How can you configure Wireshark to always recognize port 444

How can you configure Wireshark to always recognize port 444 as an SSL/TLS port?

Solution

General configuration:

How to Configure Wireshark

To configure Wireshark, follow these general steps:
Step 1 Define, modify or delete a capture point.

Step 2 Activate or deactivate a capture point.

Default Wireshark Configuration

Table 58-1 shows the default Wireshark configuration.

Table 58-1 Default Wireshark Configuration

Feature               Default Setting
Duration              No limit
Packets               No limit
Packet-length         No limit (full packet)
File size             No limit
Ring file storage     No
Buffer storage mode   Linear

Software Configuration Guide—Release IOS XE 3.5.0E and IOS 15.2(1)E

OL_28731-01


Chapter 58

Configuring Wireshark

Defining, Modifying, or Deleting a Capture Point

Although listed in sequence, the steps to specify values for the options can be executed in any order. You can also specify them in one, two, or several lines. Except for attachment points, which can be multiple, you can replace any value with a more recent value by redefining the same option, in the following order:

Step 1 Define the name that identifies the capture point.

Step 2 Specify the attachment point with which the capture point is associated.

Multiple attachment points can be specified. Range support is also available both for adding and removing attachment points.

Step 3 Define the core system filter, defined either explicitly, through ACL or through a class map.

Step 4 Specify the session limit (in seconds or packets captured).

Step 5 Specify the packet segment length to be retained by Wireshark.

Step 6 Specify the file association, if the capture point intends to capture packets rather than merely display them.

Step 7 Specify the size of the memory buffer used by Wireshark to handle traffic bursts.

To filter the capture point, use the following commands:

Command: [no] monitor capture mycap match {any | mac mac-match-string | ipv4 ipv4-match-string | ipv6 ipv6-match-string}
Purpose: Defines an explicit in-line core filter. To remove the filter, use the no form of this command.

Command: [no] monitor capture mycap match mac {src-mac-addr src-mac-mask | any | host src-mac-addr} | {dest-mac-addr dest-mac-mask | any | host dest-mac-addr}
Purpose: Specifies use of a filter for MAC. To remove the filter, use the no form of this command.

Command: [no] monitor capture mycap match {ipv4 | ipv6} [src-prefix/length | any | host src-ip-addr] [dest-prefix/length | any | host dest-ip-addr]
Command: [no] monitor capture mycap match {ipv4 | ipv6} proto {tcp | udp} [src-prefix/length | any | host src-ip-addr] [eq | gt | lt | neq <0-65535>] [dest-prefix/length | any | host dest-ip-addr] [eq | gt | lt | neq <0-65535>]
Purpose: Specifies a filter for IPv4/IPv6; use one of the formats. To remove the filters, use the no form of this command.

To define a capture point, use the following commands:

Command: monitor capture name [{interface name | vlan num | control-plane} {in | out | both}]
Purpose: Specifies one or more attachment points with direction. To remove the attachment point, use the no form of this command.


Command: monitor capture name [[file location filename [buffer-size <1-100>] [ring <2-10>] [size <1-100>]] | [buffer [circular] size <1-100>]]
Purpose: Specifies the capture destination. To remove the details, use the no form of this command.

Command: [no] monitor capture name limit [duration seconds] [packet-length size] [packets num]
Purpose: Specifies capture limits. To remove the limits, use the no form of this command.

To clear the buffer contents, use the following command:

Command: monitor capture [clear | export filename]
Purpose: Clears capture buffer contents or stores the packets to a file.

To start and stop a capture point, use the following command:

Command: monitor capture name start [capture-filter filter-string] [display [display-filter filter-string]] [brief | detailed | dump | stop]
Purpose: To start or stop a capture point, use the monitor capture command.

Examples

Associating or Disassociating a Capture File

Switch# monitor capture point mycap file location bootdisk:mycap.pcap
Switch# no monitor capture mycap file

Specifying a Memory Buffer Size for Packet Burst Handling

Switch# monitor capture mycap buffer-size 1000000

Defining an Explicit Core System Filter to Match Both IPv4 and IPv6 TCP Traffic

Switch# monitor capture mycap match any protocol tcp

Defining a Core System Filter Using an Existing ACL or Class Map

Switch# monitor capture mycap match access-list myacl
Switch# monitor capture mycap match class-map mycm

Activating and Deactivating a Capture Point

A capture point cannot be activated unless an attachment point and a core system filter have been defined and the associated filename (if any) does not already exist. A capture point with no associated filename can only be activated to display. If no capture or display filters are specified, all of the packets captured by the core system filter are displayed. The default display mode is brief.


To activate or deactivate a capture point, perform these tasks:

Command: monitor capture name start [capture-filter filter-string] [display [display-filter filter-string]] [brief | detailed | dump]
Purpose: Activates a capture point.

Command: monitor capture name stop
Purpose: Deactivates a capture point.

Example:

Switch# monitor capture mycap start capture-filter "net 10.1.1.0 0.0.0.255 and port 80"

Switch# monitor capture mycap start display display-filter "net 10.1.1.0 0.0.0.255 and port 80"
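
The activation rules stated under Activating and Deactivating a Capture Point (attachment point and core system filter defined, associated file not already present, display only when no file is associated) can be checked before commands are entered on the switch. The following Python check is an added example, not part of the Cisco guide; the function names, the nofilter capture point and the sample command list are assumptions constructed from the command forms shown on this page.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

ATTACH_KEYWORDS = {"interface", "vlan", "control-plane"}

@dataclass
class CapturePoint:
    name: str
    attached: bool = False       # at least one attachment point defined
    core_filter: bool = False    # a "match" clause is present
    file: Optional[str] = None   # path given after "file location"
    limited: bool = False        # a "limit" clause is present

def parse(lines):
    """Fold 'monitor capture' commands into per-capture-point state."""
    points = {}
    for raw in lines:
        tokens = shlex.split(raw)
        if tokens and tokens[0].endswith("#"):   # drop a "Switch#" prompt
            tokens = tokens[1:]
        negate = bool(tokens) and tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if len(tokens) < 3 or tokens[0] != "monitor" or not tokens[1].startswith("cap"):
            continue                              # not a capture-point command
        name, rest = tokens[2], tokens[3:]
        if negate and not rest:                   # "no monitor capture NAME"
            points.pop(name, None)
            continue
        cp = points.setdefault(name, CapturePoint(name))
        # Removal of individual attachment points is not modelled here.
        if not negate and ATTACH_KEYWORDS & set(rest):
            cp.attached = True
        if "match" in rest:
            cp.core_filter = not negate
        if "limit" in rest:
            cp.limited = not negate
        if "file" in rest:
            loc = rest.index("location") + 1 if "location" in rest else len(rest)
            cp.file = rest[loc] if not negate and loc < len(rest) else None
    return points

def activation_problems(cp, existing_files=(), display=False):
    """Return the reasons 'monitor capture NAME start' would be refused."""
    problems = []
    if not cp.attached:
        problems.append("no attachment point defined")
    if not cp.core_filter:
        problems.append("no core system filter defined")
    if cp.file is None and not display:
        problems.append("no file associated: can only be activated to display")
    if cp.file is not None and cp.file in existing_files:
        problems.append(f"associated file {cp.file} already exists")
    return problems

def advisories(cp):
    """Non-blocking: the defaults for duration and packets are 'No limit'."""
    return [] if cp.limited else ["no limit set: capture runs until stopped"]

SAMPLE = [  # constructed from the command forms shown on this page
    "Switch# monitor capture mycap interface gi 3/1 in match ipv4 any any",
    "Switch# monitor capture mycap limit duration 60 packets 100",
    "Switch# monitor cap mycap file location bootflash:mycap.pcap",
    "Switch# monitor capture nofilter interface gi 3/2 in",
]

if __name__ == "__main__":
    for cp in parse(SAMPLE).values():
        print(cp.name, activation_problems(cp) or "ready", advisories(cp))
```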

Configuring Wireshark on VSS

To configure Wireshark in the VSS standby switch, use the remote login command:

Switch_VSS# remote login module 11
Connecting to standby virtual console
Type "exit" or "quit" to end this session
Switch_VSS-standby-console# monitor capture mycap match any interface gi2/1/1 in file location bootflash:text.pcap

Monitoring Wireshark

The commands in the following table are used to monitor Wireshark.

Table 58-2 Wireshark Monitoring Commands

Command: show monitor capture point name
Purpose: Displays the capture point state so that you can see what capture points are defined, what their attributes are, and whether they are active. When a capture point name is specified, it displays that capture point's details.

Command: show monitor capture file name [display-filter filter-string] [brief | detailed | dump]
Purpose: Activates Wireshark using an existing .pcap file as the source for packets. If no display filter is specified, all of the packets in the file are displayed. The default display mode is brief.

Configuration Examples for Wireshark

Example: Displaying a Brief Output from a .pcap File

You can display the output from a .pcap file by entering:

Switch# show monitor capture file bootflash:mycap.pcap


[Brief output omitted: packets 1 through 59, one per second from 0.000000 to 58.000000, each listed as UDP Source port: 20001 Destination port: 20002]

Example: Displaying Detailed Output from a .pcap File

You can display the detailed .pcap file output by entering:

Switch# show monitor capture file bootflash:mycap.pcap detailed
Frame 1: 256 bytes on wire (2048 bits), 256 bytes captured (2048 bits)


Ethernet II, Src: 00:00:00:00:03:01 (00:00:00:00:03:01), Dst: 54:75:d0:3a:85:3f (54:75:d0:3a:85:3f)

[Good: True]


Example: Displaying a Hexadecimal Dump Output from a .pcap File

You can display the hexadecimal dump output by entering:

Switch# show monitor capture file bootflash:mycap.pcap dump
1 0.000000 10.1.1.140 -> 20.1.1.2 UDP Source port: 20001 Destination port: 20002


Example: Displaying Packets from a .pcap File with a Display Filter

You can display the .pcap file packets output by entering:

Switch# show monitor capture file bootflash:mycap.pcap display-filter "ip.src == 10.1.1.140" dump


Usage Examples for Wireshark

Example: Simple Capture and Display

This example shows how to monitor traffic in the Layer 3 interface Gigabit 3/1:

Step 1 Define a capture point to match on the relevant traffic by entering:

Switch# monitor capture mycap interface gi 3/1 in match ipv4 any any
Switch# monitor capture mycap limit duration 60 packets 100

Note To avoid high CPU utilization, a low packet count and duration have been set as limits.

Step 2 Confirm that the capture point has been correctly defined by entering:

Switch# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet3/1 in
monitor capture mycap limit packets 100 duration 60

Switch# show monitor capture mycap
Status Information for Capture mycap

Step 3 Start the capture process and display the results.

Switch# monitor capture mycap start display

Step 4 Delete the capture point by entering:

Switch# no monitor capture mycap

Example: Simple Capture and Store

This example shows how to capture packets to a filter.

Step 1 Define a capture point to match on the relevant traffic and associate it to a file by entering:

Switch# monitor capture mycap interface gi 3/1 in match ipv4 any any
Switch# monitor capture mycap limit duration 60 packets 100
Switch# monitor cap mycap file location bootflash:mycap.pcap

Step 2 Confirm that the capture point has been correctly defined by entering:

Switch# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet3/1 in
monitor capture mycap match ipv4 any any
monitor capture mycap file location bootflash:mycap.pcap
monitor capture mycap limit packets 100 duration 60

Switch# show monitor capture mycap
Target Type:

Step 3 Launch packet capture by entering:

Switch# monitor capture mycap start

Step 4 After sufficient time has passed, stop the capture by entering:

Switch# monitor capture mycap stop

Note Alternatively, you could let the capture operation stop automatically after the time has elapsed or the packet count has been met.

Step 5 The mycap.pcap file now contains the captured packets. Display the packets by entering:

Switch# show monitor capture file bootflash:mycap.pcap

Step 6 Delete the capture point by entering:

Switch# no monitor capture mycap
