Cisco IOS Packet Capture (EPC Embedded Packet Capture)

One useful tool that I saw a TAC engineer use more than a year ago, and rediscovered at the INE CCIE bootcamp, is the Embedded Packet Capture feature that IOS provides. It can be very useful while studying for the CCIE.

This feature lets you capture packets flowing through a router directly, without any configuration changes on switches or extra cabling. It is similar to a `monitor session` on a switch, with the difference that the captured packets are kept in the router's memory rather than being sent over the wire to a sniffer.

The generated capture can be opened in analysis software such as Wireshark (it is exported in PCAP format) for later analysis. This lets you sniff traffic even when the devices are not physically close to you, or when working with remote racks like INE's: they are going to provide, in the near future, access to a virtual machine on each rack for working with packet captures. That way you’ll be able to send your capture to the virtual machine and open it with Wireshark, all from the comfort of your home :)

Configuration

The configuration is fairly simple if you remember these three points:

  1. Create a buffer in memory to hold the captured packets (capture buffer).
  2. Configure the rules used to match the packets you need (capture point). Here you define the interface, direction, ACLs, etc.
  3. Associate the storage (capture buffer) with the matching rules (capture point).

So, let’s say that we want to capture 512 Kb of packets from the interface Serial 0/0/0.503.

First we define the capture buffer with a size of 512 k:

# monitor capture buffer BLOG-CAPTURE size 512

And verify with:

#show monitor capture buffer BLOG-CAPTURE parameters
Capture buffer BLOG-CAPTURE (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 68 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer BLOG-CAPTURE size 512

Then define the rules for the packets you want to capture. In my case I want all incoming packets on the Serial 0/0/0.503 interface:

#monitor capture point ip cef INCOMING-S0/0/0 Serial0/0/0.503 in
Apr  2 04:23:59.539: %BUFCAP-6-CREATE: Capture Point INCOMING-S0/0/0 created.

You can check your configuration with:

#show monitor capture point INCOMING-S0/0/0
Status Information for Capture Point INCOMING-S0/0/0
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: None
Status : Inactive

Configuration:
monitor capture point ip cef INCOMING-S0/0/0 Serial0/0/0.503 in

I used `ip cef` there because I want the CEF-switched traffic actually going through the interface, not the process-switched traffic.

Now you need to bind these two definitions together:

#monitor capture point associate INCOMING-S0/0/0 BLOG-CAPTURE

Now everything is configured and ready to use. As soon as you want to start collecting packets, run:

#monitor capture point start INCOMING-S0/0/0
Rack29R5#
Apr  2 04:29:17.579: %BUFCAP-6-ENABLE: Capture Point INCOMING-S0/0/0 enabled.

And verify that everything is working fine:

#show monitor capture point all
Status Information for Capture Point INCOMING-S0/0/0
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: BLOG-CAPTURE
Status : Active

Configuration:
monitor capture point ip cef INCOMING-S0/0/0 Serial0/0/0.503 in

#show monitor capture buffer all parameters
Capture buffer BLOG-CAPTURE (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 68 bytes, Packets : 10
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : INCOMING-S0/0/0, Status : Active
Configuration:
monitor capture buffer BLOG-CAPTURE size 512
monitor capture point associate INCOMING-S0/0/0 BLOG-CAPTURE

When you are done you can stop it with the following command:

#monitor capture point stop INCOMING-S0/0/0
#
Apr  2 04:31:41.463: %BUFCAP-6-DISABLE: Capture Point INCOMING-S0/0/0 disabled.

To see on the console what has been captured:

#show monitor capture buffer BLOG-CAPTURE dump
04:30:13.667 UTC Apr 2 2012 : IPv4 LES CEF    : Se0/0/0.503 None

676E1590:                   7C710800 45000064          |q..E..d
676E15A0: 004D0000 FC01580B AD1D0C01 AD1D0005  .M..|.X.-...-...
676E15B0: 0800D28C 000E0000 00000000 0035AB7A  ..R..........5+z
676E15C0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
676E15D0: ABCDABCD ABCDABCD ABCDABCD 00        +M+M+M+M+M+M.   

04:30:15.671 UTC Apr 2 2012 : IPv4 LES CEF    : Se0/0/0.503 None

676E1590:                   7C710800 45000064          |q..E..d
676E15A0: 004E0000 FC01580A AD1D0C01 AD1D0005  .N..|.X.-...-...
676E15B0: 0800CAB8 000E0001 00000000 0035B34D  ..J8.........53M
676E15C0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
676E15D0: ABCDABCD ABCDABCD ABCDABCD 00        +M+M+M+M+M+M.
[…]
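The console dump above is the same data that the export command writes as PCAP, just rendered as hex. The following Python script is an added example (not part of the original post) that turns that console output back into bytes and decodes it: it splits the dump into capture elements, locates the IPv4 header behind the serial link-layer header by its 0x0800 protocol-type field (an assumption about the encapsulation, since the post does not name it), verifies the IPv4 header checksum to prove the byte offsets are right, decodes the ICMP echo fields, and flags that each element was cut short by the 68-byte element size (total length 100 but far fewer bytes stored). The sample input is the dump from the post, copied verbatim.

```python
"""Decode the text output of `show monitor capture buffer <name> dump`.

Added example, not code from the original post. Parses the console hex
dump into raw bytes, locates the IPv4 header, verifies the IPv4 header
checksum, decodes ICMP echo fields and reports truncation.
"""
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Dump lines exactly as printed on the router console in the post.
SAMPLE_DUMP = """\
04:30:13.667 UTC Apr 2 2012 : IPv4 LES CEF    : Se0/0/0.503 None

676E1590:                   7C710800 45000064          |q..E..d
676E15A0: 004D0000 FC01580B AD1D0C01 AD1D0005  .M..|.X.-...-...
676E15B0: 0800D28C 000E0000 00000000 0035AB7A  ..R..........5+z
676E15C0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
676E15D0: ABCDABCD ABCDABCD ABCDABCD 00        +M+M+M+M+M+M.

04:30:15.671 UTC Apr 2 2012 : IPv4 LES CEF    : Se0/0/0.503 None

676E1590:                   7C710800 45000064          |q..E..d
676E15A0: 004E0000 FC01580A AD1D0C01 AD1D0005  .N..|.X.-...-...
676E15B0: 0800CAB8 000E0001 00000000 0035B34D  ..J8.........53M
676E15C0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
676E15D0: ABCDABCD ABCDABCD ABCDABCD 00        +M+M+M+M+M+M.
"""

# "04:30:13.667 UTC Apr 2 2012 : IPv4 LES CEF    : Se0/0/0.503 None"
HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+ \S+ \S+ \d+ \d+) : (.+?)\s+: (\S+)")
# "676E15A0: 004D0000 FC01580B AD1D0C01 AD1D0005  .M..|.X.-...-..."
HEXLINE_RE = re.compile(r"^([0-9A-Fa-f]{8}):(.*)$")


@dataclass
class Element:
    timestamp: str
    path: str
    interface: str
    data: bytearray = field(default_factory=bytearray)


@dataclass
class Decoded:
    src: str
    dst: str
    ttl: int
    protocol: int
    total_length: int      # IPv4 total length field (bytes on the wire)
    captured_length: int   # IPv4 bytes actually present in the element
    checksum_ok: bool
    icmp: Optional[Tuple[int, int, int, int]]  # type, code, identifier, sequence

    @property
    def truncated(self) -> bool:
        return self.captured_length < self.total_length


def parse_dump(text: str) -> List[Element]:
    """Split the console dump into capture elements carrying their raw bytes."""
    elements: List[Element] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            elements.append(Element(m.group(1), m.group(2).strip(), m.group(3)))
            continue
        m = HEXLINE_RE.match(line)
        if not m or not elements:
            continue
        # Hex words are separated by single spaces; the ASCII column is set off
        # by at least two spaces, so everything before the first wide gap is hex.
        hex_part = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        for word in hex_part.split():
            if len(word) % 2 or not re.fullmatch(r"[0-9A-Fa-f]{2,8}", word):
                raise ValueError(f"unexpected hex word {word!r} in {line!r}")
            elements[-1].data += bytes.fromhex(word)
    return elements


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; caller zeroes the checksum field first."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def find_ipv4(data: bytes) -> int:
    """Offset of the IPv4 header: the link-layer protocol-type 0x0800 is
    followed by a byte whose version nibble is 4 (encapsulation assumed)."""
    for i in range(len(data) - 2):
        if data[i:i + 2] == b"\x08\x00" and data[i + 2] >> 4 == 4:
            return i + 2
    raise ValueError("no IPv4 header found in capture element")


def decode_element(elem: Element) -> Decoded:
    ip = bytes(elem.data[find_ipv4(elem.data):])
    if len(ip) < 20:
        raise ValueError("capture element shorter than an IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    header = ip[:ihl]
    ok = ip_checksum(header[:10] + b"\x00\x00" + header[12:]) == csum
    icmp = None
    if proto == 1 and len(ip) >= ihl + 8:  # ICMP echo: type, code, cksum, id, seq
        t, c, _cs, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
        icmp = (t, c, ident, seq)
    return Decoded(".".join(map(str, src)), ".".join(map(str, dst)),
                   ttl, proto, total_len, len(ip), ok, icmp)


def decode_dump(text: str) -> List[Decoded]:
    return [decode_element(e) for e in parse_dump(text)]


if __name__ == "__main__":
    for pkt in decode_dump(SAMPLE_DUMP):
        print(pkt, "truncated" if pkt.truncated else "complete")
```

Both elements decode as ICMP echo requests from 173.29.12.1 to 173.29.0.5 with TTL 252, and both IPv4 header checksums verify (0x580B and 0x580A, one apart because only the identification field changed). Each element holds far fewer IPv4 bytes than the 100-byte total length, which is the practical point: with the default element size you get headers, not payloads, so raise it with the `max-size` option of `monitor capture buffer` if you need full packets.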

If you want to analyze the capture on another device (most likely), you can send it over using any of the supported transfer methods: TFTP, FTP, HTTP, SCP, etc. For example, to send it to a TFTP server:

# monitor capture buffer BLOG-CAPTURE export tftp://10.0.0.1/captures/

That’s all, a very useful feature.

Thank you for reading our CCIE Blog

Daniel Rodriguez

Daniel is the co-founder of Network Faculty. He holds the following certifications: CCNA, CCNP, CCIP, LPIC Level 2 and Security+. He loves Perl Programming, Linux, IPv6 and Multicast deployments. When not doing network related study/work, he is training for triathlons and other endurance sports.


Creative Commons License
The Cisco IOS Packet Capture (EPC Embedded Packet Capture) by CCIE Blog, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
