter option to only give us specific traffic in our display. We only want to see ICMP traffic, and not the HSRP, STP, and CDP traffic seen above. As the display filter is the same format as wireshark you can find the filters online.

http://wiki.wireshark.org/DisplayFilters

4500TEST#show monitor capture file bootflash:MYCAP.pcap display-filter "icmp"

17   4.936999 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=0/0, ttl=255)

18   4.936999 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply   (id=0x0001, seq(be/le)=0/0, ttl=251)

19   4.938007 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=1/256, ttl=255)

20   4.938007 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply   (id=0x0001, seq(be/le)=1/256, ttl=251)

21   4.938998 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=2/512, ttl=255)

22   4.938998 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply   (id=0x0001, seq(be/le)=2/512, ttl=251)

23   4.938998 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=3/768, ttl=255)

24   4.940005 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply   (id=0x0001, seq(be/le)=3/768, ttl=251)

25   4.942996 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=4/1024, ttl=255)

26   4.942996 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply   (id=0x0001, seq(be/le)=4/1024, ttl=251)

7)   Last you can transfer the file to a local machine and look at the pcap file as you would any other standard capture file.

4500TEST#copy bootflash: ftp://Username:Password@<ftp server address>

8)   To clean up the capture, just remove the config with the following command.

4500TEST#no monitor capture MYCAP

4500TEST#show monitor capture MYCAP

<no output>

4500TEST#

Extra settings:

By default the limit on the capture file size is 100 packets or 60 seconds in a linear file. Using the limit option on the monitor capture syntax can change this.

4500TEST#monitor cap MYCAP limit ?

duration       Limit total duration of capture in seconds

packet-length Limit the packet length to capture

packets       Limit number of packets to capture

The buffer size max is 100 MB. This can be adjusted as well as the circular/linear buffer setting as shown.

4500TEST#monitor cap MYCAP buffer ?

circular circular buffer

size     Size of buffer

The built in wireshark feature on the Sup7 IOS-XE 3.3(0) is a very powerful tool and if used correctly can save time and resources when troubleshooting in customers network. Caution must be used when utilizing the feature as it does have to potential to increase CPU utilization in high traffic situations. And should never be configured and left unattended. If used properly it is an invaluable tool to troubleshooting on the 4500 platform.

Limitations:

Due to hardware limitations it is posible to have out of order packets apear in your capture file. This is due to the separate buffers used for ingress and egress packet capturing. If you have out of order packets appear in your capture, set your buffer to both ingress. This will prevent the packets in egress getting processed before the ingress packets when the buffer is processed.

In the above example if you see out of order packets, it is recommended to change your configuration from "both" to "in" on both interfaces.

4500TEST#monitor capture MYCAP interface g2/26 both

Change the command to

4500TEST#no monitor capture MYCAP interface g2/26 both

4500TEST#monitor capture MYCAP interface g2/26 in

4500TEST#monitor capture MYCAP interface g2/27 in

                  +------------+

                  |            |

                  |    4500    |

+------+          |            |         +------+

|      +---------->in       out+--------->      |

| host |          |g2/26  g2/27|         | host |

|      <----------+out       in<---------+      |

+------+          |            |         +------+

                  |            |

                  +------------+

Reference:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1/XE_330SG/configuration/guide/wireshrk.html

http://wiki.wireshark.org/DisplayFilters

Average Rating: 5 (4 ratings)

Comments

Actions

Login or Register to take actions

This Document

Posted September 13, 2012 at 10:32 AM
Stats:
Comments:2 Avg. Rating:5
Views:9052 Contributors:2
Shares:0

Related Content

Documents Leaderboard

Rank Username Points
1 177
2 64
3 60
4 50
5 23
Rank Username Points
5
0