Cisco IOS Embedded Packet Capture – Example / How to

In this video I cover the embedded packet capture capability of Cisco IOS devices. Available on Cisco IOS 12.4(20)T and later, it is a useful addition to your networking toolkit. When you're cussing out a particular service on the LAN that you are sure is malfunctioning, but have none of your cables and sniffers at hand to prove it, a quick packet capture on the router itself lets you isolate where the issue is occurring.

There are three main components to using the IOS Packet Capture once you have a device with the correct IOS Version:

1. A standard or extended ACL identifying traffic
2. A Capture Buffer to hold the data
3. A Capture Point that binds an interface (and a capture direction) to the buffer. The ACL filter is applied to the buffer, so the point only decides where and in which direction packets are picked up.

It may sound complicated, but don’t grab the whiskey bottle yet. A real basic setup looks something like this, and there is a video below covering this whole process.

RTR#config t
RTR(config)#ip access-list extended CAPACL
RTR(config-ext-nacl)#permit ip any any
RTR(config-ext-nacl)#end
RTR#monitor capture buffer BUFFER filter access-list CAPACL circular
RTR#monitor capture point ip cef POINT gi 0/0 both <-- Where we set interface and direction of capture.
RTR#monitor capture point associate POINT BUFFER <-- Point name first, then the buffer name.

At this point we're ready to start/stop and show details. We've set an ACL for what kind of traffic we want to monitor, we've filtered our buffer with that ACL, applied a point to an interface, and associated the point to the buffer.

RTR#monitor capture point start POINT
RTR#monitor capture point stop POINT

and lastly, to ensure we had packets captured...

RTR#show monitor capture buffer BUFFER param  <-- Will show if this buffer is active or inactive, how many packets it has, etc.

At this point you can export the file as a .pcap for Wireshark. Use the following syntax:

RTR#monitor capture buffer BUFFER export tftp://IP/filename.pcap <-- There are many other options instead of TFTP, use the ? context for assistance. Export and enjoy digging in with Wireshark.
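As an added end-to-end example (not from the original post or video), here is the same three-part workflow with the ACL narrowed to one suspect conversation instead of permit ip any any, the buffer sized to keep whole frames rather than the default header-only slice, and a packet-count limit so the capture stops on its own. The hostname, the 192.168.10.0/24 LAN, the DNS server 10.0.0.53, the TFTP server 192.168.10.5 and the interface are constructed placeholders; buffer sizes are illustrative, and lines beginning with ! are comments, not IOS input.

```cisco
! Added example, not from the original post or video. Hostname, addresses and
! interface are constructed placeholders: a LAN at 192.168.10.0/24 whose DNS
! queries to 10.0.0.53 are suspected of going unanswered.

! 1. ACL: match only the traffic under suspicion, in both directions,
!    so the buffer is not flooded with everything on the wire.
RTR#configure terminal
RTR(config)#ip access-list extended CAPACL
RTR(config-ext-nacl)#permit udp 192.168.10.0 0.0.0.255 host 10.0.0.53 eq 53
RTR(config-ext-nacl)#permit udp host 10.0.0.53 eq 53 192.168.10.0 0.0.0.255
RTR(config-ext-nacl)#end

! 2. Buffer: the ACL filter is applied here. max-size is the number of bytes
!    kept per packet (the default keeps only the first 68 bytes, i.e. headers),
!    size is the buffer size in KB. circular overwrites the oldest packets
!    once full; the packet-count limit stops the capture by itself.
RTR#monitor capture buffer BUFFER size 1024 max-size 1518 circular
RTR#monitor capture buffer BUFFER filter access-list CAPACL
RTR#monitor capture buffer BUFFER limit packet-count 500

! 3. Point: interface and direction, then bind the point to the buffer
!    (point name first, then buffer name).
RTR#monitor capture point ip cef POINT GigabitEthernet0/0 both
RTR#monitor capture point associate POINT BUFFER

! Run the capture while reproducing the problem, then stop it.
RTR#monitor capture point start POINT
RTR#monitor capture point stop POINT

! Verify before exporting: buffer state, packet count and filter in use,
! the point's status, then a quick decode of what was caught.
RTR#show monitor capture buffer BUFFER parameters
RTR#show monitor capture point all
RTR#show monitor capture buffer BUFFER dump

! Export for Wireshark (TFTP shown; other targets can be listed with ?),
! then remove the point and the buffer so they do not linger on the router.
RTR#monitor capture buffer BUFFER export tftp://192.168.10.5/dns-capture.pcap
RTR#no monitor capture point ip cef POINT GigabitEthernet0/0 both
RTR#no monitor capture buffer BUFFER
```

Narrowing the ACL is the step that makes the capture useful: with permit ip any any a busy interface fills a circular buffer in seconds and the packets you wanted are overwritten before you stop the point, whereas a tight filter plus a packet-count limit gives a small file that contains only the conversation you are chasing.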

As always, check out the discussion on Reddit to see if anything was missed:
http://www.reddit.com/r/networking/comments/2nuouu/embedded_ios_packet_capture_video/

Additional Resource on more in depth Wireshark packet analysis: http://www.packetbomb.com/
