Cisco Catalyst 4500 Series Software Configuration Manual page 1735

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex

Chapter 68
Configuring Wireshark
During a capture session, watch for high CPU usage and memory consumption due to Wireshark that
may impact switch performance or health. If these situations arise, stop the Wireshark session
immediately.
Avoid decoding and displaying packets from a large .pcap file. Instead, transfer the .pcap
file to a PC and run Wireshark on the PC.
Limit the number of Wireshark instances to two or fewer to avoid CPU or memory resource drain.
You can use up to eight Wireshark instances. An active show command that decodes and displays
packets from a .pcap file or capture buffer counts as one instance.
Whenever an ACL is installed or modified on a switch in the ingress direction, for the first 15
seconds, the software ignores packet classification details sent by the hardware. Instead, it uses
software-based classification for the packets received by the CPU. During this period, the system
captures fewer packets than it does after the first 15 seconds, and CPU usage will
be high.
If you want to decode and display live packets in the console window, ensure that the Wireshark
session is bounded by a short capture duration.
Warning
A Wireshark session with either a longer duration limit or no capture duration (using a terminal with
no auto-more support using the term len 0 command) may make the console or terminal unusable.
When using Wireshark to capture live traffic that leads to high CPU usage, consider applying a QoS
policy temporarily to limit the actual traffic until the capture process concludes.
All Wireshark-related commands are in EXEC mode; no configuration commands exist for
Wireshark.
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
You launch a capture session with ring files or capture buffer and leave it unattended for a long
time, resulting in performance or system health issues.
To avoid packet loss, consider the following:
Use store-only (when you do not specify the display option) while capturing live packets rather
than decode and display, which is a CPU-intensive operation (especially in detailed mode).
If you use the default buffer size, packets may be dropped. Increase the buffer size to avoid packet
loss.
Writing to flash disk is a CPU-intensive operation, so the capture rate may not be sufficient.
The Wireshark capture session operates normally in streaming mode, where packets are both
captured and processed. However, when you specify a buffer size of at least 32 MB but less than
80 MB, the session automatically turns on lock-step mode, in which a Wireshark capture session
is split into two phases: capture and process. In the capture phase, the packets are stored in the
temporary buffer. The duration parameter in lock-step mode serves as capture duration rather
than session duration. When the buffer is full or the capture duration has ended, a session
transitions to the process phase, wherein it stops accepting packets and starts processing packets
in the buffer. With the second approach (lock-step mode), a higher capture throughput can be
achieved. Last, when you specify a buffer size of at least 80 MB, the session turns on lock-step
mode with high-speed capture. This is similar to lock-step mode except that it captures the
packets directly from the hardware queue and passes the packet to the Wireshark packet queue.
The streaming capture mode supports approximately 1500 pps; lock-step mode supports
approximately 45 Mbps (measured with 256-byte packets); lock-step mode with high-speed
capture supports roughly 750 Mbps (measured with 256-byte packets). When the matching traffic
rate exceeds the figure for the active mode, you may experience packet loss. Only one session can be started when
using high-speed capture mode.
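The buffer-size thresholds and approximate rates above, worked through as an added planning sketch in Python (not Cisco code and not part of the manual). The function names are hypothetical, one "MB" of buffer is assumed to be 2**20 bytes, per-packet storage overhead is ignored, and the Mbps ceilings are applied to any packet size even though the manual measured them only with 256-byte packets.

```python
MIB = 1024 * 1024  # assumption: one "MB" of capture buffer = 2**20 bytes

# Approximate ceilings quoted in the text (Mbps figures measured with 256-byte packets).
STREAMING_PPS = 1500
LIMIT_MBPS = {"lock-step": 45, "lock-step high-speed": 750}


def capture_mode(buffer_mb):
    """Mode the session turns on for a given buffer size in MB."""
    if buffer_mb >= 80:
        return "lock-step high-speed"
    if buffer_mb >= 32:
        return "lock-step"
    return "streaming"


def plan(buffer_mb, pps, packet_bytes, duration_s):
    """Estimate loss risk and how long packets are accepted (hypothetical helper)."""
    mode = capture_mode(buffer_mb)
    if mode == "streaming":
        # Captured and processed together: duration bounds the whole session.
        return {"mode": mode, "loss_expected": pps > STREAMING_PPS,
                "capture_seconds": float(duration_s)}
    mbps = pps * packet_bytes * 8 / 1e6
    # Capture phase ends when the buffer is full or the duration has ended.
    fill_s = buffer_mb * MIB / (pps * packet_bytes) if pps else float("inf")
    return {"mode": mode, "loss_expected": mbps > LIMIT_MBPS[mode],
            "capture_seconds": min(float(duration_s), fill_s)}


if __name__ == "__main__":
    # Constructed traffic profiles: (buffer MB, matched pps, bytes/packet, duration s)
    for args in [(16, 1000, 256, 60), (32, 20000, 256, 60),
                 (79, 30000, 256, 5), (80, 300000, 256, 60)]:
        print(args, plan(*args))
```

In the second profile the 32 MB buffer fills in about 6.5 seconds, so the capture phase ends long before the 60-second duration limit is reached.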
Guidelines for Wireshark
68-3
