Supported equipment:

  • Supervisor Engine 7-E
  • Supervisor Engine 7L-E
  • Catalyst 3850
  • Catalyst 3650
  • Wireless LAN Controller 5700 Series
  • Catalyst 4500X-16
  • Catalyst 4500X-32

Requires IOS-XE 3.3.0(SE) or later.

Usage:

Example 1

Defining the capture point:

Switch# monitor capture mycap interface GigabitEthernet1/0/1 in
Switch# monitor capture mycap match ipv4 any any
Switch# monitor capture mycap limit duration 60 packets 100
Switch# monitor capture mycap file location flash:mycap.pcap

The capture point will have the following characteristics:

  • inbound traffic on interface G1/0/1
  • matches all IPv4 traffic
  • the capture is limited to 60 seconds or 100 packets, whichever comes first
  • the capture is stored as mycap.pcap on the flash

Checking the parameters:

Switch# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/1 in
monitor capture mycap match ipv4  any any
monitor capture mycap file location flash:mycap.pcap
monitor capture mycap limit packets 100 duration 60

or

Switch# show monitor capture mycap

Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet1/0/1, Direction: in
Status : Inactive
Filter Details:
IPv4
Source IP:  any
Destination IP:  any
Protocol: any
Buffer Details:
Buffer Type: LINEAR (default)
File Details:
Associated file name: flash:mycap.pcap
Limit Details:
Number of Packets to capture: 100
Packet Capture duration: 60
Packet Size to capture: 0 (no limit)
Packets per second: 0 (no limit)
Packet sampling rate: 0 (no sampling)

Starting the capture:

Switch# monitor capture mycap start

Stopping the capture:

Switch# monitor capture mycap stop

Example 2:

Defining the capture point in a single line:

Switch#monitor capture MonPCAP interface G1/1 both match ipv4 any any file location bootflash:monpcap.pcap limit duration 1

Given the 1-second capture limit, there is no need to stop this capture manually.

Displaying the capture file size:

Switch#dir bootflash:

Deleting the capture point:

Switch#no monitor capture MonPCAP

Displaying the capture:

Summary mode

Switch#show monitor capture file bootflash:monpcap.pcap
1   0.000000 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=52
2   0.001007 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=68
3   0.003006 1.1.1.1 -> 1.1.1.3 Syslog LOCAL7.ERR: 450: Jan  6 08:31:06.488: %IOSXE-3-PLATFORM: 1 process init: /etc/init/jobs.d/epc_MonPCAP_3_13:1: Unknown stanza
4   0.003006 1.1.1.1 -> 1.1.1.3 Syslog LOCAL7.INFO: 451: Jan  6 08:31:07.495: %BUFCAP-6-ENABLE: Capture Point MonPCAP enabled.
5   0.102000 2.2.2.2 -> 3.3.3.3 SMB Trans2 Response<unknown>
<SNiP>

Detailed mode

Switch#show monitor capture file bootflash:monpcap.pcap detailed
Frame 1: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
Arrival Time: Jan  6, 2015 07:31:07.500965000 UTC
Epoch Time: 1420529467.500965000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 106 bytes (848 bits)
Capture Length: 106 bytes (848 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp:ssh]
Ethernet II, Src: 00:76:f3:ee:fd:01 (00:76:f3:ee:fd:01), Dst: 00:30:33:02:01:13 (00:30:33:02:01:13)
Destination: 00:30:33:02:01:13 (00:30:33:02:01:13)
Address: 00:30:33:02:01:13 (00:30:33:02:01:13)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:76:f3:ee:fd:01 (00:76:f3:ee:fd:01)
Address: 00:76:f3:ee:fd:01 (00:76:f3:ee:fd:01)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 1.1.1.1 (1.1.1.1), Dst: 1.1.1.2 (1.1.1.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00)
1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 92
Identification: 0x6a32 (27186)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: TCP (6)
Header checksum: 0xbed9 [correct]
[Good: True]
[Bad: False]
Source: 1.1.1.1 (1.1.1.1)
Destination: 1.1.1.2 (1.1.1.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 3990 (3990), Seq: 1, Ack: 1, Len: 52
Source port: ssh (22)
Destination port: 3990 (3990)
[Stream index: 0]
Sequence number: 1    (relative sequence number)
[Next sequence number: 53    (relative sequence number)]
Acknowledgement number: 1    (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 4024
Checksum: 0x54db [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[Number of bytes in flight: 52]
SSH Protocol
Encrypted Packet: 6468ab871f60a7370bcb4204234254ed4f2d8db03b22e38c...

Frame 2: 122 bytes on wire (976 bits), 122 bytes captured (976 bits)
Arrival Time: Jan  6, 2015 07:31:07.501972000 UTC
Epoch Time: 1420529467.501972000 seconds
[Time delta from previous captured frame: 0.001007000 seconds]
[Time delta from previous displayed frame: 0.001007000 seconds]
[Time since reference or first frame: 0.001007000 seconds]
Frame Number: 2
Frame Length: 122 bytes (976 bits)
Capture Length: 122 bytes (976 bits)
<SNiP>

Dump mode

Switch#sh monitor capture file bootflash:monpcap.pcap dump
  1   0.000000 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=52

0000  00 11 22 33 44 55 00 02 ee 22 ee ee 07 00 45 c0   ..^...........E.
0010  00 5e 67 32 00 00 ff 06 be d8 c0 a8 07 28 c0 a8   .\z2.........(..
0020  09 57 00 16 0f 96 93 4c bf 78 43 f6 21 66 50 18   .W.....L.xC. fP.
0030  0f b8 54 db 00 33 64 68 ab 87 1f 60 a7 37 0b cb   ..T...eh...`.7..
0040  42 04 33 42 54 ed 4e 2d 8d b0 3b 22 e3 8c e2 5e   B.#BT.7-..;"...^
0050  d1 df 17 99 f9 be 08 cd f8 0a 7a b8 ad ee 25 d2   ...x......z...%.
0060  30 11 37 ad e1 df 22 ee c6 13                     0.9..."...

  2   0.001007 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=68

0000  00 11 22 33 44 55 00 02 ee 22 ee ee 07 00 45 c0   ..^...........E.
0010  00 5e 67 32 00 00 ff 06 be d8 c0 a8 07 28 c0 a8   .le3.........(..
<SNiP>

Applying a display filter

Switch#show monitor capture file bootflash:monpcap.pcap display-filter "ip.addr == 1.1.1.1"
1   0.000000 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=52
2   0.001007 1.1.1.1 -> 1.1.1.2 SSH Encrypted response packet len=68
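As an added example (not code from the original page), a small Python reader for the libpcap file that monitor capture writes to flash, once it has been copied off the switch: it produces the same kind of summary as show monitor capture file and applies an "ip.addr == X" style filter offline. It assumes the classic little-endian libpcap format with microsecond timestamps and Ethernet frames; the sample capture is constructed inline and only echoes the addresses and timings shown above.

```python
# Added example (not the page's own code): offline reader for the libpcap file written by
# "monitor capture ... file location flash:mycap.pcap"; summarises it like "show monitor
# capture file" and supports an "ip.addr == X" filter. Assumes classic little-endian
# libpcap, microsecond timestamps, Ethernet (DLT 1) frames.
import socket
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4    # classic libpcap magic, microsecond timestamps
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_pcap(data):
    """Yield (timestamp_in_microseconds, frame_bytes) for each record."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_USEC:
        raise ValueError("unsupported pcap magic")
    off = 24                                  # 24-byte global header
    while off + 16 <= len(data):              # 16-byte record header
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec * 1_000_000 + ts_usec, data[off:off + incl_len]
        off += incl_len

def summarize(data, ip_filter=None):
    """(frame_no, delta_s, src, dst, proto) per IPv4 frame; ip_filter = ip.addr == X."""
    rows, first = [], None
    for no, (ts, frame) in enumerate(parse_pcap(data), start=1):
        first = ts if first is None else first          # reference = first frame
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                    # not Ethernet II + IPv4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if ip_filter and ip_filter not in (src, dst):
            continue
        proto = PROTO_NAMES.get(frame[23], str(frame[23]))
        rows.append((no, (ts - first) / 1_000_000, src, dst, proto))
    return rows

def _frame(src, dst, proto, payload_len):
    """Constructed test frame: Ethernet II + minimal IPv4 header + zero payload."""
    eth = bytes.fromhex("003033020113" "0076f3eefd01" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + bytes(payload_len)

def sample_pcap():
    """Constructed capture echoing the page's summary: two SSH frames, one UDP."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, f in [(1420529467, 500965, _frame("1.1.1.1", "1.1.1.2", 6, 72)),
                         (1420529467, 501972, _frame("1.1.1.1", "1.1.1.2", 6, 88)),
                         (1420529467, 602965, _frame("2.2.2.2", "3.3.3.3", 17, 40))]:
        out += struct.pack("<IIII", sec, usec, len(f), len(f)) + f
    return out
```

Run summarize() on the bytes of a real capture file copied from the switch; passing ip_filter="1.1.1.1" gives the same two frames as the display-filter command above.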

Filter syntax

Other commands:

Capturing with a named ACL:

Switch#monitor capture MonPCAP access-list mon-acl
Switch#monitor capture MonPCAP start
...

Switch#monitor capture MonPCAP stop

This lets you refine the capture filter beyond the basic match options.

Deleting the capture file:

Switch#delete bootflash:monpcap.pcap
Delete filename [monpcap.pcap]?
Delete bootflash:/monpcap.pcap? [confirm]

Resources:

Cisco - Configuring Wireshark