Sniffing traffic punted to CPU on Cisco 6500

Submitted by cliff on Wed, 21/03/2018 - 10:57

Sometimes your Cisco 6500 seems to having a hard time with high CPU. Most cases are pretty obvious, like rancid or librenms runs, arp or dhcpd storms. But sometimes it is not that obvious and you want to know which traffic flows to your CPU. Time to dump the packets to the CPU. The following has been retrieved from Please note that the SUP2T has no support for this (source)!

Cisco IOS Release 12.2(18)SXF

switch#monitor session 1 source interface <mod/port> 
!Use any dummy interface that is administratively shut down.
switch#monitor session 1 destination interface <mod/port> 
switch#remote login switch
switch-sp#test monitor add 1 rp-inband tx

Cisco IOS Releases 12.2(33)SXH and later

switch(config)# monitor session 1 type local
switch(config-mon-local)# source cpu rp tx
switch(config-mon-local)# destination interface <mod/port>
switch(config-mon-local)# no shut

This configuration mirrors traffic on the SP-RP inband path, and diverts it to the destination interface. Connect a PC on the destination interface, and start the sniffer application (Wireshark, for example) in order to capture traffic received on the Network Interface Card (NIC).