Cisco Catalyst 4500 Series - Filters

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Chapter 56 Configuring Wireshark
About Wireshark
Filters
Filters are attributes of a capture point that identify and limit the subset of the traffic traveling
through the capture point's attachment point that is copied and passed to Wireshark. To be displayed by
Wireshark, a packet must pass through an attachment point and through all of the filters associated with
the capture point.
A capture point has three types of filters:
• Core system filter—The core system filter is applied by hardware, and its match criteria are limited
  by hardware. This filter determines whether hardware-forwarded traffic is copied to software for
  Wireshark purposes.
• Capture filter—The capture filter is applied by Wireshark. The match criteria are more granular than
  those supported by the core system filter. Packets that pass the core filter but fail the capture filter
  are still copied and sent to the CPU/software, but are discarded by the Wireshark process. The
  capture filter syntax matches that of the display filter.
  Note: Wireshark on the Catalyst 4500 series switch does not use the syntax of the capture filter.
• Display filter—The display filter is applied by Wireshark, and its match criteria are similar to those
  of the capture filter. Packets that fail the display filter are not displayed.
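The effect of each stage can be seen by modelling the pipeline. The following Python sketch is an added illustration, not Cisco code or switch CLI; the packet fields, filter predicates and addresses are constructed assumptions. It shows that the capture filter decides what is stored, but only the core system filter reduces the number of packets copied to the CPU.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVERS = ip_network("10.1.1.0/24")  # constructed example subnet

@dataclass(frozen=True)
class Packet:  # constructed model of a packet, not a real frame format
    dst: str
    proto: str
    dport: int
    http_method: str = ""  # application-layer detail, visible only to Wireshark

# Core system filter: hardware stage, limited to L2-L4 match criteria.
def core_tight(p):
    return p.proto == "tcp" and p.dport == 80 and ip_address(p.dst) in SERVERS

def core_any(p):
    return True

# Capture filter: applied by Wireshark in software, after the copy to the CPU.
def capture(p):
    return ip_address(p.dst) in SERVERS and p.http_method != ""

# Display filter: decides only what is shown.
def display(p):
    return p.http_method == "POST"

def run_pipeline(packets, core):
    stats = {"seen": len(packets), "copied_to_cpu": 0, "stored": 0, "displayed": 0}
    for p in packets:
        if not core(p):
            continue  # stays in the hardware forwarding path, no copy made
        stats["copied_to_cpu"] += 1
        if not capture(p):
            continue  # CPU cost already paid; Wireshark discards the packet
        stats["stored"] += 1
        if display(p):
            stats["displayed"] += 1
    return stats

PACKETS = [  # constructed sample traffic
    Packet("10.1.1.5", "tcp", 80, "GET"), Packet("10.1.1.5", "tcp", 80, "POST"),
    Packet("10.1.1.5", "tcp", 80), Packet("10.1.1.5", "tcp", 443),
    Packet("10.2.2.9", "udp", 53), Packet("10.2.2.9", "tcp", 80, "POST"),
]

if __name__ == "__main__":
    print(run_pipeline(PACKETS, core_tight), run_pipeline(PACKETS, core_any))
```

With the same capture and display filters, both runs store and display the same packets, but the match-any core filter copies all six packets to the CPU instead of three.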
Core System Filter
You can specify core system filter match criteria by using the class map or ACL, or explicitly by using
the CLI.
In some installations, you need to obtain authorization to modify the switch configuration, which can
lead to extended delays if the approval process is lengthy. This would limit the ability of network
administrators to monitor and analyze traffic. To address this situation, Wireshark supports explicit
specification of core system filter match criteria from the EXEC mode CLI. The disadvantage is that the
match criteria that you can specify are a limited subset of what a class map supports, such as MAC, IP
source and destination addresses, ether-type, IP protocol, and TCP/UDP source and destination ports.
If you prefer to use configuration mode, you can define ACLs or class maps and have capture points refer
to them. Explicit and ACL-based match criteria are used internally to construct class maps and policy
maps. These implicitly constructed class maps are not reflected in the switch running-config and are not
NVGEN’d.
Note: The configuration of ACLs and class maps is part of the system and not an aspect of the Wireshark
feature.
Capture Filter
The capture filter allows you to direct Wireshark to further filter incoming packets based on various
conditions. Wireshark applies the capture filter immediately on receipt of the packet; packets that fail
the capture filter are neither stored nor displayed.
A switch receives this parameter and passes it unchanged to Wireshark. Because Wireshark parses the
application filter definition, the defining syntax is the one provided by the Wireshark display filter. This
syntax and that of standard Cisco IOS differ, which allows you to specify ACL match criteria that cannot
be expressed with standard syntax.
