Enabling The Packet Capture Function - Cisco 4700M Administration Manual

Application control engine appliance

Capturing Packet Information

Enabling the Packet Capture Function

This section describes how to enable the packet capture function on the ACE for packet sniffing and
network fault isolation. As part of the packet capture process, you specify whether to capture packets
from all input interfaces or an individual VLAN interface. The packet capture feature streams output on
the console as packets are received by the ACE.
Prerequisites
To create a capture based on an access list, the access list must already exist. For information about
creating an access list, see the Cisco 4700 Series Application Control Engine Appliance Security
Configuration Guide.
Restrictions
This topic includes the following restrictions:
• The packet capture function enables access control lists (ACLs) to control which packets are
  captured by the ACE on the input interface. If the ACLs are selecting an excessive amount of traffic
  for the packet capture operation, the ACE will see a heavy load, which can cause a degradation in
  performance. We recommend that you avoid using the packet capture function when high network
  performance is critical.
  In addition, probe traffic will not hit a security ACL, so ACLs cannot control the capture of those
  packets. In this case, probe traffic cannot be captured by the packet capture function.
• The packet capture function works on an individual context basis. The ACE traces only the packets
  that belong to the current context where you execute the capture Exec mode command. The context
  ID, which is passed along with the packet, can be used to isolate packets that belong to a specific
  context. To trace the packets for a specific context, use the changeto Exec mode command to enter
  the specified context and then use the capture command.
• If you enable packet capture for jumbo packets, the ACE captures only the first 1,860 bytes of data.
• The ACE does not automatically save the packet capture to a file. To copy the capture buffer
  information as a file in Flash memory or to a remote server, use the copy capture command (see the
  "Copying Packet Capture Buffer Information" section).
• If you delete an interface while capturing packets based on that specific interface, the ACE stops
  the capture automatically. If you check the status of the packet capture using the show capture
  status command, you will notice that the capture stopped because of an interface deletion. At this
  point, you can perform any operation (for example, saving the old capture) on the capture except
  starting the capture. To restart the capture, you must delete the old capture and configure a new one.
  The ACE handles the deletion of an ACL or an ACL entry in a similar manner.
• When capturing packets based on a specific access list name, ensure that the access list is for an
  input interface. If you configure the packet capture on the output interface, the ACE will fail to
  match any packets.
• If you add an interface while you are already capturing all interfaces, the capture continues using all
  the original interfaces. If you add an ACL entry during an existing ACL capture, the capture
  continues normally using the original ACL criteria.
• If the ACE stops a packet capture because of an interface or ACL deletion, the following additional
  information appears in the output of the show capture buffer_name status command:
    Capture forced to stop due to change in [interface | access-list] config.
    To restart the capture, remove and add the capture again.

Chapter 4, Managing the ACE Software
Cisco 4700 Series Application Control Engine Appliance Administration Guide, OL-20823-01
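
The following session is an added example, not taken from the Cisco guide, that walks through the restrictions above: entering a context, running an ACL-based capture, saving the buffer, and recreating a capture that was forced to stop. The prompt, the names C1, CAPTURE1, CAPTURE2, ACL1, vlan50, vlan60 and the file name are constructed placeholders; command keywords other than changeto, capture, show capture ... status and copy capture are assumptions based on the ACE CLI as commonly documented and should be checked against the command reference for your release.

```cisco
! Constructed session. All names and the "host1" prompt are placeholders.

! Capture is per context: enter the context whose packets you want to trace.
host1/Admin# changeto C1

! ACL1 must already exist and be applied to an INPUT interface,
! otherwise the capture matches no packets. Keep ACL1 narrow to limit load.
host1/C1# capture CAPTURE1 interface vlan50 access-list ACL1
host1/C1# capture CAPTURE1 start

! ... vlan50 is deleted by another administrator while the capture runs ...

! The status output now carries the forced-stop notice quoted in the guide
! (other status lines omitted here).
host1/C1# show capture CAPTURE1 status
Capture forced to stop due to change in interface config.
To restart the capture, remove and add the capture again.

! The buffer is not saved automatically. Copy it to Flash before removing
! the capture; saving is still allowed after a forced stop, starting is not.
host1/C1# copy capture CAPTURE1 disk0: CAPTURE1_vlan50_saved

! Delete the old capture and configure a new one on an interface that exists.
! Assumes ACL1 is also applied inbound on vlan60.
host1/C1# capture CAPTURE1 remove
host1/C1# capture CAPTURE2 interface vlan60 access-list ACL1
host1/C1# capture CAPTURE2 start

! Stop as soon as the traffic of interest has been seen, then save.
host1/C1# capture CAPTURE2 stop
```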
