TCL script to automate Embedded Packet Capture (EPC) and ERSPAN in Cisco platforms
Upload capture_program.tcl to flash on Cisco device
scp capture_program.tcl <username>@<deviceip>:capture_program.tcl
Create cisco alias:
config t
alias exec wireshark tclsh flash:capture_program.tcl
or
alias exec wireshark tclsh bootflash:capture_program.tcl
CSR1000v, ASR1004, 3560, 3850, 4400, 4500 (sup-8), 9300, 9400.
Version of code is 15.X or later code, recommended 16.x code. ERSPAN maybe limited on older platforms.
switch# wireshark
Examples:
[syntax] wireshark <protocol> <source_ip:[port]> <dest_ip:[port]> <control|interface> <duration ses> <capture size MB> <packet-len>
20 sec 10 MB 172 mtu
wireshark ip any any
wireshark ip 192.168.25.2 any
wireshark ip 192.168.25.2 192.168.30.20 Gi1/0/1
wireshark ip 192.168.25.2 192.168.30.20 Gi1/0/1 40 10
wireshark ip 192.168.25.2 192.168.30.20 control 60 30
wireshark tcp any any
wireshark tcp 192.168.25.2 any:80
wireshark tcp 192.168.25.2 192.168.30.20:443 Gi1/0/1
wireshark tcp 192.168.25.2:443 192.168.30.20 Gi1/0/1 40 10 1500
wireshark udp any any
wireshark udp 192.168.25.2 any
wireshark udp 192.168.25.2 192.168.30.20:53 Gi1/0/1
wireshark udp 192.168.25.2:53 192.168.30.20 Gi1/0/1 40 10
[syntax] wireshark erspan <protocol> <source_ip> <dest_ip> <collector ip> <monitor interface> <ERSPAN source ip> <max duration sec> <direction>
wireshark erspan ip any any
wireshark erspan ip any any 172.33.11.23 Gi1/0/1
wireshark erspan ip any any 172.33.11.23 Gi1/0/1 2.2.2.2
wireshark erspan ip any any 172.33.11.23 Gi1/0/1 2.2.2.2 50
wireshark erspan ip any any 172.33.11.23 Gi1/0/1 2.2.2.2 50 rx
wireshark erspan --debug tcp any any 172.33.11.23
***If you want display pcap on cli examples:
wireshark filter
***If you want to see commands used:
wireshark --debug <protocol> <source_ip:[port]> <dest_ip:[port]> (including remainder options)
Supported platfroms:
CSR1000v, ASR1004, 3560, 3850, 4400, 4500 (sup-8), 9300, 9400
