Cisco IOS Embedded Packet Capture – Example / How to
In this video I cover the embedded packet capture capability built into Cisco IOS devices. Available on Cisco IOS 12.4(20)T and later, it is a useful addition to your networking toolkit. When you are cursing a particular service on the LAN that you are sure is malfunctioning, and you have no easy way to get at the cables and packets yourself, a quick capture on the router lets you isolate where the issue is occurring.
There are three main components to using the IOS Packet Capture once you have a device with the correct IOS Version:
1. A standard or extended ACL identifying traffic
2. A Capture Buffer to hold the data
3. A Capture Point, bound to an interface and a direction, that is associated with the buffer (the ACL filter is applied on the buffer, not on the point).
It may sound complicated, but don’t grab the whiskey bottle yet. A really basic setup looks something like this, and the video below covers the whole process.
RTR#config t
RTR(config)#ip access-list extended CAPACL
RTR(config-ext-nacl)#permit ip any any
RTR(config-ext-nacl)#end
RTR#monitor capture buffer BUFFER filter access-list CAPACL circular
RTR#monitor capture point ip cef POINT gi 0/0 both    <-- Where we set the interface and direction of the capture.
RTR#monitor capture point associate POINT BUFFER    <-- Capture point name first, then the buffer it feeds.
At this point we're ready to start and stop the capture and show its details. We've set an ACL for the kind of traffic we want to monitor, filtered the buffer against it, applied a point to an interface, and associated the buffer with the point.
RTR#monitor capture point start POINT
RTR#monitor capture point stop POINT
And lastly, to confirm that packets were actually captured:
RTR#show monitor capture buffer BUFFER parameters    <-- Shows whether this buffer is active or inactive, how many packets it holds, etc.
At this point you can export the buffer as a .cap/.pcap file for Wireshark. Use the following syntax:
RTR#monitor capture buffer BUFFER export tftp://IP/filename.pcap    <-- There are many other transports besides TFTP; use ? for context-sensitive help. Export and enjoy digging in with Wireshark.
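Before opening the export in Wireshark, it is worth a quick sanity check that the file actually contains the traffic the ACL was meant to match. The following is an added example (not from the original post or from Cisco) that reads the exported libpcap file and tallies IPv4 flows; it assumes the export uses the classic libpcap format with Ethernet framing, and the embedded sample capture is constructed, not a real router export.

```python
"""Added example (not from the original post): reads the libpcap file written by
'monitor capture buffer ... export' and tallies IPv4 flows, so you can confirm the
export holds the traffic your ACL was meant to match before opening Wireshark."""
import struct
from collections import Counter
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = b"\x08\x00"

def read_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) for each record in a libpcap byte string."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"                       # little-endian file
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"                       # big-endian file
    else:
        raise ValueError("not a libpcap (.pcap/.cap) file")
    # global header after the magic: version, thiszone, sigfigs, snaplen, link type
    *_, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:                      # DLT_EN10MB: Ethernet frames (assumed)
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):           # each record header is 16 bytes
        sec, usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len

def ipv4_flow_counts(data: bytes) -> Counter:
    """Count IPv4 frames by (src, dst, protocol number) across the capture."""
    flows = Counter()
    for _ts, frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue                       # ARP, IPv6, truncated frame, etc.
        ip = frame[14:]
        src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
        flows[(str(src), str(dst), ip[9])] += 1
    return flows

# --- constructed sample capture (not a real router export) ------------------
def _frame(src: str, dst: str, proto: int) -> bytes:
    eth = bytes(range(12)) + ETHERTYPE_IPV4               # dummy MACs + EtherType
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 26, 1, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + b"\x00" * 6
def _pcap(frames) -> bytes:
    hdr = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack(">IIII", 1700000000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))
SAMPLE_PCAP = _pcap([_frame("10.0.0.5", "10.0.0.1", 6), _frame("10.0.0.5", "10.0.0.1", 6),
                     _frame("10.0.0.1", "10.0.0.5", 17)])
```

Run `ipv4_flow_counts(open("filename.pcap", "rb").read())` on a real export; if the hosts you expected from the ACL are missing, the capture point is on the wrong interface or direction.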
As always, check out the discussion on Reddit to see if anything was missed:
Additional Resource on more in depth Wireshark packet analysis: http://www.packetbomb.com/