Thursday, November 1, 2012

Packet capture on Cisco router remotely

In IOS 12.4(20)T Cisco introduced a new feature called Embedded Packet Capture.

This feature allows us to capture packets, save them into a buffer on the router, and upload the resulting pcap file to an FTP or TFTP server, all from the router itself.
1. (Optional) Create an access-list to filter for the traffic of interest. The extended ACL needs both a source and a destination, so the catch-all entry is:

ip access-list extended ACL_PCAP_TRAFFIC
 permit ip any any

2. Create the capture buffer and attach the access-list to it as a filter:

RTR#monitor capture buffer CAPTURE_BUFFER filter access-list ACL_PCAP_TRAFFIC

NOTE that the monitor capture commands are entered from user EXEC mode and not from privileged mode.

3. Set the capture buffer's maximum element size; in my example 128 keeps only the first 128 bytes of each packet:

RTR#monitor capture buffer CAPTURE_BUFFER max-size 128

4. Set the capture buffer's maximum size in kilobytes; in my example 2048 allows a buffer of up to 2 MB:

RTR#monitor capture buffer CAPTURE_BUFFER size 2048

5. Set the buffer limits: capture duration, number of packets, or packets per second:

RTR#monitor capture buffer CAPTURE_BUFFER limit [duration | packet-count | packets-per-sec]

6. Set the buffer behaviour, linear or circular:

RTR#monitor capture buffer CAPTURE_BUFFER [linear | circular]

7. Define a capture point on an interface:

RTR#monitor capture point ip cef CAPTURE_POINT [INTERFACE] [in|out|both]

8. Associate the capture point with the capture buffer:

RTR#monitor capture point associate CAPTURE_POINT CAPTURE_BUFFER

9. Start capturing traffic (the start and stop commands take the capture point name, or all):

RTR#monitor capture point start CAPTURE_POINT

10. Stop capturing traffic:

RTR#monitor capture point stop CAPTURE_POINT

11. Export the capture buffer to a remote host:

RTR#monitor capture buffer CAPTURE_BUFFER export ftp://<user>:<password>@<ftp-server>/ftp-folder/capture.cap

Note that the export syntax above logs in to the FTP server given after the @ (shown here as a placeholder), writes into the folder ftp-folder, and names the file capture.cap.
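Once capture.cap has been pulled from the FTP server, it is worth checking that the export is a well-formed libpcap file and that it matches the buffer settings from the steps above (max-size 128 bytes per packet, size 2048 KB). The following Python script is an added example, not code from the original post or from Cisco IOS; the sample file it builds is constructed inline to stand in for the exported capture.cap.

```python
import struct

# libpcap magic as read little-endian; a big-endian file reads as 0xD4C3B2A1
PCAP_MAGIC = 0xA1B2C3D4


def build_sample_pcap(snaplen=128):
    """Constructed stand-in for capture.cap: three records, the third truncated
    to 128 bytes the way "max-size 128" truncates a 1500-byte packet."""
    # Global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 (Ethernet)
    data = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for ts, incl_len, orig_len in ((1, 60, 60), (2, 128, 128), (3, 128, 1500)):
        data += struct.pack("<IIII", ts, 0, incl_len, orig_len) + b"\x00" * incl_len
    return data


def inspect_pcap(data, max_size=128, buffer_kb=2048):
    """Walk a libpcap file and compare it with the router's buffer settings.

    Raises ValueError on a malformed file; otherwise returns counts and checks.
    """
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    packets = truncated = oversized = 0
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            raise ValueError("record %d is cut off at offset %d" % (packets, offset))
        if incl_len > max_size:
            oversized += 1          # more bytes than max-size should allow
        if incl_len < orig_len:
            truncated += 1          # packet was clipped by max-size
        packets += 1
        offset += 16 + incl_len
    return {
        "snaplen": snaplen,
        "packets": packets,
        "truncated": truncated,
        "oversized": oversized,
        "within_buffer_size": len(data) <= buffer_kb * 1024,
    }
```

Run it against the real export with `inspect_pcap(open("capture.cap", "rb").read())`; a non-zero oversized count or a false within_buffer_size means the file does not match the buffer you configured.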

To view the capture buffer parameters:
RTR#show monitor capture buffer all parameters
Capture buffer CAPTURE_BUFFER (linear buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : CAPTURE_POINT, Status : Inactive
monitor capture buffer CAPTURE_BUFFER linear
monitor capture point associate CAPTURE_POINT CAPTURE_BUFFER

And the capture point configuration:

RTR#show monitor capture point all
Status Information for Capture Point CAPTURE_POINT
Switch Path: IPv4 CEF            , Capture Buffer: CAPTURE_BUFFER     
Status : Inactive
     monitor capture point ip cef CAPTURE_POINT all both

The embedded packet capture is a great tool for remote troubleshooting and diagnostics.