Have you ever wanted to capture packets on a specific interface of a Cisco router? Maybe you have set up SPAN ports to copy traffic over to your favorite packet analysis tool, such as Wireshark. Did you know that in Cisco IOS you can capture packets on one or more interfaces at the same time, directly on the router, and then export that data to a tool for analysis? Here's how to do it with the Embedded Packet Capture (EPC) feature.
1. Set the PCAP buffer size
R1#monitor capture buffer pcap-buffer1 size 10000 max-size 1550
The size is the buffer size in kilobytes; max-size is how many bytes of each packet are kept, and 1550 is enough to hold a full 1514-byte Ethernet frame. The buffer is linear by default, so the capture stops on its own once it fills; add the circular keyword if you would rather keep the most recent packets and let the oldest be overwritten.
2. Define where you want to perform the capture
R1#monitor capture point ip cef pcap-point1 g1/0 both
This capture point sees IPv4 packets that are CEF switched on GigabitEthernet1/0 in both directions. Traffic the router itself originates is process switched rather than CEF switched, so a CEF capture point does not see it; to capture that as well, define a second capture point with monitor capture point ip process-switched and the from-us or both keyword.
3. Associate the capture point with the capture buffer
R1#monitor capture point associate pcap-point1 pcap-buffer1
4. Start the capture and verify that it is running
R1#monitor capture point start pcap-point1
R1#show monitor capture point all
Status Information for Capture Point pcap-point1
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: pcap-buffer1
Status : Active
monitor capture point ip cef pcap-point1 GigabitEthernet1/0 both
Associating the capture point with the buffer does not start anything; until you issue the start command the status shows Inactive and nothing is written to the buffer.
5. Throw some packets across the interface
R3#ping 184.108.40.206
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/52/56 ms
R3#telnet 10.0.1.1
Trying 10.0.1.1 ... Open
Password required, but none set
[Connection to 10.0.1.1 closed by foreign host]
R3#
6. Stop the capture
R1#monitor capture point stop pcap-point1
7. Verify that you have reachability to the TFTP server
R1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/29/84 ms
The single lost echo at the start is the usual ARP resolution delay on the first packet, not a reachability problem.
8. Export the capture via TFTP
R1#monitor capture buffer pcap-buffer1 export tftp://192.168.1.2/sample1.cap
!
R1#
TFTP is unauthenticated and unencrypted, and the capture may itself contain cleartext credentials (the telnet session above is exactly the kind of traffic that becomes readable), so run the TFTP server on a trusted management network and remove the file from it once you have pulled it into your analysis tool.
9. Open the capture in Wireshark
10. Analyze away!
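As an added example that is not part of the original post, here is a small, standard-library-only Python script for the analysis step: it reads a classic pcap such as the sample1.cap exported above, decodes the Ethernet, IPv4, ICMP, TCP and UDP headers, counts packets per protocol, and flags traffic to cleartext management ports such as telnet and TFTP. It assumes the export is a classic pcap (not pcapng) with Ethernet link type 1, which is what Wireshark opens for the capture in the post; anything else is rejected rather than misparsed. The embedded capture bytes are constructed to mirror the ping and telnet attempt in the post and are not real traffic from it; the address 10.0.1.3, the MAC addresses and the timestamps are assumptions.

```python
"""Reader for a classic pcap exported by IOS Embedded Packet Capture.
Decodes Ethernet/IPv4 plus ICMP, TCP and UDP headers and flags traffic
to cleartext management ports. Standard library only (added example)."""
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst proto sport dport info")

# Services whose sessions are readable on the wire; an EPC capture on a
# router interface is exactly where such sessions become visible.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http"}


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; over a valid header it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_pcap(data):
    """Yield Packet records from classic pcap bytes (link type 1, Ethernet)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"          # little-endian file
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"          # big-endian file
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("expected Ethernet link type 1, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        off += incl
        if len(frame) < incl:
            raise ValueError("truncated packet record at offset %d" % off)
        pkt = decode_frame(ts_sec + ts_usec / 1e6, frame)
        if pkt:
            yield pkt


def decode_frame(ts, frame):
    """Decode one Ethernet frame; returns None for anything but IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    sport = dport = None
    info = ""
    if proto == 1 and len(l4) >= 8:          # ICMP: type byte first
        info = {8: "echo request", 0: "echo reply"}.get(l4[0], "type %d" % l4[0])
    elif proto == 6 and len(l4) >= 14:       # TCP: ports, flags byte at offset 13
        sport, dport = struct.unpack("!HH", l4[:4])
        info = "SYN" if l4[13] & 0x02 else "flags=0x%02x" % l4[13]
    elif proto == 17 and len(l4) >= 8:       # UDP: ports only
        sport, dport = struct.unpack("!HH", l4[:4])
    return Packet(ts, src, dst, proto, sport, dport, info)


def find_cleartext_mgmt(packets):
    """Return (packet, service) pairs for traffic to a cleartext management port."""
    return [(p, CLEARTEXT_PORTS[p.dport]) for p in packets
            if p.proto in (6, 17) and p.dport in CLEARTEXT_PORTS]


def summarize(data):
    """Parse a capture and return (packets, per-protocol counts, cleartext hits)."""
    packets = list(parse_pcap(data))
    counts = {}
    for p in packets:
        counts[p.proto] = counts.get(p.proto, 0) + 1
    return packets, counts, find_cleartext_mgmt(packets)


# Constructed sample capture (assumed addresses/MACs, not real traffic from the post).
def _frame(src, dst, proto, payload):
    """Ethernet + IPv4 header with a valid checksum around the given payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return eth + hdr + payload


def _icmp_echo(kind):                         # 8 = request, 0 = reply
    return struct.pack("!BBHHH", kind, 0, 0, 1, 1) + b"A" * 56


def _tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)


def _pcap(frames):
    """Classic little-endian pcap, snaplen 1550, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1550, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


# An echo exchange and a telnet SYN from 10.0.1.3 to 10.0.1.1, plus an SSH SYN for contrast.
SAMPLE_PCAP = _pcap([
    _frame("10.0.1.3", "10.0.1.1", 1, _icmp_echo(8)),
    _frame("10.0.1.1", "10.0.1.3", 1, _icmp_echo(0)),
    _frame("10.0.1.3", "10.0.1.1", 6, _tcp_syn(40000, 23)),
    _frame("10.0.1.3", "10.0.1.1", 6, _tcp_syn(40001, 22)),
])

if __name__ == "__main__":
    # For a real export: data = open("sample1.cap", "rb").read()
    packets, counts, hits = summarize(SAMPLE_PCAP)
    for p in packets:
        print("%s -> %s proto=%d %s" % (p.src, p.dst, p.proto, p.info))
    for p, svc in hits:
        print("cleartext %s to %s:%d" % (svc, p.dst, p.dport))
```

On a real export, replace SAMPLE_PCAP with the contents of sample1.cap; the cleartext check is deliberately port-based because at this point you want a quick triage of what crossed the link, and Wireshark remains the tool for following the individual sessions it points you at.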
As you can see, it is very easy to configure the packet capture feature in IOS 15. There is no smoke and mirrors behind it, but knowing that you can do this could prove helpful in certain situations, such as confirming what a router actually sends and receives on a link without touching a switch's SPAN configuration. When you are done, stop the capture and remove the capture point and buffer so they do not keep consuming router memory.