Packet capture in Cisco IOS

This will be a brief article, but a good one: it will save you some walking time to the server room. I need to capture traffic on a switch or a router several times every week. Until now that meant being physically near the switch, configuring a SPAN port, connecting my machine to it and capturing packets with Wireshark. I could use RSPAN to get the mirrored traffic to the nearest switch, but that still isn't good enough; it is too time-consuming for the short captures you need in a troubleshooting session.

Recently, in my CCIE study, I came across the fact that Cisco IOS can capture packets on the device itself, on several interfaces at once. You can later export that capture to your PC and analyze it with Wireshark.

Here is how to do it.

Set the capture buffer size with this command (the buffer is circular, so once it fills the oldest packets are overwritten):

R5#monitor capture buffer MYBUFFER size 10000 max-size 1550 circular

Tell the device which interface you want to capture on and in which direction, and give this capture point a name, here CAPTUREONG1:

R5#monitor capture point ip cef CAPTUREONG1 g1/0 both

Then tell the router to use your capture point CAPTUREONG1 and store the captured packets in the MYBUFFER buffer:

R5#monitor capture point associate CAPTUREONG1 MYBUFFER

If you only want traffic from a specific source or destination host, define an access list like this and assign it to the capture buffer as a filter:

R5(config)#ip access-list ex MYCAPTURE
R5(config-ext-nacl)#permit ip host 192.168.1.1 host 10.1.1.1
R5(config-ext-nacl)#end
R5#monitor capture buffer MYBUFFER filter access-list MYCAPTURE

Start the capture:

R5#monitor capture point start CAPTUREONG1

You can check that the capture is running with:

R5#show monitor capture point all

When you are done, stop it:

R5#monitor capture point stop CAPTUREONG1

Then send the capture file to your PC over TFTP:

R5#monitor capture buffer MYBUFFER export tftp://10.2.1.1/capturefile1.cap

Open the capture in Wireshark to analyze it and you are done.
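Before opening the exported file in Wireshark it is worth checking that the TFTP transfer is intact and that the access-list filter caught what you expected. The script below is an added example, not part of the original post and not Cisco code: a minimal reader for the classic libpcap file format that reports the link type, the packet count and the IPv4 endpoints of every frame, plus a count of packets matching the ACL from the steps above (permit ip host 192.168.1.1 host 10.1.1.1). It assumes the exported .cap is a classic pcap file with an Ethernet link type; the sample capture it parses is constructed inline so it runs offline.

```python
"""Sanity-check a capture file exported from an IOS capture buffer.

Added example (not from the original post, not Cisco's code). Assumes the
export is classic libpcap format with Ethernet framing. The sample capture
below is constructed in-script so the check can be run without a router.
"""
import struct
from typing import Dict, List, Tuple

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def _ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4_frame(src: str, dst: str) -> bytes:
    """Constructed sample frame: Ethernet II + bare IPv4 header (TCP, no payload)."""
    eth = (bytes.fromhex("001122334455")          # constructed destination MAC
           + bytes.fromhex("66778899aabb")        # constructed source MAC
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20,     # version/IHL, DSCP/ECN, total length (header only)
        0, 0,            # identification, flags/fragment offset
        64, 6, 0,        # TTL, protocol (TCP), checksum left zero in sample
        _ip_to_bytes(src), _ip_to_bytes(dst),
    )
    return eth + ip


def build_pcap(frames: List[bytes], endian: str = "<") -> bytes:
    """Constructed sample capture file (classic pcap, Ethernet link type)."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1550, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack(endian + "IIII", 1456700000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes) -> Dict:
    """Parse the global header and every record; collect IPv4 (src, dst) pairs."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])

    endpoints: List[Tuple[str, str]] = []
    offset, count = 24, 0
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d (incomplete export?)" % offset)
        offset += incl_len
        count += 1
        # Ethernet II: ethertype at 12..14, IPv4 src/dst at 26..30 / 30..34
        if linktype == LINKTYPE_ETHERNET and len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            endpoints.append((_bytes_to_ip(frame[26:30]), _bytes_to_ip(frame[30:34])))
    return {"linktype": linktype, "snaplen": snaplen, "packets": count, "ipv4": endpoints}


def count_matching(summary: Dict, src_host: str, dst_host: str) -> int:
    """Packets matching 'permit ip host SRC host DST' (one direction, like the ACL)."""
    return sum(1 for s, d in summary["ipv4"] if s == src_host and d == dst_host)


if __name__ == "__main__":
    sample = build_pcap([
        build_ipv4_frame("192.168.1.1", "10.1.1.1"),
        build_ipv4_frame("10.1.1.1", "192.168.1.1"),
        build_ipv4_frame("192.168.1.1", "10.1.1.1"),
    ])
    info = parse_pcap(sample)
    print(info["packets"], "packets;", count_matching(info, "192.168.1.1", "10.1.1.1"),
          "match the ACL direction")
```

Run it against the real export by replacing the constructed sample with `open("capturefile1.cap", "rb").read()`. Note that the extended ACL in the steps above is directional: permit ip host 192.168.1.1 host 10.1.1.1 matches only packets from 192.168.1.1 to 10.1.1.1, so the reply direction of that conversation is not captured even with the capture point set to both; add a second permit line with the hosts swapped if you want both directions in the buffer.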
