No specific order applies when defining a capture point; you can define capture point parameters in any order.
The Wireshark CLI allows as many parameters as possible on a single line. This limits the number of commands
required to define a capture point.
Neither VRFs, management ports, nor private VLANs can be used as attachment points.
Wireshark cannot capture packets on a destination SPAN port.
When a VLAN is used as a Wireshark attachment point, packets are captured in the input direction only.
Examples
To define a capture point using a physical interface as an attachment point:
Device# monitor capture mycap interface GigabitEthernet1/0/1 in
Device# monitor capture mycap match ipv4 any any
The second command defines the core filter for the capture point. This is required for a functioning capture
point unless you are using a CAPWAP tunneling attachment point in your capture point.
Note
If you are using CAPWAP tunneling attachment points in your capture point, you cannot use core filters.
To define a capture point with multiple attachment points:
Device# monitor capture mycap interface GigabitEthernet1/0/1 in
Device# monitor capture mycap match ipv4 any any
Device# monitor capture mycap control-plane in
Device# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/1 in
monitor capture mycap control-plane in
To remove an attachment point from a capture point defined with multiple attachment points:
Device# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/1 in
monitor capture mycap control-plane in
Device# no monitor capture mycap control-plane
Device# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet1/0/1 in
To define a capture point with a CAPWAP attachment point:
Device# show capwap summary
CAPWAP Tunnels General Statistics:
Number of Capwap Data Tunnels = 1
Number of Capwap Mobility Tunnels = 0
Number of Capwap Multicast Tunnels = 0
Name APName Type PhyPortIf Mode McastIf
------ -------------------------------- ---- --------- --------- -------
Ca0 AP442b.03a9.6715 data Gi3/0/6 unicast -
Name SrcIP SrcPort DestIP DstPort DtlsEn MTU Xact
------ --------------- ------- --------------- ------- ------ ----- ----
Ca0 10.10.14.32 5247 10.10.14.2 38514 No 1449 0
Device# monitor capture mycap interface capwap 0 both
Device# monitor capture mycap file location flash:mycap.pcap
Device# monitor capture mycap file buffer-size 1
Device# monitor capture mycap start
*Aug 20 11:02:21.983: %BUFCAP-6-ENABLE: Capture Point mycap enabled.on
Device# show monitor capture mycap parameter
monitor capture mycap interface capwap 0 in
monitor capture mycap interface capwap 0 out
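The core-filter and attachment-point rules above can be checked offline before a capture point definition is pushed to a device. The following Python check is an added example, not Cisco code and not part of the original reference; the function name lint, the capture point names wlcap and vcap, and the "vlan 10 both" command form are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the "monitor capture <name> ..." forms shown on this page, with or
# without the "Device# " prompt. "no monitor capture ..." removals are ignored.
CMD = re.compile(r"^(?:Device# )?monitor capture (\S+) (.+)$")

def lint(lines):
    """Return {capture_point: [findings]} for a list of CLI lines."""
    points = defaultdict(lambda: {"attach": [], "match": False})
    for line in lines:
        m = CMD.match(line.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2).split()
        if rest[0] == "match":
            points[name]["match"] = True  # core filter present
        elif rest[0] == "control-plane" and len(rest) == 2:
            points[name]["attach"].append(("control-plane", "", rest[1]))
        elif rest[0] == "interface" and len(rest) == 4 and rest[1] == "capwap":
            points[name]["attach"].append(("capwap", rest[2], rest[3]))
        elif rest[0] in ("interface", "vlan") and len(rest) == 3:
            points[name]["attach"].append((rest[0], rest[1], rest[2]))
    findings = {}
    for name, p in points.items():
        capwap = any(kind == "capwap" for kind, _, _ in p["attach"])
        out = []
        if capwap and p["match"]:
            out.append("core filter defined together with a CAPWAP attachment point")
        if not capwap and not p["match"]:
            out.append("no core filter (match) defined")
        out += [f"vlan {ident} attached '{d}': VLAN attachment captures input only"
                for kind, ident, d in p["attach"] if kind == "vlan" and d != "in"]
        findings[name] = out
    return findings

# Constructed sample input. The "vlan <id> <direction>" form is assumed; the
# page names VLAN attachment points but does not show their syntax.
SAMPLE = """\
Device# monitor capture mycap interface GigabitEthernet1/0/1 in
Device# monitor capture mycap match ipv4 any any
Device# monitor capture wlcap interface capwap 0 both
Device# monitor capture wlcap match ipv4 any any
Device# monitor capture vcap vlan 10 both
""".splitlines()

if __name__ == "__main__":
    for name, issues in lint(SAMPLE).items():
        print(name, "OK" if not issues else issues)
```

The check does not cover VRFs, management ports, private VLANs, or destination SPAN ports, because identifying those requires the device's running configuration rather than the capture commands alone.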
Command Reference, Cisco IOS XE Everest 16.5.1a (Catalyst 3650 Switches)
monitor capture (interface/control plane)