How to Do Packet Captures on Cisco Catalyst 9300X Switches for a Specific VLAN
A complete step-by-step guide using Embedded Packet Capture (EPC) — fully updated for IOS-XE
Troubleshooting network issues on a Cisco Catalyst 9300X switch often requires deep visibility into traffic flowing through a specific VLAN. Whether you are chasing a broadcast storm, diagnosing application latency, or validating security policies, packet captures give you the raw evidence you need.
The Cisco Catalyst 9300X runs IOS-XE and supports a powerful built-in feature called Embedded Packet Capture (EPC). This tool lets you capture live packets directly on the switch — no external TAP, no SPAN port mirroring to an external device required.
In this guide, you will learn exactly how to configure, run, analyze, and export packet captures on a Cisco Catalyst 9300X for a specific VLAN — step by step.
📋 Table of Contents
- What Is Embedded Packet Capture (EPC)?
- Prerequisites and Requirements
- Understanding VLAN Capture Strategy on 9300X
- Step-by-Step: Configure EPC for a Specific VLAN
- Filtering Capture by VLAN Using Access Control Lists
- Starting and Stopping the Capture
- Viewing Capture Results on the Switch
- Exporting the PCAP File for Wireshark Analysis
- Advanced Tips and Best Practices
- Troubleshooting Common Issues
- Frequently Asked Questions (FAQ)
1. What Is Embedded Packet Capture (EPC)?
Embedded Packet Capture (EPC) is a Cisco IOS-XE feature that enables network engineers to capture packets directly on a router or switch without requiring any external hardware or software. It is deeply integrated into the forwarding plane of Cisco devices.
On the Cisco Catalyst 9300X, EPC captures packets at the interface level. You attach a capture point to a physical interface or an SVI (Switched Virtual Interface), apply optional filters, and store the results in device memory (or export them).
✅ Key Benefits of EPC on Catalyst 9300X:
- No external TAP or SPAN destination device required
- Capture at ingress, egress, or both directions
- Filter by ACL — including VLAN-specific matches
- Export captures as standard .pcap files for Wireshark
- Zero impact on production switching performance (hardware-assisted)
- Supported on IOS-XE 16.x and later
2. Prerequisites and Requirements
Before starting your packet capture, make sure the following conditions are met:
| Requirement | Details |
|---|---|
| Platform | Cisco Catalyst 9300X (C9300X) |
| IOS-XE Version | 16.9.x or later recommended; 17.x preferred |
| CLI Access | SSH or Console access with privilege level 15 |
| VLAN Knowledge | Know the VLAN ID and associated interface(s) |
| Flash Memory | At least 50–100 MB free on flash or bootflash |
| Wireshark (optional) | For analyzing exported .pcap files on your PC |
3. Understanding VLAN Capture Strategy on the 9300X
Unlike routers, the Catalyst 9300X is a Layer 2/Layer 3 switch. There are two primary strategies to capture VLAN-specific traffic:
Strategy A — Capture on the SVI (VLAN Interface)
Attach the capture point to the VLAN SVI (e.g., interface Vlan10). This captures Layer 3 routed traffic entering or leaving that VLAN. Best for routed traffic analysis.
Strategy B — Capture on Physical/Trunk Interface + ACL VLAN Filter
Attach the capture to a physical uplink or trunk port and apply an ACL that filters by VLAN tag or subnet. Best for Layer 2 switching and inter-VLAN traffic on trunk links.
Important Note on VLAN Filtering
EPC does not natively support attaching a capture point directly to a VLAN (Layer 2 domain). You must use a physical interface or SVI as the attachment point and use ACLs to restrict capture to VLAN-specific traffic (subnet-based filtering). This guide covers both methods.
4. Step-by-Step: Configure EPC for a Specific VLAN
We will walk through both methods below. In our example, we are capturing traffic for VLAN 10 with subnet 192.168.10.0/24.
⚡ Method A: Capture via SVI (Vlan10 Interface)
Step 1 — Verify the SVI exists:
show interfaces Vlan10
Step 2 — Create a capture buffer (RAM-based):
monitor capture VLAN10_CAP buffer size 10 circular
Step 3 — Attach capture point to the SVI (both directions):
monitor capture VLAN10_CAP interface Vlan10 both
Step 4 — (Optional) Apply ACL filter for subnet 192.168.10.0/24:
configure terminal
ip access-list extended VLAN10_FILTER
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip any 192.168.10.0 0.0.0.255
end
monitor capture VLAN10_CAP access-list VLAN10_FILTER
⚡ Method B: Capture via Physical/Trunk Interface
Step 1 — Identify the trunk interface carrying VLAN 10:
show interfaces trunk
show vlan id 10
Step 2 — Create a named capture buffer:
monitor capture VLAN10_TRUNK buffer size 20 circular
Step 3 — Attach to the physical uplink (e.g., TenGigabitEthernet1/0/1):
monitor capture VLAN10_TRUNK interface TenGigabitEthernet1/0/1 both
Step 4 — Apply VLAN subnet ACL filter:
monitor capture VLAN10_TRUNK access-list VLAN10_FILTER
5. Filtering Capture by VLAN Using Access Control Lists
Since EPC on the 9300X does not filter by raw VLAN ID directly, the cleanest approach is filtering by the IP subnet associated with your VLAN. Here is a complete ACL example for multiple scenarios:
Example: VLAN 10 (192.168.10.0/24) — Capture ALL traffic from/to VLAN 10:
configure terminal
ip access-list extended VLAN10_FILTER
 10 permit ip 192.168.10.0 0.0.0.255 any
 20 permit ip any 192.168.10.0 0.0.0.255
end
Example: Capture only HTTP/HTTPS traffic from VLAN 10:
configure terminal
ip access-list extended VLAN10_WEB
 10 permit tcp 192.168.10.0 0.0.0.255 any eq 80
 20 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 30 permit tcp any eq 80 192.168.10.0 0.0.0.255
 40 permit tcp any eq 443 192.168.10.0 0.0.0.255
end
monitor capture VLAN10_CAP access-list VLAN10_WEB
Example: Capture only between VLAN 10 and VLAN 20 (192.168.20.0/24):
configure terminal
ip access-list extended VLAN10_TO_20
 10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 20 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
end
monitor capture VLAN10_CAP access-list VLAN10_TO_20
💡 Pro Tip
You can use match any to capture all traffic on the interface without an ACL filter, then filter in Wireshark later with a display filter such as vlan.id == 10, provided the capture was taken on an interface that carries 802.1Q-tagged frames.
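To check offline which flows a capture ACL would select before applying it (an overly narrow ACL is a common reason for an empty buffer), the following added example, which is not part of the original article, parses the VLAN10_WEB entries shown above and applies Cisco wildcard-mask matching to a flow. The function names and sample flows are assumptions made for illustration, and only the `any`, `host`, wildcard and `eq` forms used in this section are handled.

```python
import ipaddress

# Constructed input: the VLAN10_WEB ACL from this section.
VLAN10_WEB = """
ip access-list extended VLAN10_WEB
 10 permit tcp 192.168.10.0 0.0.0.255 any eq 80
 20 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 30 permit tcp any eq 80 192.168.10.0 0.0.0.255
 40 permit tcp any eq 443 192.168.10.0 0.0.0.255
"""

def _u32(addr):
    return int(ipaddress.IPv4Address(addr))

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, care_mask)."""
    head = tok.pop(0)
    if head == "any":
        return 0, 0
    if head == "host":
        return _u32(tok.pop(0)), 0xFFFFFFFF
    return _u32(head), ~_u32(tok.pop(0)) & 0xFFFFFFFF  # wildcard 1-bits = don't care

def _port(tok):
    """Consume an optional 'eq PORT'; None means any port."""
    if tok[:1] != ["eq"]:
        return None
    tok.pop(0)
    return int(tok.pop(0))

def parse_acl(text):
    """Parse '[seq] permit|deny PROTO SRC [eq P] DST [eq P]' entries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0].isdigit():
            tok.pop(0)  # drop the sequence number
        if tok and tok[0] in ("permit", "deny"):  # skips the ACL header line
            entries.append((tok.pop(0) == "permit", tok.pop(0),
                            _addr(tok), _port(tok), _addr(tok), _port(tok)))
    return entries

def captured(entries, proto, src, sport, dst, dport):
    """First match wins; no match is the implicit deny, so nothing is captured."""
    for permit, p, (sb, sm), sp, (db, dm), dp in entries:
        if (p in ("ip", proto)
                and (_u32(src) & sm) == (sb & sm) and (_u32(dst) & dm) == (db & dm)
                and sp in (None, sport) and dp in (None, dport)):
            return permit
    return False
```

For example, `captured(parse_acl(VLAN10_WEB), "udp", "192.168.10.25", 53000, "192.168.10.1", 53)` returns `False`: DNS from VLAN 10 would never reach the buffer with this filter applied.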
6. Starting and Stopping the Capture
▶ Start the Capture:
monitor capture VLAN10_CAP start
⏸ Verify capture is running:
show monitor capture VLAN10_CAP
⏹ Stop the Capture:
monitor capture VLAN10_CAP stop
You can also set the capture to stop automatically after a time limit or packet count:
! Stop after 60 seconds
monitor capture VLAN10_CAP limit duration 60
! Stop after 1000 packets
monitor capture VLAN10_CAP limit packets 1000
! Set max packet size (snaplen)
monitor capture VLAN10_CAP limit packet-len 1518
✅ Best Practice
Always set a duration or packet limit on production switches to prevent the capture buffer from consuming excessive memory and impacting switch performance.
7. Viewing Capture Results on the Switch
You can display captured packets directly in the CLI without exporting to Wireshark:
Display brief summary of all captured packets:
show monitor capture VLAN10_CAP buffer brief
Display detailed decode of captured packets:
show monitor capture VLAN10_CAP buffer detail
Display dump in hex + ASCII:
show monitor capture VLAN10_CAP buffer dump
Check capture statistics:
show monitor capture VLAN10_CAP
The output will show fields like: Capture Status (Active/Inactive), Buffer Used, Packets Received, Packets Dropped, and the capture filter applied.
8. Exporting the PCAP File for Wireshark Analysis
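For detailed analysis in Wireshark, export the captured packets as a standard PCAP file. The Catalyst 9300X supports exporting to flash, a TFTP server, an FTP server, or HTTP. TFTP and FTP send the capture unencrypted, and the FTP URL form puts the password on the command line, so for captures that contain sensitive traffic prefer exporting to flash and copying the file off over SCP.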
Option 1 — Export to Local Flash:
monitor capture VLAN10_CAP export flash:VLAN10_capture.pcap
Option 2 — Export to a TFTP Server:
monitor capture VLAN10_CAP export tftp://192.168.1.100/VLAN10_capture.pcap
Option 3 — Export to FTP Server:
monitor capture VLAN10_CAP export ftp://admin:password@192.168.1.50/VLAN10_capture.pcap
Verify the file on flash:
dir flash: | include pcap
📥 How to Download the PCAP File to Your PC via SCP:
# From your PC terminal (Linux/Mac):
scp admin@192.168.1.1:flash:VLAN10_capture.pcap ~/Downloads/
On Windows, use WinSCP to connect via SCP/SFTP to the switch management IP.
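Once the file is on your PC, the grouping that the Wireshark display filter vlan.id == 10 performs can also be scripted. The following added example, which is not part of the original article, reads a classic-pcap file and groups its records by outer 802.1Q VLAN ID, so you can see at once whether a capture carries tags (trunk port) or not (SVI); the function names are assumptions and the sample capture is constructed in code.

```python
import struct

def build_sample_pcap():
    """Constructed sample: frames tagged VLAN 10 and VLAN 20, then one untagged frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    macs = bytes.fromhex("020000000002" "020000000001")  # dst MAC + src MAC
    frames = [
        macs + struct.pack("!HHH", 0x8100, (5 << 13) | 10, 0x0800) + bytes(46),
        macs + struct.pack("!HHH", 0x8100, 20, 0x0800) + bytes(46),
        macs + struct.pack("!H", 0x0800) + bytes(46),
    ]
    recs = (struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + b"".join(recs)

def frames_by_vlan(pcap_bytes):
    """Map outer 802.1Q VLAN ID (None = untagged) to 1-based record numbers."""
    # Magic number decides byte order (microsecond and nanosecond variants).
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("link type %d is not Ethernet" % linktype)
    out, off, num = {}, 24, 0
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        num += 1
        vid = None
        if len(frame) >= 16:
            tpid, tci = struct.unpack("!HH", frame[12:16])
            if tpid == 0x8100:
                vid = tci & 0x0FFF  # low 12 bits; the top 4 are PCP/DEI
        out.setdefault(vid, []).append(num)
    return out

if __name__ == "__main__":
    print(frames_by_vlan(build_sample_pcap()))
```

To run it against a real export, pass the file contents instead of the sample, for instance `frames_by_vlan(open("VLAN10_capture.pcap", "rb").read())`.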
9. Advanced Tips and Best Practices
🔁 Use Linear vs. Circular Buffer Mode
Circular — When buffer is full, oldest packets are overwritten. Good for continuous monitoring.
Linear — Capture stops when buffer is full. Good for capturing the first N packets of an event.
monitor capture VLAN10_CAP buffer size 25 linear
📁 Capture Directly to Flash File (Instead of RAM Buffer)
For large or long captures, write directly to flash to avoid RAM limitations:
monitor capture VLAN10_CAP file location flash:VLAN10_capture.pcap buffer-size 50
monitor capture VLAN10_CAP start
🧹 Clean Up After Capture
Always remove capture configurations when done to free resources:
no monitor capture VLAN10_CAP
🎯 Multiple Interface Attachment
You can attach the same capture point to multiple interfaces:
monitor capture VLAN10_CAP interface GigabitEthernet1/0/1 both
monitor capture VLAN10_CAP interface GigabitEthernet1/0/2 both
10. Troubleshooting Common Issues
| Problem | Likely Cause | Solution |
|---|---|---|
| Capture shows 0 packets | Wrong interface, ACL too restrictive, or no traffic | Verify interface with show monitor capture, check ACL, test with match any |
| Cannot start capture — error | Another capture already running or missing buffer config | Run show monitor capture and stop/delete existing captures first |
| Export fails to TFTP | TFTP server unreachable or firewall blocking UDP 69 | Verify reachability with ping from switch; check TFTP server is running |
| Buffer fills too fast | High traffic volume on interface | Use circular buffer, reduce snaplen, or add more specific ACL filters |
| SVI capture missing L2 info | SVI captures L3 traffic; VLAN tags not present | Use physical trunk interface capture to see 802.1Q VLAN tags |
| High CPU during capture | Software-forwarded packets being captured at high rate | Limit capture with duration and packet-count limits; use hardware-assisted filtering |
11. Frequently Asked Questions (FAQ)
Q: Can I capture packets directly on a VLAN without specifying an interface?
A: Not directly. EPC on the Catalyst 9300X requires an interface attachment point — either a physical port or an SVI. You then use ACLs to restrict the captured traffic to a specific VLAN's subnet. VLAN-level attachment is not a supported EPC option on this platform.
Q: Does running EPC impact switch performance?
A: The Catalyst 9300X uses hardware-assisted capture, so the performance impact is minimal for typical traffic volumes. However, always apply specific ACL filters and set packet/duration limits on production devices to minimize any risk.
Q: What is the maximum buffer size for EPC on the 9300X?
A: The maximum in-memory buffer is typically 100 MB. For larger captures, use file-based capture directly to flash (which can be larger depending on available flash space).
Q: Can I run multiple simultaneous captures on a 9300X?
A: Yes, but with limitations. The 9300X supports a small number of concurrent capture sessions (typically 2–4). Each consumes buffer memory, so plan accordingly for production environments.
Q: Can I do a packet capture on a StackWise Virtual (SVL) setup?
A: Yes. EPC works on individual stack members. Specify the interface on the member switch (e.g., GigabitEthernet2/0/1 where 2 is the stack member number). You can also use the SVL interface directly.
Q: Is PCAP file format compatible with Wireshark?
A: Yes. The EPC-exported file is in standard libpcap format (.pcap) which is fully compatible with Wireshark, tshark, tcpdump, and any other packet analysis tool that supports the standard PCAP format.
📌 Quick Reference
Complete EPC Cheat Sheet for VLAN Capture on Catalyst 9300X
! STEP 1: Create ACL for VLAN 10 subnet (global configuration mode)
configure terminal
ip access-list extended VLAN10_FILTER
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip any 192.168.10.0 0.0.0.255
end
! STEP 2: Create capture with buffer
monitor capture VLAN10_CAP buffer size 10 circular
! STEP 3: Attach to SVI
monitor capture VLAN10_CAP interface Vlan10 both
! OR attach to physical interface
monitor capture VLAN10_CAP interface TenGigabitEthernet1/0/1 both
! STEP 4: Apply ACL filter
monitor capture VLAN10_CAP access-list VLAN10_FILTER
! STEP 5: Set limits (recommended)
monitor capture VLAN10_CAP limit duration 60 packets 5000
! STEP 6: Start capture
monitor capture VLAN10_CAP start
! STEP 7: Verify capture
show monitor capture VLAN10_CAP
! STEP 8: Stop capture
monitor capture VLAN10_CAP stop
! STEP 9: View in CLI
show monitor capture VLAN10_CAP buffer brief
! STEP 10: Export to flash
monitor capture VLAN10_CAP export flash:VLAN10_capture.pcap
! STEP 11: Export to TFTP server
monitor capture VLAN10_CAP export tftp://192.168.1.100/VLAN10.pcap
! STEP 12: Cleanup
no monitor capture VLAN10_CAP
✅ Conclusion
The Cisco Catalyst 9300X's Embedded Packet Capture (EPC) is a powerful, built-in tool that eliminates the need for external capture hardware when troubleshooting VLAN-specific traffic issues.
By attaching a capture point to either the VLAN SVI or a physical/trunk interface — and applying an ACL that matches the VLAN's IP subnet — you can precisely isolate and analyze the exact traffic you need, export it as a standard PCAP file, and open it in Wireshark for deep-dive analysis.
Remember: Always set packet limits and durations on production switches, clean up your capture sessions when done, and use specific ACL filters to minimize performance overhead. Happy packet hunting! 🦈
THE NETWORK DNA