It could be better, as it won't parse the packets as good as tpcdump, but it is way better than nothing.
However I couldn't figure out what the order of operation, with regards to ACLs and ZBF.
So I labbed it up, with IOU 15.4, and here are the results:
- For incoming ACL, packets are captured before ACL is evaluated
- For incoming ZBF policy, packets are captured before the policy is checked.
So it looks like the embedded packet capture is placed at the right place, right before incoming ACL/ZBF check. However more testing needed to be done: NAT, outgoing ACL/ZBF, IPS drops, encryption, sanity checks
I wish Cisco would have published an official and full "order of operation". Here is the best I have found so far.