Packet capture on 3020 for HP switch

Similar Messages

• MARS didnt captured the Syslog for a Switch

  Hi All,
  I have CSMARS configured for my enterprise network. In one of the major incidents, one of the line card of my 6509 went faulty with following syslog,
  09-19-2010 09:59:40 UTC Local0.Error 192.168.228.3 150: Sep 19 15:19:32 IST: %EARL-SP-3-RESET_LC: Resetting module in slot 1. (Errorcode 1)
  09-19-2010 09:59:40 UTC Local0.Error 192.168.228.3 151: Sep 19 15:19:32 IST: %PF_ASIC-SPSTBY-3-ASIC_DUMP: [0:0x20C] ME_AR_P2MMU_FREE_TAIL = 0x28E
  However this syslog message was not captured by the CSMARS, or may be i am not getting a way to locate this error in the incidents tab.
  Please help me in understanding if CSMARS captures all the events or not. Or i have to enable some events to be forwarded to CSMARS. Or if the log is registered, how can i find this log in the MARS.

  EDIT:
  I just noticed the attachment in your last message.  It looks like you've mis-configured the device type in MARS. 
  If you are running Native IOS on your 6509 (such as 12.2SXH or SXI), the device type should be "Cisco Switch-IOS 12.2" to parse the logs correctly.  The device type "Cisco IOS 12.2" is for routers running IOS 12.2.
  I'm going to assume the faulty line card is not in the critical path between this switch and your MARS server (correct?).  Otherwise, halijenn's comment applies.
  Anyway, have you verified that you're receiving logs from that switch in MARS?  Have you verified they are being parsed correctly?  The easiest way is to run a query in MARS.
  - Run a query for the last 7 or more days
  - "Result Format" should be "All Matching Events" (or all matching sessions)
  - Under "Reporting Device", select the switch in question
  This will return any events from that switch, and verify that it's reporting (and being parsed) properly.
  If that's successful, I would run a second query.
  - Change the "Result Format" to "All Matching Event Raw Messages"
  - Limit the time frame to an hour before and after the timestamp on the log you pasted above
  - Under "Keyword", add "EARL\-SP\-3\-RESET\_LC" (without quotes), and set "Operation" to "OR"
  - In the second field, enter "PF\_ASIC\-SPSTBY\-3\-ASIC\_DUMP" (no quotes)
  This is a regular expression that should match the logs you're looking for.  Apply the settings and run the query.  This should tell you if MARS at least received the log.  If it did, then more work will need to be done to figure out why it didn't report properly.
  Just FYI -- it's very possible that MARS could not completely parse that specific log, which happens with a lot of messages from the 6509s.  It often reports them as "Generic IOS Syslog" or something similar.

• Packet Capture between WAE's

  Hi,
  I may be looking into this to much and I know the WAE's are doing things to speed the transfers but during FTP transfers between my sites I'm seeing alot of "TCP Retransmission" and "TCP DUP ACK". I don't see this on the LAN side after optimization so this might be normal...is it?
  Thanks,
  Mike

  Zach,
  My WAE's sit inline with our firewalls on the outside. So on the inline group.. Wan0 connects to a switch facing a router and the Lan0 has a cross-over cable between Lan0 and the outside interface of a PIX. I'm doing the 1st packet capture by spanning the Wan0 switch port...this is where I see the DUP ACK's and Retranmissions. I'm also doing a packet capture behind the firewall by spanning the PIX inside interface.

• Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

  With Rahul Rammanohar 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
  In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
  •       7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
  •       ASR9k: network processor capture
  •       7200/ISRs: embedded packet capture
  •       Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
  •       Cisco Nexus 7K: ELAM
  •       CRS: show captured packets
  •       ASR1K: embedded packet capture
  More Information
  Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
  Watch the Video:  https://supportforums.cisco.com/videos/6226
  Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service. 
  Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
  Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.  
  Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Erick
      Thanks for the topology. The trigger will be different for labelled  packet as you would need to mention the values of labels too in the  trigger.
       Below are two examples of one or two labels being  used, it depends on where you are capturing the packet in mplsvpn  scenario which will decide teh number of labels being imposed on the  packet.
  Trigger for one label. (if the router on which you are capturing the packet PHP is being performed)
  VPN label - 5678
  Source Address - 111.111.111.111
  Destination Address - 123.123.123.123
  show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F 7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
  Trigger for two labels. (for other core routers)
  IGP label - 1234
  VPN label - 5678
  Source Address - 111.111.111.111
  Destination Address - 123.123.123.123
  show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
      You can check the labels being used (by using show ip cef <> details) and covert their values to hex and change the trigger accordingly.
       I have changed the colors for better understanding. If you notice carefully in the trigger the values for ip address, labels have just been converted to their respective hex values which could be replaced.
       Please let me know if this helps.
  Thanks & Regards
  Hitesh & Rahul

• How to display date for each packet in a Cisco ASA packet capture

  Hello,
  Quick question...On a Cisco ASA (v8.2) how does one show the date of each packet in a packet capture?
  When performing a packet capture from CLI you can do a "show capture testcapture" command and you can see that the time is at the beginning of each packet but how does one view the date as well as the time for each packet?  I know you can export the packet capture and it will show the date & time in wireshark but sometimes for just quick and dirty capture I'd like to view the capture from the CLI on the ASA itself without doing an export. 
  Sample capture below.  Time is displayed but not the date of the packet capture.  Issuing command "sh cap test detail" doesn't show the date either.  I checked on an ASA running v9 and it also doesn't show the date in the packet capture.
  ASA5505# sh cap test
     1: 08:51:56.112085 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x:  udp 404
     2: 08:52:18.111871 802.1Q vlan#12 P0 10.150.40.240.29082 > x.x.x.x.53:  udp 37
     3: 08:52:18.165366 802.1Q vlan#12 P0 y.y.y.y.53 > 10.150.40.240.29082:  udp 53
     4: 08:52:32.129235 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x4.500:  udp 404
     5: 08:52:37.111627 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
     6: 08:52:49.111490 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
  Thanks for any help.
  Joe

  Hi,
  I would suggest copying the capture from the ASA to some local host and opening the capture file with Wireshark to view the information
  For example
  copy /pcap capture:test tftp://x.x.x.x/test.pcap
  This should copy the current data in the capture to the mentioned location with the mentioned filename.
  I personally view the captures on the ASA CLI only if I am just confirming that some traffic comes to the firewall or when I am checking what happens to a TCP connection that can not be formed. Its a lot easier to go through bigger captures by copying them from the ASA and viewing them with an actual software meant for that purpose.
  Hope this helps :)
  - Jouni

• Packet Capture for VPN traffic

  Hi Team,
  Please help me to set ACL and capture for Remote Access VPN traffic.
  Requirement is to see how much traffic is flowing from that Source IP.
  Source : Remote Access VPN IP(Tunneled) 10.10.10.10
  Destination : any
  This is what I did which is not working
  access-list VPN extended permit tcp host 10.10.10.10 any
  capture CAP_VPN type raw-data access-list VPN interface OUTSIDE

  Hello,
  If you set up the capture with that access list, you are filtering just TCP traffic, therefore you won't be able to see UDP or ICMP traffic too, I would recommend you using the same ACL, though using IP:
  access-list VPN extended permit ip host 10.10.10.10 any 
  Capture CAP_VPN access-list VPN interface outside 
  Then with:
  show capture CAP_VPN
  You will be able to see the packet capture on the ASA, though you can export the capture to a packet sniffer as follow:
    https://<ip address of asa>/capture/<capname>/pcap   capname-->CAP
  For further details of captures you can find it on this link
  Let me know if you could get the information you were trying to reach.
  Please don´t forget to rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• LMS 3.2 syntax for specifying an interface for packet capture

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Tableau Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";}
  Hi fellows,
  I have been trying to specify a particular interface on the packet capture windows and can not find the syntax on any documentation.
  It has to be something like @IPswitch /or: or ? and the interface
  Can someone have an example for the correct syntax?
  Thanks in advance
  Tewfiq

  You can't specify a device interface for packet capture.  The packet capture in LMS runs on the LMS server itself.  You can select a server interface and filter on a specific IP, but you cannot filter down to the device interface unless you filter on that device interface's IP address.  To filter on an IP, just type the IP address in the Address(es) text field.

• MPLS L2VPN packet capture

  Hi,
  I want to capture packet on gi0/0 of PE1 in order to show customer that all his traffic is encapsulated and transmitted by L2VPN (ldp signaling) in his lab.
  CE1-----------(g0/1)PE1(g0/0)------------PE2-----------CE2
  PE1 and PE2 are Cisco3945 and L2VPN is working well. I tried cisco RITE(Router IP Traffic Export Packet Capture) feature, but the output was not what I expected. I tried both export mode and capture mode. Only LDP hello message I got, looks like RITE is only interested in IP packet. Monitor session wasn't effective as well because it is not a switch.
  Is there any other way/workaround to capture customer's traffic encapsulated in L2VPN?
  What I did on PE1 when I was trying RITE export mode:
  ip traffic-export profile test
  bidirectional
  interface GigabitEthernet0/2
  mac-address e411.5b44.3a6d
  interface GigabitEthernet0/2
  ip address 10.1.2.1 255.255.255.0
  interface GigabitEthernet0/0
  ip traffic-export apply test
  Gi0/2 connected my PC(10.1.2.2) with wireshark installed.
  Many thanks.
  Regards,
  Jerry Fan

  Thanks Shivlu. I tried, but failed. 'monitor capture' is only interested in ipv4 and ipv6. Maybe the IOS in Cisco3945 isn't same as the IOS in Cat6500 or Cisco7600 or GSR/CSR.
  See following:
  ===================================================================
  Router_MPS_TEST_A#monitor capture ?    
    buffer  Control Capture Buffers
    point   Control Capture Points
  Router_MPS_TEST_A#monitor capture po
  Router_MPS_TEST_A#monitor capture point ?
    associate     Associate capture point with capture buffer
    disassociate  Dis-associate capture point from capture buffer
    ip            IPv4
    ipv6          IPv6
    start         Enable Capture Point
    stop          Disable Capture Point
  Router_MPS_TEST_A#monitor capture point ip ?
    cef               IPv4 CEF
    process-switched  Process switched packets
  Router_MPS_TEST_A#monitor capture point ip p
  Router_MPS_TEST_A#monitor capture point ip process-switched ?
    WORD  Name of the Capture Point
  Router_MPS_TEST_A#monitor capture point ip process-switched test-point ?
    both     Inbound and outbound and packets
    from-us  Packets originating locally
    in       Inbound packets
    out      Outbound packets
  Router_MPS_TEST_A#monitor capture point ip process-switched test-point b
  Router_MPS_TEST_A#monitor capture point ip process-switched test-point both ?
  Router_MPS_TEST_A#monitor capture point ip process-switched test-point both
  ===================================================================
  At last, I have to insert a switch in the middle of two cisco3945 and configured port span. That worked very well. Anyway, many thanks for your advice.
  Jerry Fan

• Packet captures in pcap format

  Running a packet capture on an ASA 5520 and I'd like to transfer the capture bucket in pcap format to my computer for analysis. I can get an ASCII record of the packets copied over using the "copy" command, however, I'd like to transfer the pcap dump using the "copy" command instead. Does anyone know how to do that transfer?
  The documentation states (8.x cmd reference, pg 4-11) that I should be able to get the pcap dump using a browser and the unit's web interface via https, but I think the unit gets confused with WebVPN when I make the transfer attempt.
  Thanks,
  Tariq

  Use the /pcap switch after the copy command. I've had some problems with copying out the outside interface for some reason but if you do a copy /pcap to flash and then copy the file from flash to your pc it should work just fine.

• Java packet capturing libraries ... ?

  HI All,
  actually i need to write some packet capturing code on solaris i have tried Jpcap library but there are some compilation issues on solaris .
  is there any other library which i can use for packet capturing except Jpcap ?
  thanks

  tcpdump hhhmmmmm... it actually can't work for me ....
  i am using Package "ch.ethz.ssh2" for ssh because i have to ssh to another server and run the snoop command on it.
  Ok, lets look at this code . can we find anything else for me
  <%@ page import="java.io.BufferedReader" %>
  <%@ page import="java.io.File" %>
  <%@ page import="java.io.IOException" %>
  <%@ page import="java.io.InputStream" %>
  <%@ page import="java.io.InputStreamReader" %>
  <%@ page import="ch.ethz.ssh2.Connection" %>
  <%@ page import="ch.ethz.ssh2.Session" %>
  <%@ page import="ch.ethz.ssh2.StreamGobbler" %>
  <%@ page import="java.io.BufferedWriter" %>
  <%@ page import="java.io.OutputStreamWriter" %>
  <%@ page import="java.io.PrintWriter" %>
  <%@ page import="ch.ethz.ssh2.SCPClient" %>
  <%@ page import="ch.ethz.ssh2.SFTPv3Client" %>
  <%@ page import="java.util.*" %>
  <%@ page  import="java.io.FileInputStream" %>
  <%@ page  import="java.io.BufferedInputStream"  %>
  <%@page contentType="text/html" pageEncoding="UTF-8"%>
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
     "http://www.w3.org/TR/html4/loose.dtd">
  <html>
      <head>
          <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
          <title>JSP Page</title>
      </head>
  <%
  String hosts = request.getParameter("hostname");
  String packets = request.getParameter("packets");
  String q =request.getParameter("q");
  String str="";
  String hostname = "127.1.1.1";
                  String username = "root";
                  File keyfile = new File("/root/ssh/id_dsa");  // or "~/.ssh/id_dsa"
                  String keyfilePass = "pass";
                      try
                          /* Create a connection instance */
                          Connection conn = new Connection(hostname);
                          /* Now connect */
                          conn.connect();
                          /* Authenticate */
                          boolean isAuthenticated = conn.authenticateWithPublicKey(username, keyfile, keyfilePass);
                          if (isAuthenticated == false)
                                  throw new IOException("Authentication failed.");
                          /* Create a session */
                          Session sess = conn.openSession();
                          sess.execCommand("snoop -d bge0 -o /export/myhome/file.cap -c "+ packets +" host "+hosts +" ");
                          InputStream stdout = new StreamGobbler(sess.getStdout());
                          BufferedReader br = new BufferedReader(new InputStreamReader(stdout));
                          System.out.println("Here is some information about the remote host:");
                          while (true)
                                  String line = br.readLine();
                                  if (line == null)
                                          break;
                                  System.out.println(line);
                              /* Close this session */
                                sess.close();
                          /* Close the connection */
                          conn.close();
                  catch (IOException e)
                          e.printStackTrace(System.err);
                          //System.exit(2);
  %>
  </html>problem with this code is when code reach the below line command starts running on remote server unitll it captures number of packets ..
  sess.execCommand("snoop -d bge0 -o /export/myhome/file.cap -c "+ packets +" host "+hosts +" ");what i want to do is to run that command for some time for example: i want to run the command for 10 minutes but unfortunately there is no argument for time in snoop command. so can't exit the command on time basis ....
  any suggestions how can i fix that problem ?

• Empty pcap file with Embedded Packet Capture

  Hello,
  I have configured the EPC in my CISCO 2901 CUBE for monitoring VOIP traffic.
  #First I configure the type of traffic I want to filter
  access-list 110 permit tcp any any eq 5060
  access-list 110 permit tcp any any eq 5061
  access-list 110 permit udp any any eq 5060
  access-list 110 permit udp any any eq 5061
  #Then my buffer (too big, I know..)
  monitor capture buffer buff-SIP5 size 2048 max-size 9500
  # I apply the access-list to the buffer
  monitor capture buffer buff-SIP5 filter access-list 110
  # Define the capture point, both interfaces, IN and OUT..
  monitor capture point ip cef SIP5 all both 
  #Associate capture point with buffer
  monitor capture point associate SIP5 buff-SIP5
  #Start the capture
  monitor capture point start SIP5
  #Stop it..
  monitor capture point stop SIP5
  #Check if you have what you need
  show monitor cap buffer buff-SIP5 dump
  #Export it using scp
  monitor capture buffer buff-SIP5 export scp://[email protected]:/SIP5.pcap
  I would like some help with these two issues:
  1) When I export it, my pcap file is empty...yet when I do a dump, I can see everything I need
  2) If I don't apply the access-list filter, I can see the SIP messages in the pcap file. However, I cannot see the messages that sends the SBC, only the ones that it receives.
  Thanks in advance,
  Gabriel

  I tried recreating the packet capture with no access-list filtering.
  show mon cap buff all para
  Capture buffer cap (circular buffer)
  Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 0
  Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
  Associated Capture Points:
  Name : cap, Status : Active
  Configuration:
  monitor capture buffer cap circular
  monitor capture point associate cap cap
  interface GigabitEthernet1/1/1
   description UPLINK TO 6513
   switchport mode trunk
  end

• Multiple context mode, how to download the packet capture file

  Hi guys,
  Is there a way to download the packet capture file from a specific context? I know that I used to use https://<ASA_IP>/admin/capture/<capture> to download it if it is just one context. 
  The ASA uses mgmt 0/0 for management and it is connected in a separate OOB network. Only this network has TFTP servers for uploading the capture file. The context in question is in transparent mode. Its IP doesn't have access to any TFTP server.
  Thanks!
  Difan

  Hello Difan,
                       Please refer the following document.
  https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
  Also what version of the ASA code are you using?
  Regards,
  Jai Ganesh K

• Details about the packet capture output bits...

                     Hi Mates,
  If we take the packet capture output, we will get similar output as follows:
  Please explain the significance of the highlighted bits values. (S,P,F and . )
  If tehre is ny doc related to them, appreciate to share.
  Thanks & Regards
  Ramana

  S SYN
  P PUSH
  F FIN
  http://www.firewall.cx/networking-topics/protocols/tcp/136-tcp-flag-options.html
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  http://laguiadelnetworking.com

• CISCO 3750X stacking for 5 switches , only 4 switches are coming in stack

  Dear All,
  I have 5 cisco 3750X switches ,but only 4 switches coming up 5 switches i am unable to see .
  Connection for the switch :Please find the attached snapshot for the stack data connection .
  Also find the snapshot for the stack power connection .
  Please provide your assistance and support to overcome this issue .

  Dear Marvin,
  Thanks for your reply.
  is my connection provided in attachment for data stack are ok .
  i login to Switch # 5 through console 
  following is the result :--
  switch: ?
             ? -- Present list of available commands
           arp -- Show arp table or arp-resolve an address
          boot -- Load and boot an executable image
           cat -- Concatenate (type) file(s)
          copy -- Copy a file
        delete -- Delete file(s)
           dir -- List files in directories
    flash_init -- Initialize flash filesystem(s)
        format -- Format a filesystem
          fsck -- Check filesystem consistency
          help -- Present list of available commands
        memory -- Present memory heap utilization information
      mgmt_clr -- clear management port statistics
     mgmt_init -- initialize management port
     mgmt_show -- show management port statistics
         mkdir -- Create dir(s)
          more -- Concatenate (display) file(s)
          ping -- Send ICMP ECHO_REQUEST packets to a network host
        rename -- Rename a file
         reset -- Reset the system
         rmdir -- Delete empty dir(s)
           set -- Set or display environment variables
        set_bs -- Set attributes on a boot sector filesystem
     set_param -- Set system parameters in flash
         sleep -- Pause (sleep) for a specified number of seconds
          type -- Concatenate (type) file(s)
         unset -- Unset one or more environment variables
       version -- Display boot loader version
  switch: version
  C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(58r)SE, RELEASE SOFTWARE (fc1)
  Compiled Tue 26-Apr-11 06:59 by abhakat
  switch: boot
  Loading "flash:/c3750e-universalk9-mz.122-58.SE2/c3750e-universalk9-mz.122-58.SE2.bin"...flash:/c3750e-universalk9-mz.122-58.SE2/c3750e-universalk9-mz.122-58.SE2.bin: no such file or directory
  Error loading "flash:/c3750e-universalk9-mz.122-58.SE2/c3750e-universalk9-mz.122-58.SE2.bin"
  Interrupt within 5 seconds to abort boot process.
  Boot process failed...
  switch:
  All other 4 switches i can see in stack but not these switches and also the status light for this switches is blinking green  please provide your assistance .

• Trouble Capturing Packets with Embedded Packet Capture

  Hi All,
  I am trying to capture packets originating from a server to a host device across three switches:
  server -- 6513 -- 3850 -- 3550 -- host A
  I am doing a ping from the server to host A. The packet capture is being done on the 3850. This is my configuration:
  access-list 100 permit icmp host 192.168.101.6 host 192.168.100.188
  access-list 100 permit icmp host 192.168.100.188 host 192.168.101.6
  end
  monitor capture buffer TRACE
  monitor capture buffer TRACE filter access-list 100
  monitor capture point ip cef CAP g1/1/1 both
  montior capture point associate CAP TRACE
  monitor capture point start CAP
  I then issue a ping from the server to host A. Interface g1/1/1 is where the 6513 connects to the 3850. When I issue a show monitor capture buffer all parameters, there are no packets. If I remove the filter from the buffer I still do not see the packets.
  Does anyone have any advice here?

  I tried recreating the packet capture with no access-list filtering.
  show mon cap buff all para
  Capture buffer cap (circular buffer)
  Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 0
  Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
  Associated Capture Points:
  Name : cap, Status : Active
  Configuration:
  monitor capture buffer cap circular
  monitor capture point associate cap cap
  interface GigabitEthernet1/1/1
   description UPLINK TO 6513
   switchport mode trunk
  end