59-8
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 59 Configuring Wireshark
Information about Wireshark
On the input side, the Wireshark capture feature is placed in the forwarding override result type,
prioritized above the other FO features (such as multicast local source capture, PBR and ingress WCCP).
The packets captured by Wireshark are before any redirection by PBR or WCCP. Because security ACLs
are applied ahead of FO-related features, packets that are dropped by security ACLs are not captured by
Wireshark.
On the output side, the Wireshark capture feature is placed in the forwarding override result type,
prioritized below the other FO features (such as egress WCCP). Wireshark captures packets only if the
other egress FO features do not apply.
Actions
Wireshark can be invoked on live traffic or on a previously existing .pcap file. When invoked on live
traffic, it can perform four types of actions on packets that pass its capture and display filters:
• Captures to buffer in memory to decode and analyze and store
• Stores to a .pcap file
• Decodes and displays
• Stores and displays
When invoked on a .pcap file only, only the decode and display action is applicable.
Storing Captured Packets to Buffer in Memory
Packets can be stored in the capture buffer in memory for subsequent decode, analysis, or storage to a
.pcap file.
The capture buffer can be linear or circular mode. In linear mode, new packets are discarded when the
buffer is full. In circular mode, if the buffer is full, the oldest packet are discarded to accommodate the
new packet. Although the buffer can also be cleared when needed, this mode is mainly used for
debugging network traffic.
Storing Captured Packets to a .pcap File
Wireshark can store captured packets to a .pcap file. The capture file can be located on the following
storage devices:
• Catalyst 4500 series switch on-board flash storage (bootflash:)
• external flash disk (slot:)
• USB drive (usb0:)
Note Do not attempt to use Wireshark with any other devices.
When configuring a Wireshark capture point, you can associate a filename. When the capture point is
activated, Wireshark creates a file with the specified name and writes packets to it. If the file already
exists when the file is associated or the capture point is activated, Wireshark queries you as to whether
the file can be overwritten. Only one capture point may be associated with a given filename.
To Next Page
Loading...
Need help?
General
