Using the Mini Protocol Analyzer
This chapter describes how to use the Mini Protocol Analyzer on the Catalyst 6500 series switches. Release 12.2(33)SXI and later releases support the Mini Protocol Analyzer feature.
Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL:
http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Understanding How the Mini Protocol Analyzer Works
The Mini Protocol Analyzer captures network traffic from a SPAN session and stores the captured packets in a local memory buffer. Using the provided filtering options, you can limit the captured packets to:
- Packets from selected VLANs, ACLs, or MAC addresses.
- Packets of a specific EtherType.
- Packets of a specified packet size.
You can start and stop the capture using immediate commands, or you can schedule the capture to begin at a specified date and time.
The captured data can be displayed on the console, stored to a local file system, or exported to an external server using normal file transfer protocols. The format of the captured file is libpcap, which is supported by many packet analysis and sniffer programs. Details of this format can be found at the following URL:
By default, only the first 68 bytes of each packet are captured.
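The effect of the 68-byte default can be checked offline on an exported capture. The following Python sketch is an added example, not Cisco code: it reads the libpcap global header and the per-packet record headers and counts the packets whose captured length is shorter than their original length. The function names are hypothetical, and the sample bytes are constructed inline on the assumption that the file header records a snap length of 68.

```python
import struct

# Classic libpcap magic numbers (microsecond and nanosecond timestamp variants).
MAGICS = {0xA1B2C3D4, 0xA1B23C4D}


def summarize_pcap(data: bytes) -> dict:
    """Parse a libpcap byte string; report snap length and truncated packets."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte libpcap global header")
    # The magic number reveals the byte order the writer used.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a libpcap file (unknown magic number)")
    _magic, major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    offset, total, truncated, max_caplen = 24, 0, 0, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("file ends inside a record header")
        _sec, _frac, caplen, origlen = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + caplen > len(data):
            raise ValueError("packet %d runs past end of file" % (total + 1))
        offset += caplen
        total += 1
        max_caplen = max(max_caplen, caplen)
        if caplen < origlen:  # bytes beyond the captured length were not stored
            truncated += 1
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "packets": total, "truncated": truncated, "max_caplen": max_caplen}


def build_sample(snaplen: int = 68) -> bytes:
    """Constructed sample: a 60-byte and a 1514-byte frame, each cut to snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for origlen in (60, 1514):
        caplen = min(origlen, snaplen)
        out += struct.pack("<IIII", 0, 0, caplen, origlen) + bytes(caplen)
    return out


if __name__ == "__main__":
    print(summarize_pcap(build_sample()))
```

A nonzero `truncated` count means payload analysis of those packets is limited to their first `max_caplen` bytes.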
Configuring the Mini Protocol Analyzer
To configure a capture session using the Mini Protocol Analyzer, perform this task:
When configuring a capture session, note the following information:
- Only one capture session is supported; multiple simultaneous capture sessions cannot be configured.
- The source interface command argument is either a single interface, or a range of interfaces described by two interface numbers (the lesser one first, separated by a dash), or a comma-separated list of interfaces and ranges.
Note When configuring a source interface list, you must enter a space before and after the comma. When configuring a source interface range, you must enter a space before and after the dash.
- The source vlan command argument is either a single VLAN number from 1 through 4094 (except reserved VLANs), or a range of VLANs described by two VLAN numbers (the lesser one first, separated by a dash), or a list of VLANs and ranges.
Note When configuring a source VLAN list, do not enter a space before or after the comma. When configuring a source VLAN range, do not enter a space before or after the dash. Note that this requirement differs from the requirement for source interface lists and ranges.
- Data capture does not begin when the capture session is configured. The capture is started by the monitor capture start or monitor capture schedule command described in the “Starting and Stopping a Capture” section.
- Although the capture buffer is linear by default, it can be made circular as a run-time option in the monitor capture start or monitor capture schedule command.
- When no hardware rate limit registers are available, the capture session is disabled.
- For releases earlier than 12.2(33)SXI4, when the fabric switching mode is truncated, you cannot enter an MPA configuration, because the truncated fabric switching mode does not support the MPA rate limiter.
- In Release 12.2(33)SXI4 and later releases, when the fabric switching mode is truncated, you can enter an MPA configuration, but the default rate limiter and, if configured, the MPA rate limiter are not active.
- When the switching mode is truncated on a supervisor without a DFC, MPA does not capture all the packets.
Note Ignore the "Rate-limiter is not configurable" system message.
- The source VLAN cannot be changed if a VLAN filter is configured. Remove any VLAN filters before changing the source VLAN.
Filtering the Packets to be Captured
Several options are provided for filtering the packets to be captured. Filtering by ACL and VLAN is performed in hardware before any rate-limiting is applied; all other filters are executed in software. Software filtering can decrease the capture rate.
To filter the packets to be captured by the Mini Protocol Analyzer, perform this task in capture session configuration mode:
When configuring capture filtering, note the following information:
- The filter vlan argument is either a single VLAN number from 1 through 4094 (except reserved VLANs), or a range of VLANs described by two VLAN numbers (the lesser one first, separated by a dash), or a list of VLANs and ranges.
Note When configuring a filter VLAN list, you must enter a space before and after the comma. When configuring a filter VLAN range, you must enter a space before and after the dash. Note that this requirement differs from the requirement for source VLAN lists and ranges described in the preceding section.
- To enter an EtherType as a decimal number, enter the number (1 to 65535) with no leading zero. To enter a hexadecimal number, precede four hexadecimal characters with the prefix 0x. To enter an octal number, enter numeric digits (0 to 7) with a leading zero. For example, the 802.1Q EtherType can be entered in decimal notation as 33024, in hexadecimal as 0x8100, or in octal as 0100400.
- Enter a MAC address as three 2-byte values in dotted hexadecimal format. An example is 0123.4567.89ab.
- The no keyword removes the filter.
Note After removing a VLAN filter using the no keyword, you must exit configuration mode, reenter the capture configuration mode, and issue the source vlan command before making other capture configuration changes.
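The source vlan and filter vlan arguments use opposite spacing rules, and the EtherType and MAC address arguments each have a fixed notation, so a scripted configuration push can check its arguments before sending them. The following Python helpers are an added example, not part of the Cisco documentation: the function names are hypothetical, reserved VLANs are not modelled, and the 16-bit bound on hexadecimal and octal EtherTypes is an assumption based on the field width.

```python
import re

# Hypothetical pre-check helpers; the rules come from the notes above.
#   filter vlan lists: space before and after "," and "-"
#   source vlan lists: no space around "," or "-"


def parse_vlan_list(text, spaced):
    """Return [(low, high), ...]; spaced=True is the filter vlan form."""
    comma, dash = (" , ", " - ") if spaced else (",", "-")
    ranges = []
    for item in text.split(comma):
        parts = item.split(dash)
        if len(parts) > 2 or not all(re.fullmatch(r"[0-9]+", p) for p in parts):
            raise ValueError("bad list item %r for this command" % item)
        low, high = int(parts[0]), int(parts[-1])
        if len(parts) == 2 and low >= high:
            raise ValueError("range %r must give the lesser VLAN first" % item)
        if low < 1 or high > 4094:
            raise ValueError("VLAN out of range 1-4094 in %r" % item)
        ranges.append((low, high))
    return ranges


def parse_ethertype(text):
    """Accept decimal (no leading zero), 0x + four hex digits, or octal."""
    if re.fullmatch(r"0x[0-9a-fA-F]{4}", text):
        value = int(text, 16)
    elif re.fullmatch(r"0[0-7]+", text):
        value = int(text, 8)
    elif re.fullmatch(r"[1-9][0-9]*", text):
        value = int(text, 10)
    else:
        raise ValueError("unrecognised EtherType notation: %r" % text)
    if value > 0xFFFF:  # assumption: EtherType must fit its 16-bit field
        raise ValueError("EtherType does not fit in 16 bits: %r" % text)
    return value


def to_dotted_mac(text):
    """Convert 01:23:45:67:89:ab (or dashed/dotted input) to 0123.4567.89ab."""
    digits = re.sub(r"[:.\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))
```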
Starting and Stopping a Capture
The commands to start and stop a capture are not stored as configuration settings. These commands are executed from the console in EXEC mode. You can start a capture immediately or you can set a future date and time for the capture to start. The capture ends when one of the following conditions occurs:
- A stop or clear command is entered from the console.
- The capture buffer becomes full, unless it is configured as a circular buffer.
- The optionally specified number of seconds has elapsed.
- The optionally specified number of packets has been captured.
When the capture stops, the SPAN session is ended and no further capture session packets are forwarded to the processor.
When starting a packet capture, you have the option to override some configured settings.
To start, stop, or cancel a capture, perform this task:
When using these commands, note the following information:
- The format for time and date is hh:mm:ss dd mmm yyyy. The hour is specified in 24-hour notation, and the month is specified by a three-letter abbreviation. For example, to set a capture starting time of 7:30 pm on October 31, 2006, use the notation 19:30:00 31 oct 2006. The time zone is GMT.
- When you specify a capture filter ACL in the start command, the new ACL will not override any configured ACLs. The new ACL will execute in software.
Displaying and Exporting the Capture Buffer
To display the captured packets or information about the capture session, or to export the captured packets for analysis, perform this task:
Mini Protocol Analyzer Configuration, Operation, and Display Examples
This section provides examples for configuring the Mini Protocol Analyzer, for starting and stopping a capture session, and for displaying the results of a capture session.
General Configuration Examples
This example shows how to minimally configure the Mini Protocol Analyzer:
This example shows how to configure the buffer size, session description, and rate limit:
This example shows how to configure the source as a mixed list of ports:
This example shows how to configure the source as a mixed list of VLANs:
Filtering Configuration Examples
This example shows how to configure for capturing packets with the following attributes:
- The packets belong to VLANs 123 or 234 through 245
- The packets are of 802.1Q EtherType (hexadecimal 0x8100, decimal 33024)
- The packet size is exactly 8192 bytes
- The source MAC address is 01:23:45:67:89:ab
- The packets conform to ACL number 99
Router(config-mon-capture)# filter ethertype 0x8100
This example shows how to capture packets whose size is less than 128 bytes:
Router(config-mon-capture)# filter length 0 128
This example shows how to capture packets whose size is more than 256 bytes:
Router(config-mon-capture)# filter length 256 9216
Operation Examples
This example shows how to start and stop a capture:
This example shows how to start a capture to end after 60 seconds:
This example shows how to start a capture at a future date and time:
This example shows how to start a capture with options to override the buffer size and to change to a circular buffer:
This example shows how to export the capture buffer to an external server and a local disk:
Display Examples
These examples show how to display configuration information, session status, and capture buffer contents.
Displaying the Configuration
To display the capture session configuration, enter the show monitor capture command.
This example shows how to display more details using the show monitor session n command:
This example shows how to display the full details using the show monitor session n detail command:
Displaying the Capture Session Status
To display the capture session status, enter the show monitor capture status command.
Displaying the Capture Buffer Contents
To display the capture session contents, enter the show monitor capture buffer command. These examples show the resulting display using several options of this command: