Packet Capture on Cisco 9300 Switches

Cisco’s 9300 line of Switches are a welcome upgrade to the line-up. Recently I discovered that they have the ability to capture packets on the Switch themselves (specifying a port) then save the file on the local flash ready for FTP export.

Note:

It is possible to store the information gleaned from a Packet Capture in the Switch Buffer. If you choose to do so, you can configure it as either circular (where information is constantly overwritten when the Buffer is full) or linear (where once the Buffer is full, no new information is saved).

Although we are able to store the Capture in the Switch Buffer, this guide will aim to export the data to a more permanent .PCAP file on the Switch.

Restrictions

Before we get started with the configuration, let’s take a look at some Packet Capture restrictions according to Cisco Documentation.

  • Layer 2 EtherChannels are not supported.
  • Only physical ports are supported
  • Packet Capture works for a minimum of 2 seconds
  • Up to 8 Captures can be configured, but only one at a time can be active

Configuring Capture Parameters

Before we get started, we need to define exactly the type of traffic we wish to capture. Here is some sample configuration for capturing IPv4 traffic on a specific Port in both directions.

 Switch# monitor capture [CAPTURE NAME] interface [INTERFACE] both
 Switch# monitor capture [CAPTURE NAME] match ipv4 any any 

Exporting Packet Capture Output to a PCAP File

By default, the Packet Capture will be saved to the Switch’s buffer. For captures that require deeper analysis, its usually preferable to export the capture to a standard .PCAP file that can be read by programs like Wireshark.

In order to save the Packet Capture to the Flash of the Switch, use the command below:

 Switch# monitor capture [CAPTURE NAME] file location flash:[NAME].pcap 

Starting the Packet Capture

With our parameters now configured, we can start our Packet Capture with the command:

 Switch# monitor capture [CAPTURE NAME] start 

Displaying Active Captures

To see the current status of our active Packet Capture, use the below command:

 Switch# show monitor capture [CAPTURE NAME] 

Stopping the Packet Capture

Once we have collected enough data for our needs, we can stop the capture using the following command:

Switch# monitor capture [CAPTURE NAME] stop

Final Thoughts

That’s it! We should now have a .PCAP file stored on the Switch Flash ready for us to export and open with a program like Wireshark.

Remember to ensure that you have sufficient space available on the Flash (though the filesizes shouldn’t be too big for short captures), and always keep an eye on the CPU of the Switch as the capture is running.

I hope this has helped.

References



Leave a Reply

Your email address will not be published.

Fill out this field
Fill out this field
Please enter a valid email address.

Subscribe to Blog

Enter your email below to subscribe to this blog.

Blog Stats

  • 47,617 hits

Me Elsewhere

Ads

Menu