Malformed packets found in packet captures

While running a packet capture I noticed SEVERAL lines with Malformed Packets. The lines contained the MACs of the laptop and the AP that the laptop was connected to.
Is this something I should worry about or what is going on here?
I added a print shot of the packet capture if that helps.
Thank you, Gary

The malformed packets aren't LWAPP but are seen in IEEE's association request packet. These messages aren't bad. All it is is that Ethereal could not fully decode the content of the packet because there wasn't enough information in it to decode. As these messages are sent from wireless clients to the AP, as long as the clients are able to associate, it shouldn't be a concern.
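
What "not enough information to decode" looks like from a dissector's side, as an added example that is not part of the original thread: a minimal parser for the body of an 802.11 association request that reports the frame as malformed when a tagged element declares more bytes than were captured. The sample frame body and its values are constructed, and the function name is hypothetical.

```python
import struct

# Constructed sample: association request body (the part after the 24-byte
# 802.11 MAC header). Two fixed fields, then tagged elements (id, length, value).
SAMPLE_BODY = (
    struct.pack("<HH", 0x0431, 10)                       # capability info, listen interval
    + bytes([0, 4]) + b"corp"                            # element 0: SSID
    + bytes([1, 8]) + bytes([0x82, 0x84, 0x8B, 0x96,
                             0x0C, 0x12, 0x18, 0x24])    # element 1: supported rates
    + bytes([50, 4]) + bytes([0x30, 0x48, 0x60, 0x6C])   # element 50: extended rates
)


def parse_assoc_request_body(body):
    """Return (fields, elements, problem).

    problem is None when every byte decodes, otherwise a short description of
    the point at which a dissector would give up and flag the frame malformed.
    """
    if len(body) < 4:
        return {}, [], "fixed fields truncated: %d of 4 bytes" % len(body)

    capability, listen_interval = struct.unpack_from("<HH", body, 0)
    fields = {"capability": capability, "listen_interval": listen_interval}
    elements = []
    offset = 4

    while offset < len(body):
        if len(body) - offset < 2:
            return fields, elements, "element header truncated at offset %d" % offset
        elem_id, elem_len = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + elem_len]
        if len(value) < elem_len:
            problem = "element %d declares %d bytes, only %d captured" % (
                elem_id, elem_len, len(value))
            return fields, elements, problem
        elements.append((elem_id, value))
        offset += 2 + elem_len

    return fields, elements, None


if __name__ == "__main__":
    # Full frame, then the same frame cut short as a capture with a small
    # snapshot length (or a driver that drops trailing bytes) would deliver it.
    for label, body in (("complete", SAMPLE_BODY), ("cut at 23 bytes", SAMPLE_BODY[:23])):
        fields, elements, problem = parse_assoc_request_body(body)
        print(label, "->", len(elements), "elements;", problem or "decoded cleanly")
```

The elements before the cut still decode, which is why the capture shows the MAC addresses and frame type correctly and only the tail is marked malformed.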

Similar Messages

  • Malformed packets - slow web page loading

    I'm running bm3.9 sp2 with some post bm sp2 files as provided by Novell
    support on a nw6.5 server.
    I've noticed that on IE and Firefox browsers, that web pages will often
    take a long time to load and typically if I hit the 'stop' button on the
    browser and do a 'reload' or 'refresh' for that web page, it will
    immediately load fine.
    I've been looking at the tcp stats but don't notice anything strange there.
    I ran pktscan and the only thing standing out is about 200+ malformed
    packets out of about 3000 packets. I've run pktscan a few different times on
    different days and still noticing these malformed packets.
    I was wondering if this could be a problem or any other suggestions on what
    to look at.
    TIA

    correction on packet count - 200+ malformed out of 20k total packets
    captured.
    >>> On 12/17/2009 at 10:10 AM, Mysterious<[email protected]> wrote:
    > On 12/17/2009 05:09 PM, John wrote:
    >> some packet examples
    >>
    >> 3770 7.278536 00.00.00 04.00.00 FC Unknown frame[Malformed Packet]
    >> Ethernet II, Src: 00:00:00_00:40:00 (00:00:00:00:40:00), Dst:
    >> 20:00:00:00:8b:72 (20:00:00:00:8b:72)
    >>
    >> 4933 8.959812 00.00.00 31.00.00 FC Unknown frame[Malformed Packet]
    >> Ethernet II, Src: 00:00:00_00:40:00 (00:00:00:00:40:00), Dst:
    >> 20:00:00:00:b7:81 (20:00:00:00:b7:81)
    >>
    >> 9441 13.559633 72.82.b8 20.00.1b FC Unknown frame[Malformed Packet]
    >> Ethernet II, Src: 00:00:00_00:40:00 (00:00:00:00:40:00), Dst:
    >> 00:00:00_00:8b:63 (00:00:00:00:8b:63)
    >>
    >> 9443 13.559657 72.82.b8 07.00.1b FC Unknown frame[Malformed Packet]
    >> Ethernet II, Src: 00:00:00_00:40:00 (00:00:00:00:40:00), Dst:
    >> 00:00:00_00:96:41 (00:00:00:00:96:41)
    >
    > does your server use the bx2.lan driver?

  • IPS packet captures-disk space

    I have been doing packet captures on High and Medium events and in the IME there is no obvious way to delete old captures. They don't take up a lot of space but I wanted to know if there is a way to view the disk capacity on the IPS and how I can delete old capture files from the IPS.

    Hi Jason,
    The ip logging functionality stores the logs in a circular buffer, so there is no need (and no supported way) to delete/manage the old log files - they will be overwritten when new logs necessitate it.
    All of the information on ip logging can be found here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ip_logging.html#wp1030704
    Also, unless you have a specific need for full stream captures for all high/medium events, you can use the "Produce Verbose Alert" action instead of the ip logging actions to capture the offending packet with significantly less resource utilization per alert.
    -JT

  • Malformed packets

    Hi,
    Thanks in advance for your help.
    Let me describe the issue briefly.
    -Our system is configured with Video Streamer (winsend on PC),
    Cisco 7609 and DSLAM with ATM traffic.
    -Video streamer is connected to Cisco 7609 FE port.
    -The video traffic is routed to ATM port and distributed to DSLAM.
    -I could see that the video traffic is forwarded to ATM side but for some reason the packet is malformed and could not see
    the video on ATM side.
    I am connecting the routers the following way:
    The DSLAM is connected to the 7609.
                  FE              ATM
    PC (winsend)------Cisco 7500--------DSLAM-----DSL
                                          |
                                          |
    PC (winsend)------Cisco 7609----------+
                  FE              ATM
    -I also ran video traffic from Cisco 7500 to Cisco 7609.
    The video traffic coming from Cisco 7500 works fine. (video stream is created by winsend as well). The above problem happens only on video originating from Cisco 7609.
    -I captured the video traffic on ATM by ethereal, noticed the following.
    -Video traffic through Cisco 7500 is working fine, I could see Source and Destination with proper IP address. Protocol shows UDP properly.
    -Video traffic originating on Cisco 7609 has packet malformed.
    The sniffer (Ethereal) showed the packet in strange status. Source and Destination shows MAC address, Protocol shows it as "0x1f64" which is not understandable.
    I would appreciate any input.


  • Malformed Packets and Bad Checksums

    I have a customer who uses MPLS to connect to all remote locations. The MPLS carrier has recently merged with another carrier, and they are in the middle of making changes to their MPLS network(s). As a result, some (but not all) of my customer's sites that have gone through these changes are having problems with one particular application only. Wireshark packet captures at the remote location and at the affected application server show the following, among other things:
    - Bad IP Checksum
    - Malformed TDS Packets
    - Malformed SSL Packets
    - Malformed GSM over IP Packets
    - Malformed ASAP Packets
    - TCP Sequence out of order
    - ACKed lost TCP segment
    - Previous TCP segment lost
    - Fast TCP retransmission suspected
    This is only a subset of the problems that Wireshark shows. The strange thing is that only a subset of the remote sites are affected, and it really is only one particular application of a large suite of applications. All other applications work acceptably. In addition, other sites that have been converted work just fine as well. There are about 15 of 80 sites having this problem. The MPLS provider have reviewed their equipment and configurations. Unfortunately, after the changes were made, we have no visibility into the MPLS network (it just shows one hop), so I have no way of helping them to troubleshoot.
    We have the ability to test the application using a site that is connected via Fiber, and the application works just fine. Of course, we have moved PCs, etc from site to site. The problem seems to stay with the site, rather than the computers.
    Any advice or ideas on what I can do to test would be appreciated.

    Jason,
    there is a lot of interesting troubleshooting to be done. Yours is the type of case I loved when I was in the TAC as I enjoyed using creative ways to investigate and tackle similar problems.
    there might be so many approaches for this that I have difficulties to list them all.
    I am afraid that a CSC post is not the right place for that as this can be time consuming and a lot of effort is needed.
    I suggest you to open a TAC case where you can find some engineer with the right mind set for this CSI type of troubleshooting.
    cheers,
    Riccardo

  • Java packet capturing libraries ... ?

    HI All,
    actually i need to write some packet capturing code on solaris i have tried Jpcap library but there are some compilation issues on solaris .
    is there any other library which i can use for packet capturing except Jpcap ?
    thanks

    tcpdump hhhmmmmm... it actually can't work for me ....
    i am using Package "ch.ethz.ssh2" for ssh because i have to ssh to another server and run the snoop command on it.
    Ok, lets look at this code . can we find anything else for me
    <%@ page import="java.io.BufferedReader" %>
    <%@ page import="java.io.File" %>
    <%@ page import="java.io.IOException" %>
    <%@ page import="java.io.InputStream" %>
    <%@ page import="java.io.InputStreamReader" %>
    <%@ page import="ch.ethz.ssh2.Connection" %>
    <%@ page import="ch.ethz.ssh2.Session" %>
    <%@ page import="ch.ethz.ssh2.StreamGobbler" %>
    <%@ page import="java.io.BufferedWriter" %>
    <%@ page import="java.io.OutputStreamWriter" %>
    <%@ page import="java.io.PrintWriter" %>
    <%@ page import="ch.ethz.ssh2.SCPClient" %>
    <%@ page import="ch.ethz.ssh2.SFTPv3Client" %>
    <%@ page import="java.util.*" %>
    <%@ page  import="java.io.FileInputStream" %>
    <%@ page  import="java.io.BufferedInputStream"  %>
    <%@page contentType="text/html" pageEncoding="UTF-8"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
       "http://www.w3.org/TR/html4/loose.dtd">
    <html>
        <head>
            <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
            <title>JSP Page</title>
        </head>
    <%
    String hosts = request.getParameter("hostname");
    String packets = request.getParameter("packets");
    String q = request.getParameter("q");
    String str = "";
    String hostname = "127.1.1.1";
    String username = "root";
    File keyfile = new File("/root/ssh/id_dsa");  // or "~/.ssh/id_dsa"
    String keyfilePass = "pass";
    try
    {
        /* "packets" and "hostname" come from the request and end up in a
           command run as root on the remote host, so accept only a packet
           count and a plain host name or address */
        if (packets == null || !packets.matches("[0-9]{1,9}")
                || hosts == null || !hosts.matches("[A-Za-z0-9][A-Za-z0-9.:-]{0,252}"))
            throw new IOException("Invalid hostname or packets parameter.");
        /* Create a connection instance */
        Connection conn = new Connection(hostname);
        /* Now connect */
        conn.connect();
        /* Authenticate */
        boolean isAuthenticated = conn.authenticateWithPublicKey(username, keyfile, keyfilePass);
        if (isAuthenticated == false)
            throw new IOException("Authentication failed.");
        /* Create a session */
        Session sess = conn.openSession();
        sess.execCommand("snoop -d bge0 -o /export/myhome/file.cap -c " + packets + " host " + hosts + " ");
        InputStream stdout = new StreamGobbler(sess.getStdout());
        BufferedReader br = new BufferedReader(new InputStreamReader(stdout));
        System.out.println("Here is some information about the remote host:");
        /* Read the remote command's output until it ends */
        while (true)
        {
            String line = br.readLine();
            if (line == null)
                break;
            System.out.println(line);
        }
        /* Close this session */
        sess.close();
        /* Close the connection */
        conn.close();
    }
    catch (IOException e)
    {
        e.printStackTrace(System.err);
        //System.exit(2);
    }
    %>
    </html>
    problem with this code is when the code reaches the below line, the command starts running on the remote server until it captures the number of packets ..
    sess.execCommand("snoop -d bge0 -o /export/myhome/file.cap -c "+ packets +" host "+hosts +" ");
    what i want to do is to run that command for some time, for example: i want to run the command for 10 minutes but unfortunately there is no argument for time in the snoop command. so i can't exit the command on a time basis ....
    any suggestions how can i fix that problem ?

  • Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

    With Rahul Rammanohar 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
    In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
    •       7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
    •       ASR9k: network processor capture
    •       7200/ISRs: embedded packet capture
    •       Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
    •       Cisco Nexus 7K: ELAM
    •       CRS: show captured packets
    •       ASR1K: embedded packet capture
    More Information
    Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
    Watch the Video:  https://supportforums.cisco.com/videos/6226
    Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service. 
    Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
    Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.  
    Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Erick
    Thanks for the topology. The trigger will be different for a labelled packet as you would need to mention the values of the labels too in the trigger.
    Below are two examples of one or two labels being used; it depends on where you are capturing the packet in the mplsvpn scenario, which will decide the number of labels being imposed on the packet.
    Trigger for one label. (if PHP is being performed on the router on which you are capturing the packet)
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    Trigger for two labels. (for other core routers)
    IGP label - 1234
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    You can check the labels being used (by using show ip cef <> details), convert their values to hex and change the trigger accordingly.
    I have changed the colors for better understanding. If you notice carefully, in the trigger the values for the ip addresses and labels have just been converted to their respective hex values, which could be replaced.
    Please let me know if this helps.
    Thanks & Regards
    Hitesh & Rahul
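
The hex conversion described in the reply above, as an added example that is not part of the original post: it builds the data and mask words from the decimal labels and dotted addresses and reproduces both triggers quoted there. The word layout (three unmatched words for the MAC addresses, then EtherType 0x8847, the label stack and the IPv4 header up to the destination address) is inferred from those two triggers, and the function name `elam_trigger` is hypothetical.

```python
import ipaddress
import struct

MPLS_ETHERTYPE = 0x8847  # MPLS unicast, the 0x8847 visible in both triggers


def _to_words(raw):
    """Pad to a 4-byte boundary and split into big-endian 32-bit words."""
    raw = bytes(raw) + b"\x00" * (-len(raw) % 4)
    return struct.unpack(">%dI" % (len(raw) // 4), raw)


def elam_trigger(labels, src_ip, dst_ip):
    """Build the 'data = ... [ mask ]' trigger for an MPLS-labelled IPv4 packet.

    labels: label values, outermost first (for example [IGP, VPN]).
    Layout is an assumption inferred from the page's examples: 12 bytes of
    MAC addresses (not matched), EtherType, one 4-byte entry per label,
    then a 20-byte IPv4 header in which only source/destination are matched.
    """
    data = bytearray(12)                      # dst MAC + src MAC, left as zero
    mask = bytearray(12)                      # ...and masked out

    data += struct.pack(">H", MPLS_ETHERTYPE)
    mask += b"\xff\xff"

    for label in labels:
        if not 0 <= label < 2 ** 20:
            raise ValueError("MPLS label must fit in 20 bits: %r" % label)
        # Label sits in the top 20 bits of the entry; TC, S and TTL are not
        # matched, so they stay zero in the data and are cleared in the mask.
        data += struct.pack(">I", label << 12)
        mask += struct.pack(">I", 0xFFFFF000)

    ip_data = bytearray(20)
    ip_mask = bytearray(20)
    ip_data[12:16] = ipaddress.IPv4Address(src_ip).packed
    ip_data[16:20] = ipaddress.IPv4Address(dst_ip).packed
    ip_mask[12:20] = b"\xff" * 8
    data += ip_data
    mask += ip_mask

    # Same notation as the post: zero words as "0", data in upper-case hex,
    # mask in lower-case hex.
    data_txt = " ".join("0x%08X" % w if w else "0" for w in _to_words(data))
    mask_txt = " ".join("0x%08x" % w if w else "0" for w in _to_words(mask))
    return ("show platform capture elam trigger dbus others if data = "
            "%s [ %s ]" % (data_txt, mask_txt))


if __name__ == "__main__":
    # Values from the post: VPN label 5678, IGP label 1234.
    print(elam_trigger([5678], "111.111.111.111", "123.123.123.123"))
    print(elam_trigger([1234, 5678], "111.111.111.111", "123.123.123.123"))
```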

  • Cisco Prime and WLC packet capture error - Request Timed Out

    Hello,
    We have a Cisco Prime installation (2.2.0) and a WLC (Cisco 5508)
    I’ve been trying to test the wireless packet capture function, but have now run into problems, a quick rundown of my actions so far:
    Selected a wireless access point in Prime and clicked ‘Packet Capture’
    Did a packet capture saving to the PI, the capture worked fine
    Could not find any way to delete the packet capture
    Selected a wireless access point in Prime and clicked ‘Packet Capture’
    Did a packet capture saving to an FTP server, the capture worked fine
    The 1st capture had finished (10 minute capture) before testing the second
    The 2nd capture has also finished and saved the files to the FTP server as specified
    Now though I cannot capture from any access point as when I click ‘Packet Capture’ I get the error:
    “Request Timed out. Error in getting data from server.”
    The error is ‘instant’ as in no delay indicating something actually timing out.
    So the 2 problems I have are:
    How do I fix the ‘request timed out’ error above
    How do I delete old packet captures from the PI
    I hope someone can help as I can’t find any info on either of the problems.
    Cheers
    Adrian

    I think I've solved (2) by deleting the files from the FTP directory on the prime box through SSH.
    So I'm now just stuck on the timed out error.

  • Empty pcap file with Embedded Packet Capture

    Hello,
    I have configured the EPC in my CISCO 2901 CUBE for monitoring VOIP traffic.
    #First I configure the type of traffic I want to filter
    access-list 110 permit tcp any any eq 5060
    access-list 110 permit tcp any any eq 5061
    access-list 110 permit udp any any eq 5060
    access-list 110 permit udp any any eq 5061
    #Then my buffer (too big, I know..)
    monitor capture buffer buff-SIP5 size 2048 max-size 9500
    # I apply the access-list to the buffer
    monitor capture buffer buff-SIP5 filter access-list 110
    # Define the capture point, both interfaces, IN and OUT..
    monitor capture point ip cef SIP5 all both 
    #Associate capture point with buffer
    monitor capture point associate SIP5 buff-SIP5
    #Start the capture
    monitor capture point start SIP5
    #Stop it..
    monitor capture point stop SIP5
    #Check if you have what you need
    show monitor cap buffer buff-SIP5 dump
    #Export it using scp
    monitor capture buffer buff-SIP5 export scp://[email protected]:/SIP5.pcap
    I would like some help with these two issues:
    1) When I export it, my pcap file is empty...yet when I do a dump, I can see everything I need
    2) If I don't apply the access-list filter, I can see the SIP messages in the pcap file. However, I cannot see the messages that sends the SBC, only the ones that it receives.
    Thanks in advance,
    Gabriel


  • How to display date for each packet in a Cisco ASA packet capture

    Hello,
    Quick question...On a Cisco ASA (v8.2) how does one show the date of each packet in a packet capture?
    When performing a packet capture from CLI you can do a "show capture testcapture" command and you can see that the time is at the beginning of each packet but how does one view the date as well as the time for each packet?  I know you can export the packet capture and it will show the date & time in wireshark but sometimes for just quick and dirty capture I'd like to view the capture from the CLI on the ASA itself without doing an export. 
    Sample capture below.  Time is displayed but not the date of the packet capture.  Issuing command "sh cap test detail" doesn't show the date either.  I checked on an ASA running v9 and it also doesn't show the date in the packet capture.
    ASA5505# sh cap test
       1: 08:51:56.112085 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x:  udp 404
       2: 08:52:18.111871 802.1Q vlan#12 P0 10.150.40.240.29082 > x.x.x.x.53:  udp 37
       3: 08:52:18.165366 802.1Q vlan#12 P0 y.y.y.y.53 > 10.150.40.240.29082:  udp 53
       4: 08:52:32.129235 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x4.500:  udp 404
       5: 08:52:37.111627 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
       6: 08:52:49.111490 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
    Thanks for any help.
    Joe

    Hi,
    I would suggest copying the capture from the ASA to some local host and opening the capture file with Wireshark to view the information
    For example
    copy /pcap capture:test tftp://x.x.x.x/test.pcap
    This should copy the current data in the capture to the mentioned location with the mentioned filename.
    I personally view the captures on the ASA CLI only if I am just confirming that some traffic comes to the firewall or when I am checking what happens to a TCP connection that can not be formed. It's a lot easier to go through bigger captures by copying them from the ASA and viewing them with an actual software meant for that purpose.
    Hope this helps :)
    - Jouni

  • ACE Packet capture

    Hi, I have tried to do a packet capture on the ACE by following this doc -
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting#Capturing_Packets_in_Real_Time
    Issue is, the output is displayed in a hexa-decimal format (In red below) -
    ACE1# show capture CAP2414 detail
    0001: msg_type: PKT_RCV
    ace_id: 18173           action_flag: 0x13
    src_addr: 10.127.84.153            src_port: 58653
    dst_addr: 10.127.85.153            dst_port: 14109
    l3_protocol: 0          l4_protocol: 6
    message_hex_dump:
    0x0000: 0007 0104 0000 46fd 0000 0000 0a7f 5499  ......F.......T.
    0x0010: 0a7f 5599 0609 0033 e51d 371d 0000 0000  ..U....3..7.....
    0x0020: 0104 0000 05b4 0000 0000 46fd 1300 0000  ..........F.....
    0x0030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0040: 0000 0000 0000 0001                      ........
    Even if I copy the CAP file to my laptop and open it in wireshark, I only see it showing source and destination MACs. (File attached)
    Can anyone please advise??

    Hi Kanwaljeet, the steps are -
    Step 1:
    access-list CAP line 8 extended permit ip host 10.127.84.152 host 10.127.85.152
    access-list CAP line 16 extended permit ip host 10.127.84.153 host 10.127.85.153
    Step 2:
    capture CAP interface all access-list CAP
    Step 3:
    capture CAP start
    Step 4:
    capture CAP stop
    Step 5:
    Copy capture CAP disk0:CAP
    Step 6:
    tftp the file CAP to the laptop and open in Wireshark

  • Multiple context mode, how to download the packet capture file

    Hi guys,
    Is there a way to download the packet capture file from a specific context? I know that I used to use https://<ASA_IP>/admin/capture/<capture> to download it if it is just one context. 
    The ASA uses mgmt 0/0 for management and it is connected in a separate OOB network. Only this network has TFTP servers for uploading the capture file. The context in question is in transparent mode. Its IP doesn't have access to any TFTP server.
    Thanks!
    Difan

    Hello Difan,
    Please refer the following document.
    https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
    Also what version of the ASA code are you using?
    Regards,
    Jai Ganesh K

  • Details about the packet capture output bits...

    Hi Mates,
    If we take the packet capture output, we will get similar output as follows:
    Please explain the significance of the highlighted bits values. (S,P,F and . )
    If there is any doc related to them, appreciate to share.
    Thanks & Regards
    Ramana

    S SYN
    P PUSH
    F FIN
    http://www.firewall.cx/networking-topics/protocols/tcp/136-tcp-flag-options.html
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • MPLS L2VPN packet capture

    Hi,
    I want to capture packet on gi0/0 of PE1 in order to show customer that all his traffic is encapsulated and transmitted by L2VPN (ldp signaling) in his lab.
    CE1-----------(g0/1)PE1(g0/0)------------PE2-----------CE2
    PE1 and PE2 are Cisco3945 and L2VPN is working well. I tried cisco RITE(Router IP Traffic Export Packet Capture) feature, but the output was not what I expected. I tried both export mode and capture mode. Only LDP hello message I got, looks like RITE is only interested in IP packet. Monitor session wasn't effective as well because it is not a switch.
    Is there any other way/workaround to capture customer's traffic encapsulated in L2VPN?
    What I did on PE1 when I was trying RITE export mode:
    ip traffic-export profile test
    bidirectional
    interface GigabitEthernet0/2
    mac-address e411.5b44.3a6d
    interface GigabitEthernet0/2
    ip address 10.1.2.1 255.255.255.0
    interface GigabitEthernet0/0
    ip traffic-export apply test
    Gi0/2 connected my PC(10.1.2.2) with wireshark installed.
    Many thanks.
    Regards,
    Jerry Fan

    Thanks Shivlu. I tried, but failed. 'monitor capture' is only interested in ipv4 and ipv6. Maybe the IOS in Cisco3945 isn't same as the IOS in Cat6500 or Cisco7600 or GSR/CSR.
    See following:
    ===================================================================
    Router_MPS_TEST_A#monitor capture ?    
      buffer  Control Capture Buffers
      point   Control Capture Points
    Router_MPS_TEST_A#monitor capture po
    Router_MPS_TEST_A#monitor capture point ?
      associate     Associate capture point with capture buffer
      disassociate  Dis-associate capture point from capture buffer
      ip            IPv4
      ipv6          IPv6
      start         Enable Capture Point
      stop          Disable Capture Point
    Router_MPS_TEST_A#monitor capture point ip ?
      cef               IPv4 CEF
      process-switched  Process switched packets
    Router_MPS_TEST_A#monitor capture point ip p
    Router_MPS_TEST_A#monitor capture point ip process-switched ?
      WORD  Name of the Capture Point
    Router_MPS_TEST_A#monitor capture point ip process-switched test-point ?
      both     Inbound and outbound and packets
      from-us  Packets originating locally
      in       Inbound packets
      out      Outbound packets
    Router_MPS_TEST_A#monitor capture point ip process-switched test-point b
    Router_MPS_TEST_A#monitor capture point ip process-switched test-point both ?
    Router_MPS_TEST_A#monitor capture point ip process-switched test-point both
    ===================================================================
    At last, I have to insert a switch in the middle of two cisco3945 and configured port span. That worked very well. Anyway, many thanks for your advice.
    Jerry Fan

  • Trouble Capturing Packets with Embedded Packet Capture

    Hi All,
    I am trying to capture packets originating from a server to a host device across three switches:
    server -- 6513 -- 3850 -- 3550 -- host A
    I am doing a ping from the server to host A. The packet capture is being done on the 3850. This is my configuration:
    access-list 100 permit icmp host 192.168.101.6 host 192.168.100.188
    access-list 100 permit icmp host 192.168.100.188 host 192.168.101.6
    end
    monitor capture buffer TRACE
    monitor capture buffer TRACE filter access-list 100
    monitor capture point ip cef CAP g1/1/1 both
    montior capture point associate CAP TRACE
    monitor capture point start CAP
    I then issue a ping from the server to host A. Interface g1/1/1 is where the 6513 connects to the 3850. When I issue a show monitor capture buffer all parameters, there are no packets. If I remove the filter from the buffer I still do not see the packets.
    Does anyone have any advice here?

    I tried recreating the packet capture with no access-list filtering.
    show mon cap buff all para
    Capture buffer cap (circular buffer)
    Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 0
    Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
    Associated Capture Points:
    Name : cap, Status : Active
    Configuration:
    monitor capture buffer cap circular
    monitor capture point associate cap cap
    interface GigabitEthernet1/1/1
     description UPLINK TO 6513
     switchport mode trunk
    end
