68-6
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 68 Configuring Wireshark
Information about Wireshark
• Wireshark Features used in Switches, page 68-10
• Wireshark on VSS, page 68-11
Capture Points
A capture point is the central policy definition of the Wireshark feature. The point describes all the
characteristics associated with a given instance of Wireshark: what packets to capture, where to capture
them from, what to do with the captured packets, and when to stop. Capture points can be modified after
creation and do not become active until explicitly activated with a start command. This process is termed
activating the capture point or starting the capture point. Capture points are identified by name and may
also be manually or automatically deactivated or stopped.
Multiple capture points may be defined and activated simultaneously.
Attachment Points
An attachment point is a point in the logical packet process path associated with a capture point.
Consider an attachment point as an attribute of the capture point. Packets that impact an attachment point
are tested against the capture point's filters; packets that match are copied and sent to the capture point's
associated Wireshark instance. A specific capture point can be associated with multiple attachment
points, with limits on mixing attachment points of different types. Some restrictions apply when you
specify attachment points of different types. Attachment points are directional (input or output or both)
with the exception of the Layer 2 VLAN attachment point, which is always unidirectional.
Filters
Filters are attributes of a capture point that identify and limit the subset of traffic traveling through the
attachment point of a capture point, which is copied and passed to Wireshark. To be displayed by
Wireshark, a packet must pass through an attachment point, as well as all of the filters associated with
the capture point.
A capture point has three types of filters:
• Core system filter—The core system filter is applied by hardware, and its match criteria is limited
by hardware. This filter determines whether hardware-forwarded traffic is copied to software for
Wireshark purposes.
• Capture filter—The capture filter is applied by Wireshark. The match criteria are more granular than
those supported by the core system filter. Packets that pass the core filter but fail the capture filter
are still copied and sent to the CPU/software, but are discarded by the Wireshark process. The
capture filter syntax matches that of the display filter.
Note Wireshark on the Catalyst 4500 series switch does not use the syntax of the capture filter.
• Display filter—The display filter is applied by Wireshark, and its match criteria are similar to those
of the capture filter. Packets that fail the display filter are not displayed.
To Next Page
Loading...
