Cisco's Catalyst 9300 line of switches is a welcome upgrade to the line-up. Recently I discovered that they can capture packets on the switch itself (on a specified port) and then save the result to local flash as a file, ready for FTP export.
Note:
It is possible to keep the data gleaned from a Packet Capture in the Switch Buffer instead of a file. If you choose to do so, the buffer can be configured as either circular (the oldest data is overwritten once the Buffer is full) or linear (once the Buffer is full, no new data is saved).
Although the Capture can be stored in the Switch Buffer, this guide aims to write the data to a more permanent .PCAP file on the Switch.
Restrictions
Before we get started with the configuration, let's take a look at some Packet Capture restrictions according to the Cisco documentation:
- Layer 2 EtherChannels are not supported.
- Only physical ports are supported.
- A Packet Capture runs for a minimum of 2 seconds.
- Up to 8 Captures can be configured, but only one can be active at a time.
Configuring Capture Parameters
Before we start a capture, we need to define exactly what traffic we wish to capture. Here is a sample configuration that captures IPv4 traffic on a specific Port in both directions:
Switch# monitor capture [CAPTURE NAME] interface [INTERFACE] both
Switch# monitor capture [CAPTURE NAME] match ipv4 any any
Exporting Packet Capture Output to a PCAP File
By default, the Packet Capture is saved to the Switch's buffer. For captures that require deeper analysis, it's usually preferable to write the capture to a standard .PCAP file that can be read by programs such as Wireshark.
To save the Packet Capture to the Flash of the Switch, use the command below:
Switch# monitor capture [CAPTURE NAME] file location flash:[NAME].pcap
Starting the Packet Capture
With our parameters now configured, we can start our Packet Capture with the command:
Switch# monitor capture [CAPTURE NAME] start
Displaying Active Captures
To see the current status of our active Packet Capture, use the following command:
Switch# show monitor capture [CAPTURE NAME]
Stopping the Packet Capture
Once we have collected enough data for our needs, we can stop the capture using the following command:
Switch# monitor capture [CAPTURE NAME] stop
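Putting the steps above together, here is a complete worked session added as an illustration (it is not taken from the original post or from Cisco's documentation). It assumes a capture named CAP1 on port GigabitEthernet1/0/1, an FTP server at 192.0.2.10 with placeholder credentials USER:PASS, and adds duration and packet limits plus the circular-buffer alternative mentioned in the note.

```cisco
! Added worked example (not from the original post). Assumed values:
! capture name CAP1, port GigabitEthernet1/0/1, FTP server 192.0.2.10,
! FTP credentials USER:PASS (placeholders).

! 1. Define what to capture: one physical port, both directions, IPv4 only.
Switch# monitor capture CAP1 interface GigabitEthernet1/0/1 both
Switch# monitor capture CAP1 match ipv4 any any

! 2. Bound the capture so it cannot run unattended or fill the flash:
!    it stops after 60 seconds or 10000 packets, whichever comes first.
Switch# monitor capture CAP1 limit duration 60
Switch# monitor capture CAP1 limit packets 10000

! 3a. Destination = .pcap file on flash (what this guide uses).
Switch# monitor capture CAP1 file location flash:cap1.pcap

! 3b. Alternative destination = the switch buffer, 10 MB, circular
!     (oldest packets overwritten once full; omit "circular" for linear).
!     Use either 3a or 3b, not both.
! Switch# monitor capture CAP1 buffer size 10 circular

! 4. Check free flash space and review the parameters before starting.
Switch# dir flash: | include free
Switch# show monitor capture CAP1 parameter

! 5. Run the capture and keep an eye on the CPU while it is active.
Switch# monitor capture CAP1 start
Switch# show monitor capture CAP1
Switch# show processes cpu sorted | exclude 0.00
Switch# monitor capture CAP1 stop

! 6. Export. File mode (3a): copy the .pcap off the switch.
Switch# copy flash:cap1.pcap ftp://USER:PASS@192.0.2.10/cap1.pcap
!    Buffer mode (3b) instead: write the buffer out as a .pcap file first,
!    then copy that file as above.
! Switch# monitor capture CAP1 export flash:cap1.pcap

! 7. Remove the capture definition when finished to free one of the 8 slots.
Switch# no monitor capture CAP1
```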
Final Thoughts
That's it! We should now have a .PCAP file stored on the Switch Flash, ready to export and open with a program such as Wireshark.
Remember to ensure that you have sufficient space available on the Flash (though the file sizes shouldn't be too big for short captures), and always keep an eye on the CPU of the Switch while the capture is running.
I hope this has helped.