59-7
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 59 Configuring Wireshark
Information about Wireshark
Core System Filter
You can specify core system filter match criteria by using the class map or ACL, or explicitly by using
the CLI.
In some installations, you need to obtain authorization to modify the switch configuration, which can
lead to extended delays if the approval process is lengthy. This would limit the ability of network
administrators to monitor and analyze traffic. To address this situation, Wireshark supports explicit
specification of core system filter match criteria from the EXEC mode CLI. The disadvantage is that the
match criteria that you can specify is a limited subset of what class map supports, such as MAC, IP
source and destination addresses, ether-type, IP protocol, and TCP/UDP source and destination ports.
If you prefer to use configuration mode, you can define ACLs or have class maps refer capture points to
them. Explicit and ACL-based match criteria are used internally to construct class maps and policy maps.
These implicitly constructed class maps are not reflected in the switch running-config and are not
NVGEN’d.
Note The ACL and class map configuration are part of the system and not aspects of the Wireshark feature.
Capture Filter
The capture filter allows you to direct Wireshark to further filter incoming packets based on various
conditions. Wireshark applies the capture filter immediately on receipt of the packet; packets that fail
the capture filter are neither stored nor displayed.
A switch receives this parameter and passes it unchanged to Wireshark. Because Wireshark parses the
application filter definition, the defining syntax is the one provided by the Wireshark display filter. This
syntax and that of standard Cisco IOS differ, which allows you to specify ACL match criteria that cannot
be expressed with standard syntax.
Note The capture filter syntax matches that of the Wireshark display filter. The syntax for capture and display
filters are identical in the Wireshark implementation on the Catalyst 4500 series switch.
Display Filter
With the display filter, you can direct Wireshark to further narrow the set of packets to display when
decoding and displaying from a .pcap file. Because the syntax of the display filter is identical to the
capture filter, the display filter is superfluous if a capture filter is also defined.
For more details on the syntax of capture and display filters, go to
http://wiki.wireshark.org/DisplayFilters
Input and Output Classification
There are four classification results for input and output classification. In the input direction, they are
ordered role-based, security, QoS, and forwarding override. In the output direction they are ordered
forwarding override, role-based, security, and QoS.
To Next Page
Loading...
Need help?
General
