Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Chapter 56 Configuring Wireshark
• You can use up to eight Wireshark instances. An active show command that decodes and displays
packets from a .pcap file or capture buffer counts as one instance.
• Whenever an ACL is installed or modified on a switch in the ingress direction, the software ignores
the packet classification details supplied by the hardware for the first 15 seconds and instead
classifies the packets received by the CPU in software. During this period the system captures
fewer packets than it does after the first 15 seconds, and CPU usage is high.
Note In the egress direction, packets are not captured for the first 15 seconds.
• To avoid packet loss, consider the following:
– Use store-only mode (do not specify the display option) while capturing live packets rather
than decode-and-display, which is a CPU-intensive operation (especially in detailed mode).
– If you use the default buffer size, packets may be dropped. Increase the buffer size to avoid
packet loss.
– Writing to the flash disk is a CPU-intensive operation, so the capture rate may not be sufficient.
– A Wireshark capture session normally operates in streaming mode, in which packets are
captured and processed at the same time. When you specify a buffer size of at least 32 MB,
the session automatically switches to lock-step mode, in which the session is split into two
phases: capture and process. In the capture phase, packets are stored in a temporary buffer.
In lock-step mode the duration parameter bounds the capture phase rather than the whole
session. When the buffer is full or the capture duration has elapsed, the session transitions to
the process phase, in which it stops accepting packets and starts processing the packets in
the buffer. Lock-step mode achieves a higher capture throughput.
– Streaming mode supports approximately 1500 pps; lock-step mode supports roughly 45 Mbps
(measured with 256-byte packets). When the rate of matching traffic exceeds these figures,
you may experience packet loss.
• If you want to decode and display live packets in the console window, bound the Wireshark
session with a short capture duration. A session with a long duration limit or no capture duration,
run on a terminal without auto-more support (for example, after term len 0), can make the console
or terminal unusable.
• Do not launch a capture session with ring files or capture buffer and leave it unattended for a long
time. This may lead to performance or system health issues because of high CPU or memory usage.
• If capturing live traffic with Wireshark drives CPU usage high, consider temporarily applying a
QoS policy to rate-limit the matching traffic until the capture completes.
Notes Specific to the Wireshark CLI
• All Wireshark-related commands are in EXEC mode; no configuration commands exist for
Wireshark.
If you need to use an access list or class map in the Wireshark CLI, you must first define the
access list or class map with configuration commands.
• No specific order applies when defining a capture point; you can define capture point parameters
in any order, provided that the CLI allows it. The Wireshark CLI accepts as many parameters as
possible on a single line, which reduces the number of commands required to define a capture
point.
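The following session ties the notes above together: the ACL is created in configuration mode
because Wireshark has no configuration commands, and the capture itself is defined in EXEC mode
with a buffer above the 32 MB lock-step threshold, a short duration, and a store-only start. This is an
added example, not taken from this guide; the command forms follow the Catalyst 4500 Wireshark
CLI as the editor recalls them and should be confirmed with ? help on the target release, and the
names cap-v4, mycap, GigabitEthernet1/1 and bootflash:mycap.pcap are placeholders.

```ios
! Added example, not from the guide. Confirm each command with "?" on the target release.
! cap-v4, mycap, GigabitEthernet1/1 and bootflash:mycap.pcap are placeholder names.

! 1. The filter must be an ordinary ACL defined in configuration mode.
Switch# configure terminal
Switch(config)# ip access-list extended cap-v4
Switch(config-ext-nacl)# permit tcp any any eq 443
Switch(config-ext-nacl)# end

! 2. Capture point parameters are EXEC commands and can be given in any order.
Switch# monitor capture mycap interface GigabitEthernet1/1 in
Switch# monitor capture mycap access-list cap-v4
! 64 MB is above the 32 MB threshold, so the session runs in lock-step mode
! and "duration" bounds the capture phase rather than the whole session.
Switch# monitor capture mycap buffer size 64
Switch# monitor capture mycap limit duration 30
Switch# show monitor capture mycap parameter

! 3. Wait at least 15 seconds after installing the ingress ACL before starting,
!    so the hardware classification is in use. Start without "display"
!    (store-only) so the CPU is not spent decoding packets live.
Switch# monitor capture mycap start
! ... the capture phase ends at 30 seconds or when the buffer fills; to end early:
Switch# monitor capture mycap stop

! 4. Decode from the buffer afterwards; this show counts as one of the eight instances.
Switch# show monitor capture mycap buffer brief
! Write to flash only after the capture is finished, since flash writes are CPU-intensive.
Switch# monitor capture mycap export bootflash:mycap.pcap
```

If the matching traffic is likely to exceed the roughly 45 Mbps lock-step figure, apply a temporary
QoS policy to rate-limit it before starting the session, and remove that policy once the capture is done.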