This will be a brief article but a good one. It will save you some walking time to server room. I have the need to capture traffic on the switch or on the router several times every week. That action needed from me to be physically near the switch and to configure SPAN port so that I can connect to the switch with my machine and capture some packets with wireshark. Okay, I could use RSPAN to get captured packets to the closest switch but this altogether is not good enough. It’s too time consuming for short packets captures in troubleshooting sessions.
Recently in my CCIE study I came across the info that Cisco IOS is able to capture packets on the device itself and on more interfaces in once. You can later export that capture to your PC and analyze it with wireshark.
You can do it like this
Set the PCAP buffer size with this command
R5#monitor capture buffer MYBUFFER size 10000 max-size 1550 circular
Say to device what interface you want to capture traffic on and in which direction and add the name to this capture instance to CAPTUREONG1
R5#monitor capture point ip cef CAPTUREONG1 g1/0 both
Then you just tell to your router that he must use your capture instance CAPTUREONG1 and save the captured logs to MYBUFFER buffer.
R5#monitor capture point associate CAPTUREONG1 MYBUFFER
If you want to capture from specific source or destination host you can define an Access-list like this and assign it to the monitor capture buffer.
R5(config)#ip access-list ex MYCAPTURE R5(config-ext-nacl)#permit ip host 192.168.1.1 host 10.1.1.1 R5(config-ext-nacl)#end R5#monitor capture buffer MYBUFFER filter access-list MYCAPTURE
Start the capture process
monitor capture point start CAPTUREONG1
And you can test if the capture is running
R5#show monitor capture point all
When you are done
R5#monitor capture point stop CAPTUREONG1
And then you can simply send that capture file to your PC using TFTP
R5#monitor capture buffer MYBUFFER export tftp://10.2.1.1/capturefile1.cap
Use wireshark to analyze this captures and you are done.