Best Practices - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Chapter 56
Configuring Wireshark

Best Practices

Consider the following best practices:
- Wireshark cannot capture IPv6 packets if the capture point's class-map filter attempts to match one of the following:
  - Extension headers followed by Hop-by-hop header (as per CSCtt16385)
  - DSCP values (as per CSCtx75765)
- During Wireshark packet capture, hardware forwarding happens concurrently.
- Before starting a Wireshark capture process, ensure that CPU usage is moderate and that sufficient memory (at least 200 MB) is available.
- If you plan to store packets to a storage file, ensure that sufficient space is available before beginning a Wireshark capture process.
- The CPU usage during Wireshark capture depends on how many packets match the specified conditions and on the intended actions for the matched packets (store, decode and display, or both).
- Limit packet capture with parameters of the capture point command (such as packet number and capture duration).
- Because packet forwarding typically occurs in hardware, packets are not normally copied to the CPU for software processing. For Wireshark packet capture, packets are copied and delivered to the CPU, which causes an increase in CPU usage. To avoid high CPU, do the following:
  - Attach only relevant ports.
  - Use a class map, and secondarily, an access list to express match conditions. If neither is viable, use an explicit, in-line filter.
  - Adhere closely to the filter rules. Restrict the traffic type (for example, IPv4 only) with a restrictive ACL rather than a relaxed one, which elicits unwanted traffic.
- Always limit packet capture to either a shorter duration or a smaller packet number. The parameters of the capture command enable you to specify the following:
  - Capture duration
  - Number of packets captured
  - File size
  - Packet segment size
- Run a capture session without limits if you know that very little traffic matches the core filter.
- Do not leave a capture session enabled and unattended for a long period of time, because unanticipated bursts of traffic could increase the CPU usage.
- During a capture session, watch for high CPU usage and memory consumption due to Wireshark that may impact switch performance or health. If these situations arise, stop the Wireshark session immediately.
- Avoid decoding and displaying packets from a large .pcap file on the switch. Instead, transfer the .pcap file to a PC and run Wireshark on the PC.
- Limit the number of Wireshark instances to two or fewer to avoid CPU or memory resource drain.
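
The following session is an added example, not taken from the original guide, showing a capture point set up according to the practices above: one attached port, an IPv4-only filter, duration and packet-count limits, and storage to a file for off-switch analysis. The capture point name (mycap), the interface, the file name and the limit values are assumptions; confirm keyword spelling against the command reference for your release.

```ios
! Added example. mycap, GigabitEthernet3/1, the file name and the
! limit values are assumed for illustration.
!
! Pre-flight: confirm CPU usage is moderate and that bootflash has
! enough free space for the capture file.
show processes cpu
dir bootflash:
!
! Attach only the relevant port, in one direction.
monitor capture mycap interface GigabitEthernet3/1 in
!
! Restrict the traffic type to IPv4. This is the explicit in-line
! filter, the fallback when a class map or access list is not viable.
monitor capture mycap match ipv4 any any
!
! Bound the session by both duration (seconds) and packet count.
monitor capture mycap limit duration 60 packets 100
!
! Store packets to a file instead of decoding them on the switch.
monitor capture mycap file location bootflash:mycap.pcap
!
! Review the capture point before starting it.
show monitor capture mycap parameter
monitor capture mycap start
!
! While the capture runs, watch CPU usage and stop the session
! immediately if it climbs.
show processes cpu
monitor capture mycap stop
!
! Remove the capture point when finished so that no more than two
! instances remain defined.
no monitor capture mycap
```

Copy the resulting .pcap file to a PC and open it in Wireshark there rather than decoding it on the switch.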
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG