Capturing Traffic with Cisco Catalyst 3560

We have written more than once about traffic capture with the help of various network equipment. Not long ago we told our readers about the sniffing facilities available to users of Cisco Nexus switches. Nexus switches, however, are far from budget devices, so today we turn to a completely different market segment: the compact L3 switches of the Cisco Catalyst 3560 family. The functions described below may not be available on every Cisco Catalyst switch, and perhaps not even on every device in the Catalyst 3560 series; they were, however, certainly present on our WS-C3560CG-8TC-S. The commands are very similar to those we recently studied in the article about EPC (Embedded Packet Capture) on Cisco ASR, though there are some differences.

The process can be divided into three steps, two of which are major (creating a capture buffer and the capture itself) and one supplementary. The supplementary step is to create an access list that filters out packets of no use for the task at hand, for example for troubleshooting. Suppose we want to capture only ICMP messages; the access list then looks like this.

switch3560(config)#ip access-list extended foxtest
switch3560(config-ext-nacl)#permit icmp any any
switch3560(config-ext-nacl)#^Z
switch3560#sho ip access-lists foxtest
Extended IP access list foxtest
10 permit icmp any any

The next step is to create the buffer in which captured packets will be stored. When creating it, one can set a number of parameters that govern its operation: for example, whether the buffer is linear or circular, its size, and the maximum size of a packet that can be placed into it.

switch3560#monitor capture ?
buffer Control Capture Buffers
point Control Capture Points
switch3560#monitor capture buffer ?
WORD Name of the Capture Buffer
switch3560#monitor capture buffer foxtest ?
circular Circular Buffer
clear Clear contents of capture buffer
export Export in Pcap format
filter Configure filters
limit Limit the packets dumped to the buffer
linear Linear Buffer(Default)
max-size Maximum size of element in the buffer (in bytes)
size Packet Dump buffer size (in Kbytes)
<cr>
switch3560#monitor capture buffer foxtest size 2048 ?
circular Circular Buffer
linear Linear Buffer(Default)
max-size Maximum size of element in the buffer (in bytes)
<cr>
switch3560#monitor capture buffer foxtest size 2048 max-size ?
<68-9500> Element size in bytes : 9500 bytes or less (default is 68 bytes)
switch3560#monitor capture buffer foxtest size 2048 max-size 1500 ?
circular Circular Buffer
linear Linear Buffer(Default)
<cr>
switch3560#monitor capture buffer foxtest size 2048 max-size 1500 circular ?
<cr>
switch3560#monitor capture buffer foxtest size 2048 max-size 1500 circular

After creating the buffer, it can be associated with a filter, namely the access list created earlier.

switch3560#monitor capture buffer foxtest filter ?
access-list Set access list
switch3560#monitor capture buffer foxtest filter access-list ?
<1-199> IP access list
<1300-2699> IP expanded access list
WORD Access-list name
switch3560#monitor capture buffer foxtest filter access-list foxtest ?
<cr>
switch3560#monitor capture buffer foxtest filter access-list foxtest
Filter Association succeeded

The show monitor capture buffer name parameters command displays the buffer parameters.

switch3560#sho monitor capture buffer ?
WORD Name of the Capture Buffer
all All capture buffers
merged Merged View of Capture Buffers
switch3560#sho monitor capture buffer foxtest parameters
Capture buffer foxtest (circular buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1500 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer foxtest size 2048 max-size 1500 circular
monitor capture buffer foxtest filter access-list foxtest

After creating the buffer, one should set up the capture itself, a capture point. The switch allows capture points for two traffic switching modes: CEF and process-switched. Unfortunately, we failed to get CEF-switched packets (Cisco Express Forwarding), but capturing traffic destined for the switch itself was a success.

switch3560#monitor capture ?
buffer Control Capture Buffers
point Control Capture Points
switch3560#monitor capture po
switch3560#monitor capture point ?
associate Associate capture point with capture buffer
disassociate Dis-associate capture point from capture buffer
ip IPv4
ipv6 IPv6
start Enable Capture Point
stop Disable Capture Point
switch3560#monitor capture point ip ?
cef IPv4 CEF
process-switched Process switched packets
switch3560#monitor capture point ip pr
switch3560#monitor capture point ip process-switched ?
WORD Name of the Capture Point
switch3560#monitor capture point ip process-switched foxtest ?
both Inbound and outbound and packets
from-us Packets originating locally
in Inbound packets
out Outbound packets
switch3560#monitor capture point ip process-switched foxtest bo
switch3560#monitor capture point ip process-switched foxtest both ?
<cr>
switch3560#monitor capture point ip process-switched foxtest both
switch3560#

The capture point and the buffer must also be associated with each other.

switch3560#monitor capture point associate ?
WORD Name of the Capture Point
switch3560#monitor capture point associate foxtest ?
WORD Name of the Capture Buffer
switch3560#monitor capture point associate foxtest foxtest ?
<cr>
switch3560#monitor capture point associate foxtest foxtest

The capture point parameters are shown by the show monitor capture point name command.

switch3560#sho monitor capture point foxtest ?
| Output modifiers
<cr>
switch3560#sho monitor capture point foxtest
Status Information for Capture Point foxtest
IPv4 Process
Switch Path: IPv4 Process , Capture Buffer: foxtest
Status : Inactive
Configuration:
monitor capture point ip process-switched foxtest both

Having completed these preliminary steps, one can start the capture itself.

switch3560#monitor capture point start ?
WORD Name of the Capture Point
all All Capture Points
switch3560#monitor capture point start foxtest ?
<cr>
switch3560#monitor capture point start foxtest
switch3560#sho moni cap poi foxtest
Status Information for Capture Point foxtest
IPv4 Process
Switch Path: IPv4 Process , Capture Buffer: foxtest
Status : Active
Configuration:
monitor capture point ip process-switched foxtest both

The capture can be stopped manually or automatically after a certain event, such as receiving a preset number of packets.

switch3560#monitor capture point stop foxtest

Statistics on buffer usage can be obtained with the show monitor capture buffer name parameters command.

switch3560# show monitor capture buffer foxtest parameters
Capture buffer foxtest (circular buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1500 bytes, Packets : 14
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : foxtest, Status : Inactive
Configuration:
monitor capture buffer foxtest size 2048 max-size 1500 circular
monitor capture point associate foxtest foxtest
monitor capture buffer foxtest filter access-list foxtest

The captured data can be viewed in brief mode or in full (dump) mode.

switch3560#show monitor capture buffer foxtest
15:52:45.953 MSK Jan 11 2014 : IPv4 Process : Vl247 None
15:52:45.954 MSK Jan 11 2014 : IPv4 Process : None Vl247
switch3560#show monitor capture buffer foxtest dump
15:52:45.952 MSK Jan 11 2014 : IPv4 Process : Vl247 None
064AC930: 08CC68D1 32C23085 .LhQ2B0.
064AC940: A947DB99 08004500 003C7084 00008001 )G[...E..<p.....
064AC950: 46E9C0A8 0102C0A8 01010800 85410001 Fi@(..@(.....A..
064AC960: C8196162 63646566 6768696A 6B6C6D6E H.abcdefghijklmn
064AC970: 6F707172 73747576 77616263 64656667 opqrstuvwabcdefg
064AC980: 6869E6 hif
15:52:45.952 MSK Jan 11 2014 : IPv4 Process : None Vl247
064AC930: 3085A947 DB9908CC 0.)G[..L
064AC940: 68D132C2 08004500 003C7084 0000FF01 hQ2B..E..<p.....
064AC950: C7E8C0A8 0101C0A8 01020000 8D410001 Gh@(..@(.....A..
064AC960: C8196162 63646566 6768696A 6B6C6D6E H.abcdefghijklmn
064AC970: 6F707172 73747576 77616263 64656667 opqrstuvwabcdefg
064AC980: 6869E6 hif
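When a dump like the one above has to be checked without exporting the buffer, the hex words can be reassembled and decoded directly. The following Python script is an added example, not code from the original article or from Cisco IOS: it takes the first packet dump above as its constructed input, rebuilds the frame while skipping the ASCII column, trims it to the IP total length, and decodes the Ethernet, IPv4 and ICMP headers, verifying both the IP header checksum and the ICMP checksum.

```python
import re
import struct

# Constructed sample: the first packet of the page's "show monitor capture buffer
# foxtest dump" output, timestamp line omitted, hex words and ASCII column as printed.
DUMP_TEXT = """\
064AC930: 08CC68D1 32C23085 .LhQ2B0.
064AC940: A947DB99 08004500 003C7084 00008001 )G[...E..<p.....
064AC950: 46E9C0A8 0102C0A8 01010800 85410001 Fi@(..@(.....A..
064AC960: C8196162 63646566 6768696A 6B6C6D6E H.abcdefghijklmn
064AC970: 6F707172 73747576 77616263 64656667 opqrstuvwabcdefg
064AC980: 6869E6 hif
"""
HEX_WORD = re.compile(r"(?:[0-9A-F]{2}){1,4}")  # 1..4 bytes, upper-case, as IOS prints

def dump_to_bytes(text: str) -> bytes:
    """Reassemble the frame from 'offset: hexwords ascii' lines; the ASCII column is skipped."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].endswith(":"):
            continue
        for tok in tokens[1:5]:  # at most four hex words per line, then ASCII
            if not HEX_WORD.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 means the embedded checksum verifies."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / ICMP headers and verify both checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # trim to IP total length
    ihl = (ip[0] & 0x0F) * 4
    info = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "ttl": ip[8], "proto": ip[9], "ip_csum_ok": inet_checksum(ip[:ihl]) == 0}
    if ip[9] == 1:  # ICMP: type, code, checksum, id, seq, then data
        icmp = ip[ihl:]
        info["icmp_type"], info["icmp_seq"] = icmp[0], struct.unpack("!H", icmp[6:8])[0]
        info["icmp_csum_ok"] = inet_checksum(icmp) == 0
        info["payload"] = icmp[8:]
    return info
```

Running parse_frame(dump_to_bytes(DUMP_TEXT)) decodes the echo request from 192.168.1.2 to 192.168.1.1 with both checksums valid; the stray trailing byte of the last dump line is discarded by the total-length trim.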

For more thorough analysis, the captured packets can be exported to a TFTP server (or to one of the other destinations listed below) or saved to the switch's internal flash memory.

switch3560# monitor capture buffer foxtest export ?
flash: Location to dump buffer
ftp: Location to dump buffer
http: Location to dump buffer
https: Location to dump buffer
rcp: Location to dump buffer
scp: Location to dump buffer
tftp: Location to dump buffer
switch3560# monitor capture buffer foxtest export tftp://192.168.1.2/foxtest.pcap
!!

The export writes a file in the standard pcap format understood by the tcpdump and Wireshark utilities.

This concludes our very brief overview of the traffic capture functions of the Cisco Catalyst 3560CG-8TC-S switch. A more detailed description of these functions can be found on the vendor's site, in documentation aimed rather at routers and modular L3 switches such as the Catalyst 6500. To be fair, we should add that the Cisco Catalyst 3560 switch series also offers the standard SPAN session functionality.

switch3560#sho monitor session ?
<1-66> SPAN session number
all Show all SPAN sessions
erspan-destination Show only Destination ERSPAN sessions
erspan-source Show only Source ERSPAN sessions
local Show only Local SPAN sessions
range Show a range of SPAN sessions in the box
remote Show only Remote SPAN sessions
