
Wireshark Packet Capture in CML 2 / VIRL 2
My first post in a while…
I recently started using Cisco Modeling Labs Personal / VIRL 2 and noticed it had no Wireshark packet capture function, or a way to download pcap files. However, captures can be performed!
This can be done using Netcat to stream the capture over the network. This example is on a Mac.
First, we start a capture in our CML Personal Lab. This is done by selecting the link and navigating to the Packet Capture tab.
I set the Max Packets value to something high, so the capture doesn’t end before I have time to set things up. I then click start.

In Terminal, run the following command:
nc -l 20000 | wireshark -ki -
This starts the Netcat process listening on port 20000. It pipes the output into Wireshark. The ‘-k’ option tells Wireshark to start capturing instantly and the ‘-i -‘ option tells Wireshark to capture from stdin. I think.
Now, on the CML Personal server log in to the Cockpit (https://<server ip>:9090) and go to the Terminal tab.

Run the following command:
sudo tail -f /var/tmp/*.pcapng -n +1 | nc <Capture System IP> 20000
Captures are stores in /var/tmp. They’re deleted once the capture ends. This command assumes only a single capture is running. You could use the specific filename if multiple captures are running. The tail -f command watches the file for updates and continually pipes data to Netcat. The ‘-n +1’ option ensures that the whole file is piped from the beginning by instructing the tail -f command to start at line 1. Netcat pipes the output to the Capture system on port 20000.
Packets will now begin to stream into Wireshark…

It’s all a bit awkward, so it will be really nice once Cisco create this functionality via the GUI.
3 thoughts on “Wireshark Packet Capture in CML 2 / VIRL 2”
Hi Matt,
Doesn’t this look like another half cooked Cisco product, sell it before it is ready and usful? There are issues with CML, you cannot update cokpit, this will break the CML services, you cannot reregister it once the VM is messed up without emailing CML community manager directly and then waiting a couple of days so that they sort this out. and Having packet capture missing without been able to access it without certain level of terminal sckills on Linux is just a joke, for a premium product I would have expected something more, and paying only to be Leagally entitled to use the images for Studies.
Thanks, this was my rant as I started with this product recently and have to say that I regret purchasing it.
Hi Aigars
Yeah I agree, it’s the beginning of a fantastic product, but isn’t there yet. With it being a paid product I hold it to a much higher standard than something like EVE-NG. If I hadn’t been given a license for free with learning credits, I probably wouldn’t have purchased it myself. Its not enough of an upgrade… yet.
That said, I do really like how I can connect/disconnect interfaces of running routers. It’s fantastic for making quick changes, or for simulating something like a VM moving around a DC. Exposing an API is really cool too. I’ve done very little with that, but can see it being quite useful for taking some of the tedium out of setting up labs.
Thanks for the tip.
I wasn’t able to use the wildcard for filename, but it works if I use the filename