Video: Running a Packet Capture

MerakiJess
Meraki Employee

Switching gears this week, we are going to start looking at some troubleshooting videos! You can use the Meraki dashboard and the packet capture utility to observe live network traffic passed through Meraki devices. Check out the following video to learn how! 

 

 

This video is part of the Troubleshooting with Meraki module in the Meraki Platform Fundamentals course. Learn how to troubleshoot with Meraki in only 30 minutes!

4 Comments
texmansru47
Just browsing

Is there a list of filter expressions we can use? I am trying to get the IP address from the management port of my server (port 21) on my MS-220-24P switch. I need to get this IP so I can get in there with a crossover cable to change it so I can get into the BIOS... but I cannot get the IP address from the port, and I was told I need filter expressions, but I cannot find the proper syntax for that.

 

Any help would be appreciated.  

 

BTW my server is a Cisco UCS C200 M2 that I cannot get a single bit of Cisco support for since it is too old I guess. My F8 BIOS does not work, the KVM console cable does not work and I don't have the IP for the CIMC. So getting this IP will be so important!

kydave
Meraki Employee

Hi texmansru47, 
The video posted above is part of the "Capturing Packets with a Security Appliance" eLearning module. We have a handy downloadable capture filter summary "cheat sheet" on page 6, but you can get it here directly.

Otherwise, if you go to Switching > Switches, do you see your UCS server listed as a client? Hopefully you know its MAC address from that page or from a physical label on the server itself. Often the IP address will be shown in the Clients list too.

If it isn't, you'll need to look at the box where the routing for the server's subnet takes place. For example, that might be an MX security appliance. If that's the case, you can display the MX's ARP table by navigating to Security & SD-WAN > Appliance Status, then select the Tools tab. Toward the bottom is ARP table. Select the Run button, then see if you can find the server's MAC address in that output.

If you don't find the IP address there, go for a packet capture and filter on the server's MAC address (ether host xx:xx:xx:xx:xx:xx). The server might be sitting idle and not transmitting anything for a long while, so you may have to let the capture run more than a minute. Downloading the capture to Wireshark will let you run for much longer.

Hope this helps!

texmansru47
Just browsing

The problem is I don't know the IP address. This is a management port on a Cisco UCS server... I have even connected a crossover cable to a WIN 11 PC that has Wireshark on it to no avail.

 

I truly wish Meraki would show the IP of the connected host per port on the MS series switches.  It would simplify a TON.

 

I cannot reboot my server since I cannot get into the device to get to the CIMC to change the BIOS so I can boot from the DVD. These UCS were a failed effort from Cisco since they lost their minds ignoring a true BIOS boot. I have NEVER had a server that completely passes the CMOS screen at boot. It goes from hardware check to the OS. Completely out of the norm... and of course I cannot get any help with that or these packet captures where I can get the ARP data of a possible IP address.

kydave
Meraki Employee

Gotcha. I was suggesting a look at the ARP table because that's the only way to correlate a device's MAC and IP addresses. Maybe you're not able to find the management port's MAC address either.

 

Let's try to find the MAC first. Go to Switching > Switches, then select the switch name where the UCS mgmt port is connected. That should give you a list of clients like this:

[Screenshot: kydave_0-1724292590819.png]

 

Look for the specific switch port. If the switch is able to learn anything from traffic that the UCS mgmt port has sent, it will display the MAC and IP addresses. (If you don't see those columns listed, click on the wrench icon in top right and check the boxes next to MAC address and IP address.)

It's possible that you won't find an IP address listed there for the UCS. That's because the box hasn't sent any ARP replies that identify its MAC address with an IP address. Maybe it doesn't have a static IP address configured already, or maybe the box is just sitting idle and quiet, not transmitting. This is the point where you can dump the ARP table of the upstream MX or switch that's acting as a router on the UCS's VLAN and hopefully find the IP address listed there.

Try to do a packet capture on the switch port. Go to Network-wide > Packet capture, then select the switch and port where the UCS mgmt port is connected. You can kick off the capture with no filter at all; the capture will have any traffic to/from the UCS, as well as any broadcast traffic too. That might be a ton of packets to sift through. If you know the MAC address, then use filter ether host xx:xx:xx:xx:xx:xx (where xx's are the hex digits). That'll capture only packets to/from that MAC.

Here's another idea - go to the switch port's settings and change the VLAN number to something that isn't used anywhere else in your network. That will isolate the UCS mgmt port onto its own VLAN, then you can capture on the switch port without a filter and you won't get any broadcast traffic from other machines. You might have to let the capture run for a long time if the server is idle and quiet.

Let me know what happens!
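Added example, not part of either poster's replies: once a capture from the switch port has been downloaded, this Python sketch pulls out every IP address that a given MAC has claimed, using the ARP sender field (the MAC-to-IP correlation described above) and the IPv4 source field. It assumes a classic little-endian .pcap file with Ethernet framing (not pcapng); the function names, MAC addresses and IPs are made up for illustration, and the sample capture is constructed inline.

```python
import socket
import struct

def ips_seen_for_mac(pcap: bytes, mac: str) -> set:
    """Return {(evidence, ip)} for frames sent by `mac` in a classic pcap."""
    want = bytes.fromhex(mac.replace(":", ""))
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    found, off = set(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14 or frame[6:12] != want:
            continue  # not sent by the MAC we care about
        etype, payload = struct.unpack_from("!H", frame, 12)[0], frame[14:]
        if etype == 0x8100 and len(payload) >= 4:  # 802.1Q tag: skip the TCI
            etype, payload = struct.unpack_from("!H", payload, 2)[0], payload[4:]
        if etype == 0x0806 and len(payload) >= 28:  # ARP: sender IP, bytes 14-17
            kind, ip = "arp", socket.inet_ntoa(payload[14:18])
        elif etype == 0x0800 and len(payload) >= 20:  # IPv4: source, bytes 12-15
            kind, ip = "ipv4", socket.inet_ntoa(payload[12:16])
        else:
            continue
        if ip != "0.0.0.0":  # ARP probes and DHCP discovers carry no address yet
            found.add((kind, ip))
    return found

def build_sample_pcap() -> bytes:
    """Constructed capture; every MAC and IP below is made up for the example."""
    host, other = bytes.fromhex("020000aabb01"), bytes.fromhex("020000aabb02")
    bcast = b"\xff" * 6
    def arp(sha, spa, tpa):  # body of an ARP request
        return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha
                + socket.inet_aton(spa) + bytes(6) + socket.inet_aton(tpa))
    frames = [
        bcast + host + b"\x08\x06" + arp(host, "0.0.0.0", "192.0.2.50"),  # probe
        bcast + host + b"\x81\x00\x00\x63\x08\x06"
        + arp(host, "192.0.2.50", "192.0.2.50"),  # VLAN-tagged gratuitous ARP
        bcast + other + b"\x08\x06" + arp(other, "192.0.2.7", "192.0.2.1"),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(
        struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(ips_seen_for_mac(build_sample_pcap(), "02:00:00:aa:bb:01"))
```

An empty result means the device sent nothing that names an address during the capture window, which matches the idle-and-quiet case described above.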