This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

EXOS Packet Capture

EXOS Packet Capture

Go to solution
Stefan_K_
Valued Contributor

‎05-18-2021 01:00 PM

Hello,

today I played around with the built-in packet capture of EXOS ( How To: How to perform a local packet capture on an EXOS switch | Extreme Portal (force.com) )

I’m able to capture packets and open the pcap file with wireshark, but I only see the following packets:

999ffec7689143d294de259a963f2492_0cfb738b-55a4-498b-9533-89f57cd81ed1.png

Wondering if I’m doing something wrong or if the feature is something else than I’m thinking. Any hints?

Best regards
Stefan

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
CThompsonEXOS
Extreme Employee

‎05-18-2021 03:54 PM

Hi,

You can use the editcap tool to remove the first 52 bytes.  Mine looked something like below from Powershell:

PS C:\Program Files\Wireshark> .\editcap.exe -C 52 editcap.pcap newpcap.pcap

syntax below:
PS C:\Program Files\Wireshark> .\editcap.exe -C 52 <original pcap filename> <new pcap filename>

Below is more on editcap:

https://www.wireshark.org/docs/man-pages/editcap.html

Before:

83850ff01e9c44fd92c42a4a8fa2122d_701970b3-7509-4c5a-9bf0-a8dab60f51b4.png

 

After:

83850ff01e9c44fd92c42a4a8fa2122d_65f32e5a-5e2a-4a35-96da-75256f170e72.png

 

Thanks,

Chris Thompson

View solution in original post

0 Kudos
11 REPLIES 11

Go to solution
booflix
New Contributor

2 weeks ago - last edited 2 weeks ago

It sounds like you’ve successfully captured traffic, but what you’re seeing in Wireshark suggests the capture might be limited in scope rather than “full” packet visibility. EXOS GMovies  packet capture is often interface- and filter-dependent, so if you’re only seeing a small subset of frames (like control or broadcast traffic), it could be due to the capture point, VLAN context, or applied filters.

0 Kudos

Go to solution
booflix
New Contributor

3 weeks ago - last edited 3 weeks ago

It sounds like the capture itself is working since you’re able to open the file in Wireshark, but the fact that you’re only seeing a limited or unexpected set of packets usually points to how (and where) the capture is being performed on EXOS.

One thing to keep in mind is that the built-in packet capture on EXOS doesn’t always behave like a full mirror/SPAN port. Depending on the configuration, it may only capture control-plane traffic or packets destined to/from the switch CPU, rather than all transit traffic on a port or VLAN. That could explain why your capture looks incomplete. Visit 

0 Kudos

Go to solution
booflix
New Contributor

‎03-13-2026 09:12 PM - edited ‎03-13-2026 09:12 PM

It sounds like the packet capture itself is working since you’re able to export the Cineby  pcap file and open it in Wireshark. In many cases with EXOS, seeing only a limited set of packets usually means the capture point or filter is restricting what the switch mirrors to the capture process. By default, the built-in capture may only see traffic that is processed by the CPU (control-plane traffic) rather than all data-plane traffic passing through the ports.

0 Kudos

Go to solution
booflix
New Contributor

‎02-16-2026 07:36 PM - edited ‎02-16-2026 07:36 PM

t sounds like the packet capture itself is working since you’re able to generate the pcap file and open it in Wireshark. If you’re only seeing a very limited set of packets Wooflix  (for example control-plane traffic like ARP, STP, LLDP, etc.), then it’s likely not a malfunction but rather how the built-in capture on ExtremeXOS (EXOS) is designed to operate.

0 Kudos
GTM-P2G8KFN