Apr 3
One useful tool that I first saw a TAC engineer use more than a year ago, and rediscovered at the INE CCIE bootcamp, is the Embedded Packet Capture (EPC) feature that IOS provides. It can be very useful while studying for the CCIE.
This feature lets you capture packets flowing through a router directly, without changing the configuration of any switch or doing any cabling. Basically it gives you something similar to a `monitor session` (SPAN) on a switch, with the difference that the router keeps the captured packets in a memory buffer instead of mirroring them out of a port to a sniffer.
The capture can be opened in capture software such as Wireshark (it is exported in PCAP format) for later analysis. This lets you sniff traffic even when the devices are not physically close to you, or when working with remote racks like INE's. INE is going to provide in the near future access to a virtual machine on each rack for working with packet captures; that way you will be able to send your capture to the virtual machine and open it with Wireshark, everything from the comfort of your home.
Configuration
The configuration is simple if you remember these three points:
- Create a buffer in memory to hold the captured packets (capture buffer)
- Define the rules that select the packets you want (capture point): the switching path, the interface and the direction. If you want to narrow the capture down with an ACL, that filter is attached to the buffer with `monitor capture buffer NAME filter access-list ACL`.
- Associate the storage (capture buffer) with the matching rules (capture point)
So, let's say that we want 512 KB of packet capture from the interface Serial 0/0/0.503.
Here we define a 512 KB capture buffer (the size argument is in kilobytes):
# monitor capture buffer BLOG-CAPTURE size 512
And verify with:
#show monitor capture buffer BLOG-CAPTURE parameters
Capture buffer BLOG-CAPTURE (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 68 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer BLOG-CAPTURE size 512
Note the Max Element Size of 68 bytes: by default only the first 68 bytes of each packet are stored, which is enough for headers but truncates payloads. If you need whole packets, add `max-size <bytes>` to the buffer command, and if you want the buffer to keep the newest packets once it fills up, make it `circular` instead of the default linear buffer.
Then the rules for the packets you want to capture. In my case I want all incoming packets on the Serial0/0/0.503 interface:
#monitor capture point ip cef INCOMING-S0/0/0 Serial0/0/0.503 in
Apr 2 04:23:59.539: %BUFCAP-6-CREATE: Capture Point INCOMING-S0/0/0 created.
You can check your configuration with:
#show monitor capture point INCOMING-S0/0/0
Status Information for Capture Point INCOMING-S0/0/0
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: None
Status : Inactive

Configuration:
monitor capture point ip cef INCOMING-S0/0/0 Serial0/0/0.503 in
I used `ip cef` because I want the CEF-switched traffic actually going through the interface, not the process-switched traffic. Keep in mind that a CEF capture point only sees packets on the CEF switching path; packets that are process-switched need a capture point created with `monitor capture point ip process-switched` instead.
Now you need to bind these two definitions together:
#monitor capture point associate INCOMING-S0/0/0 BLOG-CAPTURE
Now everything is configured for you to start using it. As soon as you are ready to capture packets, run:
#monitor capture point start INCOMING-S0/0/0
Rack29R5#
Apr 2 04:29:17.579: %BUFCAP-6-ENABLE: Capture Point INCOMING-S0/0/0 enabled.
And verify that everything is working:
#show monitor capture point all
Status Information for Capture Point INCOMING-S0/0/0
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: BLOG-CAPTURE
Status : Active

Configuration:
monitor capture point ip cef INCOMING-S0/0/0 Serial0/0/0.503 in

#show monitor capture buffer all parameters
Capture buffer BLOG-CAPTURE (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 68 bytes, Packets : 10
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : INCOMING-S0/0/0, Status : Active
Configuration:
monitor capture buffer BLOG-CAPTURE size 512
monitor capture point associate INCOMING-S0/0/0 BLOG-CAPTURE
When you are done, stop it with the following command:
#monitor capture point stop INCOMING-S0/0/0
Apr 2 04:31:41.463: %BUFCAP-6-DISABLE: Capture Point INCOMING-S0/0/0 disabled.
To see on the console what has been captured:
#show monitor capture buffer BLOG-CAPTURE dump
04:30:13.667 UTC Apr 2 2012 : IPv4 LES CEF    : Se0/0/0.503 None

676E1590:                   7C710800 45000064          |q..E..d
676E15A0: 004D0000 FC01580B AD1D0C01 AD1D0005  .M..|.X.-...-...
676E15B0: 0800D28C 000E0000 00000000 0035AB7A  ..R..........5+z
676E15C0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
676E15D0: ABCDABCD ABCDABCD ABCDABCD 00        +M+M+M+M+M+M.

04:30:15.671 UTC Apr 2 2012 : IPv4 LES CEF    : Se0/0/0.503 None

676E1590:                   7C710800 45000064          |q..E..d
676E15A0: 004E0000 FC01580A AD1D0C01 AD1D0005  .N..|.X.-...-...
676E15B0: 0800CAB8 000E0001 00000000 0035B34D  ..J8.........53M
676E15C0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
676E15D0: ABCDABCD ABCDABCD ABCDABCD 00        +M+M+M+M+M+M.
[…]
You can already read these by eye: the first two bytes, 7C71, are a Frame Relay address that decodes to DLCI 503 (matching the subinterface number), 0800 is the IPv4 Ethertype, and what follows is a 100-byte (0x0064) ICMP echo request from 173.29.12.1 (AD1D0C01) to 173.29.0.5 (AD1D0005) with sequence numbers 0 and 1. Also notice that although the IP total length says 100 bytes, only about 68 bytes of each packet were stored: that is the default element size truncating the payload.
If you want to analyze the capture on another device (most likely), you can export it using any of the usual transfer methods: TFTP, FTP, HTTP, SCP, etc. The URL should end with the file name you want on the server. For example, to send it to a TFTP server:
# monitor capture buffer BLOG-CAPTURE export tftp://10.0.0.1/captures/
The exported file is a PCAP that Wireshark opens directly. Keep in mind that the buffer contains whatever crossed the interface, including credentials from clear-text protocols, so prefer SCP over TFTP/FTP/HTTP when the export leaves a lab rack, and empty the buffer with `monitor capture buffer BLOG-CAPTURE clear` (or remove it with `no monitor capture buffer BLOG-CAPTURE`) when you are finished so the data does not linger in router memory.
That's all, a very useful feature.
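Sometimes the rack has no reachable TFTP or SCP server and all you have is the console dump above. The following script is an added example (it is not from the original post or from Cisco): it parses the text of `show monitor capture buffer NAME dump`, reassembles each packet, decodes the Frame Relay address, IP header and ICMP fields so you can check the result, and writes a classic PCAP file for Wireshark. The two embedded records are the ones from this page's dump with the column spacing reconstructed; the assumptions are that IOS prints the bytes in wire order, that the timestamps are UTC, that the link uses Cisco Frame Relay encapsulation (2-byte Q.922 address followed by an Ethertype, which Wireshark's Frame Relay dissector understands), and the output file name `blog-capture.pcap` is just a choice.

```python
"""Turn `show monitor capture buffer NAME dump` console output into a PCAP file.
Added example, not from the page or Cisco. Assumes the bytes are printed in wire
order, timestamps are UTC (as here) and the link is Frame Relay, Cisco encapsulation."""
import re
import struct
from datetime import datetime, timezone

# The two records from this page's dump; column spacing reconstructed, bytes as printed.
SAMPLE_DUMP = """\
04:30:13.667 UTC Apr 2 2012 : IPv4 LES CEF    : Se0/0/0.503 None

676E1590:                   7C710800 45000064          |q..E..d
676E15A0: 004D0000 FC01580B AD1D0C01 AD1D0005  .M..|.X.-...-...
676E15B0: 0800D28C 000E0000 00000000 0035AB7A  ..R..........5+z
676E15C0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
676E15D0: ABCDABCD ABCDABCD ABCDABCD 00        +M+M+M+M+M+M.

04:30:15.671 UTC Apr 2 2012 : IPv4 LES CEF    : Se0/0/0.503 None

676E1590:                   7C710800 45000064          |q..E..d
676E15A0: 004E0000 FC01580A AD1D0C01 AD1D0005  .N..|.X.-...-...
676E15B0: 0800CAB8 000E0001 00000000 0035B34D  ..J8.........53M
676E15C0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
676E15D0: ABCDABCD ABCDABCD ABCDABCD 00        +M+M+M+M+M+M.
"""

LINKTYPE_FRELAY = 107  # pcap link type for Frame Relay (Q.922 address comes first)
L2_LEN = 4             # Q.922 address (2 bytes) + Ethertype (2 bytes), Cisco encapsulation
HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) (\w{3} \d{1,2} \d{4}) :")
HEX_LINE_RE = re.compile(r"^[0-9A-Fa-f]{8}:\s*(.*)$")
HEX_WORD_RE = re.compile(r"^(?:[0-9A-F]{2}){1,4}$")  # one dump word is 1 to 4 bytes

def hex_words_to_bytes(rest):
    """Decode one dump line's hex words; stop at the ASCII column or at 16 bytes (line max)."""
    out = bytearray()
    for tok in rest.split():
        if len(out) >= 16 or not HEX_WORD_RE.match(tok):
            break
        out += bytes.fromhex(tok)
    return bytes(out)

def parse_dump(text):
    """Return [(epoch_seconds, microseconds, frame_bytes), ...] for each record in the dump."""
    records, current = [], None
    for line in text.splitlines():
        head, hexline = HEADER_RE.match(line), HEX_LINE_RE.match(line)
        if head:
            hms, _zone, date = head.groups()  # _zone assumed to be UTC
            dt = datetime.strptime(f"{date} {hms}", "%b %d %Y %H:%M:%S.%f")
            dt = dt.replace(tzinfo=timezone.utc)
            current = [int(dt.timestamp()), dt.microsecond, bytearray()]
            records.append(current)
        elif hexline and current is not None:
            current[2] += hex_words_to_bytes(hexline.group(1))
    return [(sec, usec, bytes(frame)) for sec, usec, frame in records]

def ip_checksum(header):
    """RFC 1071 one's-complement sum; 0 means the checksum stored in the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(frame):
    """Extract the fields you would otherwise read off the hex by eye."""
    dlci = ((frame[0] & 0xFC) << 2) | (frame[1] >> 4)
    ethertype = struct.unpack_from("!H", frame, 2)[0]
    info = {"dlci": dlci, "ethertype": ethertype, "captured": len(frame)}
    ihl = (frame[L2_LEN] & 0x0F) * 4 if len(frame) > L2_LEN else 0
    if ethertype != 0x0800 or ihl < 20 or len(frame) < L2_LEN + 20 or frame[L2_LEN] >> 4 != 4:
        return info
    ip = frame[L2_LEN:L2_LEN + ihl]
    total_len = struct.unpack_from("!H", ip, 2)[0]
    info.update(ip_total_length=total_len, protocol=ip[9],
                src=".".join(map(str, ip[12:16])), dst=".".join(map(str, ip[16:20])),
                header_checksum_ok=ip_checksum(ip) == 0,
                truncated=len(frame) - L2_LEN < total_len)  # 68-byte elements cut 100-byte pings
    icmp = frame[L2_LEN + ihl:L2_LEN + ihl + 8]
    if ip[9] == 1 and len(icmp) == 8:  # ICMP: type, identifier and sequence number
        info.update(icmp_type=icmp[0], icmp_id=int.from_bytes(icmp[4:6], "big"),
                    icmp_seq=int.from_bytes(icmp[6:8], "big"))
    return info

def build_pcap(records):
    """Serialize records as a classic little-endian pcap file (magic 0xA1B2C3D4)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_FRELAY))
    for sec, usec, frame in records:
        # incl_len is what the buffer kept; orig_len is the on-wire length recovered from
        # the IP total length, so Wireshark marks the packet as cut short during capture.
        wire_len = max(len(frame), L2_LEN + decode(frame).get("ip_total_length", 0))
        out += struct.pack("<IIII", sec, usec, len(frame), wire_len) + frame
    return bytes(out)

if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for _sec, _usec, frame in recs:
        print(decode(frame))
    with open("blog-capture.pcap", "wb") as fh:
        fh.write(build_pcap(recs))
```

Paste a real dump into `SAMPLE_DUMP` (or read it from a file) and run the script; the verified IP header checksum tells you the hex was reassembled correctly, and the pcap record headers carry the original 104-byte frame length next to the 69 bytes actually kept, so Wireshark shows the truncation caused by the 68-byte element size rather than silently presenting short packets.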
Thank you for reading our CCIE Blog

The Cisco IOS Packet Capture (EPC Embedded Packet Capture) by CCIE Blog, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.