
Cisco Catalyst 4500 Series - Monitoring Wireshark

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Chapter 56 Configuring Wireshark
Monitoring Wireshark
All parameters except attachment points take a single value. Generally, you can replace the value with a new one by reentering the command. After user confirmation, the system accepts the new value and overrides the older one. The no form of the command is not needed to provide a new value; it is needed only to remove a parameter.

Wireshark allows you to specify one or more attachment points. To add more than one attachment point, reenter the command with the new attachment point. To remove an attachment point, use the no form. You can specify an interface range as an attachment point.

You cannot modify any parameters of a capture point while a session is active. To modify any parameter, stop the session, make the changes, and restart the session. Because an access list is generic to a switch and unrelated to the Wireshark process, it is alterable during a Wireshark session.

The action you want to perform determines which parameters are mandatory. The Wireshark CLI allows you to specify or modify any parameter prior to entering the start command. When you issue the start command, Wireshark will start only after determining that all mandatory parameters have been provided.

If the capture file already exists, Wireshark provides a warning and receives confirmation before proceeding. This prevents you from mistakenly overwriting a file.

The core filter can be an explicit filter, access list, or class map. Specifying a newer filter of these types replaces the existing one.

You can terminate a Wireshark session with an explicit stop command or by entering q in automore mode. The session can also terminate itself automatically when a stop condition, such as a duration or packet capture limit, is met.
Monitoring Wireshark
The commands in the following table are used to monitor Wireshark.

Table 56-2 Wireshark Monitoring Commands

Command: show monitor capture point name
Purpose: Displays the capture point state, so that you can see what capture points are defined, what their attributes are, and whether they are active. When a capture point name is specified, it displays that capture point's details.

Command: show monitor capture file name [display-filter filter-string] [brief | detailed | dump]
Purpose: Activates Wireshark using an existing .pcap file as the source for packets. If no display filter is specified, then all the packets in the file are displayed. The default display mode is brief.

Configuration Examples for Wireshark
Displaying a Brief Output from a .pcap File
You can display the output from a .pcap file by entering:
Switch# show monitor capture file bootflash:mycap.pcap
1 0.000000 10.1.1.140 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
2 1.000000 10.1.1.141 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
3 2.000000 10.1.1.142 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
4 3.000000 10.1.1.143 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
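
The brief output of show monitor capture file described above can be post-processed off the switch. The following Python parser is an added example, not part of the Cisco guide: it turns brief-mode lines into records and groups them by destination so that many sources sending to one port stand out. The function names and the column layout, inferred from the four sample lines on this page, are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the brief-mode output shown on this page, prompt line included.
SAMPLE = """\
Switch# show monitor capture file bootflash:mycap.pcap
1 0.000000 10.1.1.140 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
2 1.000000 10.1.1.141 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
3 2.000000 10.1.1.142 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
4 3.000000 10.1.1.143 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002
"""

# Assumed brief layout: frame number, relative time, source -> destination, protocol, info.
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<proto>\S+)\s*(?P<info>.*)$"
)
PORTS_RE = re.compile(r"Source port:\s*(\S+)\s+Destination port:\s*(\S+)")

def parse_brief(text):
    """Return (records, skipped): parsed packets and the lines that did not match."""
    records, skipped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped.append(line)  # prompt echo, banners, wrapped lines
            continue
        rec = m.groupdict()
        rec["frame"], rec["time"] = int(rec["frame"]), float(rec["time"])
        ports = PORTS_RE.search(rec["info"])
        # Ports may be printed as service names, so they are kept as strings.
        rec["sport"], rec["dport"] = ports.groups() if ports else (None, None)
        records.append(rec)
    return records, skipped

def sources_per_destination(records):
    """Map (dst, proto, dport) to a Counter of source addresses."""
    fan_in = {}
    for r in records:
        key = (r["dst"], r["proto"], r["dport"])
        fan_in.setdefault(key, Counter())[r["src"]] += 1
    return fan_in

if __name__ == "__main__":
    recs, skipped = parse_brief(SAMPLE)
    for key, srcs in sources_per_destination(recs).items():
        print(key, "packets:", sum(srcs.values()), "distinct sources:", len(srcs))
```

Lines that do not match are returned in the skipped list rather than dropped silently, so a change in output layout shows up as unparsed lines instead of missing packets.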
