Chapter 56 Configuring Wireshark - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

About Wireshark
display or analysis support. The debug platform packet command is specific to the Catalyst 4500 series
switch and only works on packets that stem from the software process-forwarding path. Although it has
limited local display capabilities, it has no analysis support.
So the need exists for a traffic capture and analysis mechanism that is applicable to both
hardware-forwarded and software-forwarded traffic and that provides strong packet capture, display
and analysis support, preferably using a well-known interface.
Wireshark dumps packets to a file using a well-known format called .pcap, and is applied or enabled on
individual interfaces. You specify an interface in EXEC mode along with the filter and other parameters.
The Wireshark application is applied only when you enter a start command and is removed only when
Wireshark stops capturing packets either automatically or manually.
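As an added example (not part of the Cisco manual), the following Python code checks a .pcap file of the kind described above after it has been copied off the switch: it parses the classic libpcap global header and per-packet record headers and reports how many packets were stored and how many were sliced. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Classic libpcap magic numbers (microsecond and nanosecond timestamp variants).
MAGICS = {0xA1B2C3D4: "us", 0xA1B23C4D: "ns"}

def summarize_pcap(data: bytes) -> dict:
    """Validate a classic .pcap byte string and summarize its contents."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    # The magic number reveals which byte order the writer used.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    packets = truncated = 0
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError(f"partial record header at offset {offset}")
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            raise ValueError(f"cut-off packet record at offset {offset}")
        packets += 1
        if incl_len < orig_len:        # stored bytes < bytes on the wire
            truncated += 1
        offset += 16 + incl_len
    return {"version": (major, minor), "timestamps": MAGICS[magic],
            "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}

def build_sample() -> bytes:
    """Constructed two-packet capture (Ethernet, snaplen 64); not real traffic."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    full = bytes(60)                   # 60-byte frame stored whole
    sliced = bytes(64)                 # 128-byte frame cut to 64 bytes
    rec1 = struct.pack("<IIII", 1, 0, len(full), 60) + full
    rec2 = struct.pack("<IIII", 2, 0, len(sliced), 128) + sliced
    return header + rec1 + rec2

if __name__ == "__main__":
    print(summarize_pcap(build_sample()))
```

A file that was cut off during transfer raises ValueError instead of returning a partial count, so an incomplete copy is not mistaken for a complete capture.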
Note: In Cisco IOS Release XE 3.3.0SG, global packet capture on Wireshark is not supported.
These sections describe some key concepts for Wireshark:
Capture Points
Attachment Points: Interfaces and traffic directions
Filters
Actions
Storing Captured Packets to Buffer in Memory

Capture Points
A capture point is the central policy definition of the Wireshark feature. The point describes all the
characteristics associated with a given instance of Wireshark: what packets to capture, where to capture
them from, what to do with the captured packets, and when to stop. Capture points can be modified after
creation and do not become active until explicitly activated with a start command. This process is
termed activating the capture point or starting the capture point. Capture points are identified by name
and may also be manually or automatically deactivated or stopped.
Multiple capture points may be defined and activated simultaneously.

Attachment Points: Interfaces and traffic directions
An attachment point is a point in the logical packet process path associated with a capture point.
Consider an attachment point as an attribute of the capture point. Packets that impact an attachment point
are tested against the capture point's filters; packets that match are copied and sent to the capture point's
associated Wireshark instance. A specific capture point can be associated with multiple attachment
points, with limits on mixing attachment points of different types. Some restrictions apply when you
specify attachment points of different types. Attachment points are directional (input or output or both)
with the exception of the Layer 2 VLAN attachment point, which is always bidirectional.

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
