One useful tool that I first saw a TAC engineer use more than a year ago, and rediscovered at the INE CCIE bootcamp, is the Embedded Packet Capture (EPC) feature that IOS provides. It can be very useful while studying for the CCIE.
This feature lets you capture packets flowing through a router directly, without changing any switch configuration or touching cabling. It is similar to a `monitor session` (SPAN) on a switch, with the difference that the captured packets are kept in the router's memory instead of being mirrored out a port to a sniffer.
The capture is stored in PCAP format, so it can be opened in capture software such as Wireshark for later analysis. This lets you sniff traffic even when the devices are not physically close to you, or when working with remote racks like INE's: they are going to provide access to a virtual machine on each rack for working with packet captures, so you will be able to send your capture to the virtual machine and open it with Wireshark, all from the comfort of your home.
The configuration is fairly simple if you remember these three pieces:
- Create a buffer in memory to hold the captured packets (capture buffer).
- Configure the rules used to match the packets you want (capture point). Here you define the interface, direction, switching path, ACLs, etc.
- Associate the storage (capture buffer) with the matching rules (capture point).
So, let's say we want 512 KB of packet capture from the interface Serial 0/0/0.503.
Here we define a capture buffer of 512 KB:
And verify with:
Then the rules for the packets you want to capture. In my case I want all incoming packets on the Serial 0/0/0.503 interface:
You can check your configuration with:
I used `cef` there because I don't want the process-switched traffic, but the CEF-switched traffic actually going through the interface.
Now you need to bind these two definitions together:
Now everything is configured and ready to use. As soon as you want to start collecting packets, run:
And verify that everything is working fine:
When you are done you can stop it with the following command:
To see on the console what has been captured:
If you want to analyze the capture on another device (most likely), you can export it using any of the supported transfer methods: TFTP, FTP, HTTP, SCP, etc. For example, to send it to a TFTP server:
That's all, a very useful feature.
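The whole procedure above, put together as one session, as an added example that is not part of the original post. The buffer name `CAP_BUF`, the capture point name `CAP_PT`, the ACL number `100`, the host `192.0.2.10`, the TFTP server `10.0.0.100` and the file name are assumptions chosen for illustration; the interface and the 512 KB size are the ones used in the text. All `monitor capture` commands are privileged EXEC commands, not configuration commands, so they do not appear in the running-config:

```cisco
! --- Optional: an ACL to narrow the capture (assumed host 192.0.2.10) ---
! The ACL is applied as a filter on the capture BUFFER, not on the capture point.
Router# configure terminal
Router(config)# access-list 100 permit ip any host 192.0.2.10
Router(config)# access-list 100 permit ip host 192.0.2.10 any
Router(config)# end

! --- 1. Capture buffer: 512 KB, linear (stops when full; "circular" would overwrite) ---
! max-size is the per-packet snapshot length in bytes; the default is 68, which
! keeps only headers. Raise it if you want payloads in Wireshark.
Router# monitor capture buffer CAP_BUF size 512 max-size 1500 linear
Router# monitor capture buffer CAP_BUF filter access-list 100
Router# show monitor capture buffer CAP_BUF parameters

! --- 2. Capture point: CEF-switched IPv4 packets arriving on Serial0/0/0.503 ---
! Use "process-switched" instead of "cef" for traffic punted to the CPU,
! e.g. packets destined to the router itself such as routing-protocol hellos.
Router# monitor capture point ip cef CAP_PT Serial0/0/0.503 in
Router# show monitor capture point CAP_PT

! --- 3. Bind buffer and point, then start ---
Router# monitor capture point associate CAP_PT CAP_BUF
Router# monitor capture point start CAP_PT

! While it runs: "Status : Active" on the point, packet count on the buffer
Router# show monitor capture point CAP_PT
Router# show monitor capture buffer CAP_BUF parameters

! --- 4. Stop, inspect on the console, export as PCAP ---
Router# monitor capture point stop CAP_PT
Router# show monitor capture buffer CAP_BUF dump
Router# monitor capture buffer CAP_BUF export tftp://10.0.0.100/s0-0-0-503.pcap

! --- 5. Clean up (the buffer lives in RAM and is lost on reload anyway) ---
Router# monitor capture buffer CAP_BUF clear
Router# no monitor capture point ip cef CAP_PT Serial0/0/0.503 in
Router# no monitor capture buffer CAP_BUF
```

Two things to check before trusting the result: that `show monitor capture buffer CAP_BUF parameters` shows a non-zero packet count while the point is active (a zero count with the point active usually means the traffic is not taking the switching path you chose, or the ACL does not match), and that the `max-size` is large enough for what you want to see in Wireshark, since with the 68-byte default the payload of every packet is truncated.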
Thank you for reading our CCIE Blog
The Cisco IOS Packet Capture (EPC Embedded Packet Capture) by CCIE Blog, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.