Information About Wireshark - Cisco Catalyst 4500 series Administration Manual

Chapter 59
Configuring Wireshark

Information about Wireshark

Note: Wireshark is only supported on Supervisor Engine 7-E, Supervisor Engine 7L-E, Catalyst 4500X-16,
and Catalyst 4500X-32.

Note: Wireshark is supported on VSS and the functionality is the same as a standalone switch except for a few
configuration differences as detailed in the "Configuring Wireshark on VSS" section on page 59-14.

Wireshark is a packet analyzer program, formerly known as Ethereal, which supports multiple protocols
and presents information in a text-based user interface.

To understand what happens inside a network requires the ability to capture and analyze traffic. Prior to
Cisco IOS Release XE 3.3.0SG, the Catalyst 4500 series switch offered only two features to address this
need: SPAN and debug platform packet. Both are limited. SPAN is ideal for capturing packets, but can
only deliver them by forwarding them to some specified local or remote destination; it provides no local
display or analysis support. The debug platform packet command is specific to the Catalyst 4500 series
switch and only works on packets that stem from the software process-forwarding path. Although it has
limited local display capabilities, it has no analysis support.

So the need exists for a traffic capture and analysis mechanism that is applicable to both hardware and
software forwarded traffic and that provides strong packet capture, display and analysis support,
preferably using a well-known interface.

Wireshark dumps packets to a file using a well-known format called .pcap, and is applied or enabled on
individual interfaces. You specify an interface in EXEC mode along with the filter and other parameters.
The Wireshark application is applied only when you enter a start command and is removed only when
Wireshark stops capturing packets either automatically or manually.

Note: In Cisco IOS Release XE 3.3.0SG, global packet capture on Wireshark is not supported.

These sections describe some key concepts for Wireshark:

- Capture Points
- Attachment Points
- Filters
- Input and Output Classification
- Actions
- Storing Captured Packets to Buffer in Memory

- Capturing at a physical port that belongs to another logical port may not be supported. For example,
  capturing at EtherChannel member ports is not supported.
- Limiting circular file storage by file size is not supported.
- Wireshark cannot capture IPv6 packets if the capture point's class-map filter is attempting to match
  one of the following:
  - Extension headers followed by Hop-by-hop header (as per CSCtt16385)
  - DSCP values (as per CSCtx75765)

Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
