Activating And Deactivating Wireshark Capture Points - Cisco Catalyst 4500 Series Configuration Manual

Feature Interactions

Activating and Deactivating Wireshark Capture Points

After a Wireshark capture point has been defined with its attachment points, filters, actions, and other
options, it must be activated. Until the capture point is activated, it does not actually capture packets.
Before a capture point is activated, some sanity checks are performed. A capture point cannot be
activated if it has neither a core system filter nor attachment points defined. Attempting to activate a
capture point that generates an error.
The capture and display filters are specified as needed.
After Wireshark capture points are activated, they can be deactivated in multiple ways. A capture point
that is storing only packets to a .pcap file can be halted manually or configured with time or packet
limits, after which the capture point halts automatically. Only packets that pass the Wireshark capture
filter are counted against the packet limit threshold.
When a Wireshark capture point is activated, a fixed rate filter is applied automatically in the hardware
so that the CPU is not flooded with Wireshark-directed packets. The disadvantage of the rate filter is that
you cannot capture contiguous packets beyond the established rate even if more resources are available.
Feature Interactions
This section describes how Wireshark features function in the Catalyst 4500 series switch environment:
•
•
•
•
•
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
56-6
Layer 2 security features—Packets that are dropped by Layer 2 security features (such as port
security, MAC address filtering, and spanning tree) are not captured by Wireshark. This differs from
the behavior of SPAN.
Classification-based security features—Packets that are dropped by input classification-based
security features (such as ACLs and IPSG) are not caught by Wireshark capture points that are
connected to attachment points at the same layer. In contrast, packets that are dropped by output
classification-based security features are caught by Wireshark capture points that are connected to
attachment points at the same layer. The logical model is that the Wireshark attachment point occurs
after the security feature lookup on the input side, and symmetrically before the security feature
lookup on the output side.
Wireshark capture policies connected to Layer 2 attachment points in the input direction capture
packets dropped by Layer 3 classification-based security features. Symmetrically, Wireshark
capture policies attached to Layer 3 attachment points in the output direction capture packets
dropped by Layer 2 classification-based security features.
Routed ports and Layer 3 port channels—When a routed port or Layer 3 port channel is used as a
Wireshark attachment point, the The policy that is applied to capture the packets is treated as
attached at Layer 3. Wireshark only captures packets that are being routed by the interface.
VLANs—When a VLAN is used as a Wireshark attachment point, packets are captured in both input
and output directions. A packet that is bridged in the VLAN generates two copies, one on input and
one on output.
Private VLANs—Secondary PVLANs are disallowed as Wireshark attachment points. Using a
primary PVLAN as a Wireshark attachment point enables capture of packets in the primary PVLAN
and all associated secondary PVLANs. The entire PV domain becomes the attachment point.
Chapter 56 Configuring Wireshark
OL-25340-01