59-9
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 59 Configuring Wireshark
Information about Wireshark
If the destination of the Wireshark writing process is full, Wireshark fails with partial data in the file.
You must ensure that there is sufficient space in the file system before you start the capture session. With
Cisco IOS Release IOS XE 3.3.0SG, the file system full status is not detected for some storage devices.
You can reduce the required storage space by retaining only a segment, instead of the entire packet.
Typically, you do not require details beyond the first 64 or 128 bytes. The default behavior is to store the
entire packet.
To avoid possible packet drops when processing and writing to the file system, Wireshark can optionally
use a memory buffer to temporarily hold packets as they arrive. Memory buffer size can be specified
when the capture point is associated with a .pcap file.
Decoding and Displaying Packets
Wireshark can decode and display packets to the console. This functionality is possible for capture points
applied to live traffic and for capture points applied to a previously existing .pcap file.
Note Decoding and displaying packets may be CPU intensive.
Wireshark can decode and display packet details for a wide variety of packet formats. The details are
displayed by entering the monitor capture name start command with one of the following keyword
options, which place you into a display and decode mode:
• brief—Displays one line per packet (the default).
• detailed—Decodes and displays all the fields of all the packets whose protocols are supported.
Detailed mode require more CPU than the other two modes.
• (hexadecimal) dump—Displays one line per packet as a hexadecimal dump of the packet data and
the printable characters of each packet.
When we enter the capture command with the decode and display option, the Wireshark output is
returned to Cisco IOS and displayed on the console unchanged.
Displaying Live Traffic
Wireshark receives copies of packets from the Catalyst 4500 series switch core system. Wireshark
applies its capture and display filters to discard uninteresting packets, and then decodes and displays the
remaining packets.
Displaying from the .pcap File
Wireshark can decode and display packets from a previously stored .pcap file and direct the display filter
to selectively displayed packets. A capture filter is not applicable in this situation.
Storing and Displaying Packets
Functionally, this mode is a combination of the previous two modes. Wireshark stores packets in the
specified .pcap file and decodes and displays them to the console. Only the core and capture filters are
applicable here.
To Next Page
Loading...
Need help?
General
