How to Capture Packets on your Cisco Router with Embedded Packet Capture
firewall.cx - Configuration, 10/17/2015
Source: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/1089-cisco-router-embedded-packet-capture-configuratio
Capture IPv4 and IPv6 packets in the Cisco Express Forwarding path
Ability to specify various capture buffer parameters
Export packet captures in PCAP format, enabling analysis with external tools such as Colasoft Capsa or Wireshark
Display content of the capture buffer
Granularity of captured packets via Standard or Extended Access Control Lists (ACLs)
Capture Buffer
Capture buffer is an area in memory for holding packet data. There are two types of Capture Buffers: Linear and Circular.
Linear Capture Buffer: When the capture buffer is full, it stops capturing data.
Circular Capture Buffer: When the capture buffer is full, it continues capturing data by overwriting older data.
Capture Point
Capture point is a traffic transit point where a packet is captured. Capture points need to define the following:
IPv4 or IPv6
Switching path: CEF (Cisco Express Forwarding) or Process-Switched
Interface, e.g. FastEthernet0, Dialer0, etc.
Direction of traffic on the interface: in (ingress), out (egress) or both
list selected-traffic
Filter Association succeeded
Note: Our access list includes traffic originating from both hosts because we want to capture bidirectional traffic. If we included only one ACL statement, then only one-way traffic would be captured.
Our filter is now in place and we are ready for the next step.
*May 25 14:57:02.091: %BUFCAP-6-ENABLE: Capture Point CPoint-FE0 enabled.
At this point, the router is capturing all traffic between our two hosts.
To stop the capturing process, use the monitor capture point stop command:
R1# monitor capture point stop CPoint-FE0
*May 25 15:00:51.419: %BUFCAP-6-DISABLE: Capture Point CPoint-FE0 disabled.
2. To view Capture Point details, use the show monitor capture point all command:
R1# show monitor capture point all
Status Information for Capture Point CPoint-FE0
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: firewallcx_cap
Status : Active

Configuration:
monitor capture point ip cef CPoint-FE0 FastEthernet0 both
3. To see all information about the captured packets, use the 'show monitor capture buffer' command:
R1# show monitor capture buffer firewallcx_cap
15:04:50.835 UTC May 25 2015 : IPv4 LES CEF : Fa0 None
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF : Fa1 Fa0
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF : Fa0 None
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF : Fa0 None
15:04:51.195 UTC May 25 2015 : IPv4 LES CEF : Fa1 Fa0
15:04:51.443 UTC May 25 2015 : IPv4 LES CEF : Fa1 Fa0
15:04:51.443 UTC May 25 2015 : IPv4 LES CEF : Fa1 Fa0
15:04:51.443 UTC May 25 2015 : IPv4 LES CEF : Fa1 Fa0
4. To examine the buffer's contents, use the 'show monitor capture buffer dump' command:
R1# show monitor capture buffer firewallcx_cap dump
15:04:50.835 UTC May 25 2015 : IPv4 LES CEF : Fa0 None
86621680: 5475D061 2856F4CE 469A161C TuPa(VtNF...
86621690: 08004500 00347440 40007F06 57B7C0A8 ..E..4t@@...W7@(
866216A0: 0302D056 9BCBC6BC 00506100 C18E0000 ..PV.KF<.Pa.A...
866216B0: 00008002 20003676 00000204 04EC0103 .... .6v.....l..
866216C0: 03020101 040200
.......
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF : Fa1 Fa0
86621680: F4CE469A 161C5475 D0612856 tNF...TuPa(V
86621690: 08004500 00340000 40003406 16F8D056 ..E..4..w.4..xPV
866216A0: 9BCBC0A8 03020050 C6BC8F58 11D26100 .K@(...PF<.X.Ra.
866216B0: C18F8012 39087B6D 00000204 05AC0101 A...9.{m.....,..
866216C0: 04020103 030700
.......
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF : Fa0 None
86621680: 5475D061 2856F4CE 469A161C TuPa(VtNF...
86621690: 08004500 00287443 40007F06 57C0C0A8 ..E..(tC@...W@@(
866216A0: 0302D056 9BCBC6BC 00506100 C18F8F58 ..PV.KF<.Pa.A..X
866216B0: 11D35010 4137B408 00000000 00000000 .SP.A74.........
866216C0: 04
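The dump above can be turned back into a PCAP file when a TFTP export is not possible, for instance when only the saved terminal session survives. The following Python script is an added example and not code from the firewall.cx article: it parses the dump format shown above, decodes the Ethernet/IPv4/TCP headers so each frame can be checked before import, and writes a classic PCAP file that Wireshark or Capsa can open. The sample text is constructed from the first two frames printed above (the SYN from 192.168.3.2 and the SYN-ACK returned to it). Two assumptions are made about the format: each frame carries one trailing byte beyond its IPv4 total length, which the script trims, and a row's hex words are read until the ASCII column or 16 bytes are reached. The output file name is a placeholder.

```python
"""Convert 'show monitor capture buffer <name> dump' text into a PCAP file.

Added example, not from the firewall.cx article or from Cisco.
"""
import re
import struct
from datetime import datetime, timezone

# Constructed sample input: the first two frames from the dump shown above.
SAMPLE_DUMP = """\
15:04:50.835 UTC May 25 2015 : IPv4 LES CEF : Fa0 None
86621680: 5475D061 2856F4CE 469A161C TuPa(VtNF...
86621690: 08004500 00347440 40007F06 57B7C0A8 ..E..4t@@...W7@(
866216A0: 0302D056 9BCBC6BC 00506100 C18E0000 ..PV.KF<.Pa.A...
866216B0: 00008002 20003676 00000204 04EC0103 .... .6v.....l..
866216C0: 03020101 040200
.......
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF : Fa1 Fa0
86621680: F4CE469A 161C5475 D0612856 tNF...TuPa(V
86621690: 08004500 00340000 40003406 16F8D056 ..E..4..w.4..xPV
866216A0: 9BCBC0A8 03020050 C6BC8F58 11D26100 .K@(...PF<.X.Ra.
866216B0: C18F8012 39087B6D 00000204 05AC0101 A...9.{m.....,..
866216C0: 04020103 030700
.......
"""

HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+ UTC \w{3} \d+ \d{4}) : (.+)$")
ROW_RE = re.compile(r"^[0-9A-Fa-f]{8}: (.*)$")
HEX_WORD = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def parse_dump(text):
    """Return a list of (timestamp, raw_bytes) tuples, one per captured frame."""
    frames, ts, buf = [], None, bytearray()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a timestamp line starts a new frame
            if ts is not None:
                frames.append((ts, bytes(buf)))
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f UTC %b %d %Y")
            ts = ts.replace(tzinfo=timezone.utc)
            buf = bytearray()
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # '.......' separators, prompts, blank lines
        # A row holds at most 16 bytes as 8-hex-digit words, then the ASCII
        # column. Read tokens until one is not hex or 16 bytes are consumed
        # (assumption: a short final row never has a hex-looking ASCII column).
        n = 0
        for tok in m.group(1).split():
            if n >= 16 or len(tok) > 8 or not HEX_WORD.match(tok):
                break
            buf += bytes.fromhex(tok)
            n += len(tok) // 2
    if ts is not None:
        frames.append((ts, bytes(buf)))
    return frames


def trim_frame(frame):
    """Drop bytes past the IPv4 total length (the dump prints one extra byte per
    frame, assumed to be a trailer); non-IPv4 frames are returned unchanged."""
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
        total = struct.unpack("!H", frame[16:18])[0]
        return frame[:14 + total]
    return frame


def summarize(frame):
    """Decode Ethernet/IPv4/TCP headers: (src, dst, proto, sport, dport, tcp_flags)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    if proto == 6 and len(frame) >= l4 + 14:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        return (src, dst, "TCP", sport, dport, frame[l4 + 13])
    return (src, dst, str(proto), None, None, None)


def build_pcap(frames, snaplen=65535):
    """Serialize frames as a classic little-endian PCAP, LINKTYPE_ETHERNET (1)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for ts, frame in frames:
        frame = trim_frame(frame)
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond,
                           len(frame), len(frame))
        out += frame
    return bytes(out)


if __name__ == "__main__":
    frames = parse_dump(SAMPLE_DUMP)
    for ts, frame in frames:
        print(ts.time(), summarize(trim_frame(frame)))
    with open("capture-from-dump.pcap", "wb") as f:  # placeholder file name
        f.write(build_pcap(frames))
```

Run against a saved session instead of the embedded sample by reading the file into parse_dump; the printed summaries should show the SYN (flags 0x02) from 192.168.3.2:50876 to 208.86.155.203:80 and the SYN-ACK (flags 0x12) back, matching the ACL-filtered conversation the capture point was set up for.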
exporting the data, and also have our tftp server ready to accept the captured data:
R1# monitor capture point stop CPoint-FE0
R1#
*May 25 15:35:31.975: %BUFCAP-6-DISABLE: Capture Point CPoint-FE0 disabled.
R1#
R1# monitor capture buffer firewallcx_cap export tftp://192.168.5.53/capture.pcap
!!!!!!!
R1#
At this point, the capture.pcap file should be located on our workstation.
We are now ready to import the data into our network analyzer Capsa for further analysis:
Figure 3. Importing packets into Colasoft Network Analyzer
Once the import process is complete, our captured packets are displayed and we can analyse them in a more user-friendly environment:
Figure 4. Packets displayed inside Colasoft Capsa network analyzer
This article introduced the Cisco Embedded Packet Capture feature offered on all Cisco router IOS platforms from version 12.4.20T and above. We explained the terms used by the Embedded Packet Capture feature (Capture Buffer, Capture Point), showed how to configure Embedded Packet Capture in 5 simple steps, and showed how to export captured data from the Cisco router so that it can be imported into a network analyzer.