This article describes configuring packet captures on a Cisco IOS router. The commands were tested on a Cisco C867VAE-K9 router running IOS 15.6(3)M.
All of the commands used to set up, run and export the capture are entered in privileged EXEC mode; the one exception is the filter access list, which is defined in global configuration mode.
Define a Capture Filter
This is an extended access list that is applied to the capture buffer so that only the packets it permits are stored. Remember to write this filter based on where you are going to apply the capture – using private IP addresses on an interface connected to the public Internet probably won’t show much.
ip access-list extended CAP-FILTER
permit ip host 192.168.0.1 any
permit ip any host 192.168.0.1
Define the Capture buffer
This is where the captured data will be stored. In this example the buffer is called CAP-BUF, but you can call it whatever you like. The size value is the buffer size in kilobytes, max-size is the maximum number of bytes kept per packet, and linear means the capture stops when the buffer is full (the alternative, circular, overwrites the oldest packets).
monitor capture buffer CAP-BUF size 2048 max-size 1518 linear
Apply the Capture Filter to the Capture buffer
This attaches the filter created in the first step to the capture buffer so we only get packets we are interested in.
monitor capture buffer CAP-BUF filter access-list CAP-FILTER
After entering this command, you should see a message along the lines of “Filter successfully applied to buffer”.
Define Capture Point
The capture point is where we tell the router which interface to capture on and whether to capture CEF or process-switched packets. The capture point in this example is called CAP-POINT, but this is user defined and can be named to suit. We are applying the capture point to interface gi0/0/0, but this can be any interface on the router, including VLAN interfaces – for example, VLAN 1.
monitor capture point ip cef CAP-POINT gi0/0/0 both
Associate Capture Point with the Capture Buffer
This is self-explanatory and the final step required to prepare the router for packet capture.
monitor capture point associate CAP-POINT CAP-BUF
Summary of Commands
ip access-list extended CAP-FILTER
permit ip host 192.168.0.1 any
permit ip any host 192.168.0.1
monitor capture buffer CAP-BUF size 2048 max-size 1518 linear
monitor capture buffer CAP-BUF filter access-list CAP-FILTER
monitor capture point ip cef CAP-POINT gi0/0/0 both
monitor capture point associate CAP-POINT CAP-BUF
Starting and Stopping the capture
Now that the capture has been defined, it needs to be started in order to actually do anything. The following command starts the capture.
monitor capture point start CAP-POINT
Stop the capture
monitor capture point stop CAP-POINT
Viewing the Capture
To view the capture on the router use the following command:
show monitor capture buffer CAP-BUF
This may only show some basic information, for example:
16:42:00.539 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:01.539 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:02.543 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:03.543 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
To delve into the packets, you will need to stop the capture and then export the buffer.
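Before deciding whether an export is worth the effort, the buffer's one-line records can be tallied off-box. The following Python script is an added example, not part of the original article and not a Cisco tool; it parses the sample output above and reports the record count, the time span they cover and a per-interface and per-switching-path breakdown. The column meanings (timestamp, timezone, date, protocol, switching path, interface name, trailing token) are assumed from the sample lines, and the sample text embedded in the script is the article's output.

```python
"""Summarise the one-line-per-packet output of
``show monitor capture buffer CAP-BUF`` before deciding whether to export.

Added example; it is not from the article and not a Cisco tool. The column
meanings are assumed from the sample output in the article: timestamp and
timezone, date, protocol, switching path, then the interface name and a
trailing token that is kept verbatim.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{1,6}) (?P<tz>\S+) "
    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<year>\d{4}) : "
    r"(?P<proto>\S+) (?P<path>.+?) : (?P<iface>\S+) (?P<trailer>\S+)$"
)

# Sample lines taken from the article's own output.
SAMPLE_OUTPUT = """\
16:42:00.539 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:01.539 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:02.543 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:03.543 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
"""


def parse_line(line):
    """Return a dict for one buffer record, or None if the line is not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    # The timezone token is not applied; timestamps are only compared to each other.
    f["ts"] = datetime.strptime(
        f"{f['mon']} {f['day']} {f['year']} {f['time']}", "%b %d %Y %H:%M:%S.%f"
    )
    return f


def summarise(text):
    """Count records per interface and switching path and measure the time span."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    if not records:
        return {"packets": 0, "span_seconds": 0.0, "packets_per_second": None,
                "per_interface": {}, "per_path": {}}
    first, last = records[0]["ts"], records[-1]["ts"]
    span = (last - first).total_seconds()
    return {
        "packets": len(records),
        "span_seconds": span,
        # Average inter-arrival rate; only meaningful with more than one record.
        "packets_per_second": (len(records) - 1) / span if span > 0 else None,
        "per_interface": dict(Counter(r["iface"] for r in records)),
        "per_path": dict(Counter(f"{r['proto']} {r['path']}" for r in records)),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_OUTPUT))
```

Paste the real show output into a file and pass its contents to summarise(); a buffer filling at a much higher rate than expected, or records on an interface other than the one the capture point was meant to cover, is a sign the filter or capture point needs revisiting before exporting.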
Exporting the Capture
As it is not possible to export a running capture, stop it with monitor capture point stop CAP-POINT, then use the following command to export the buffer:
monitor capture buffer CAP-BUF export <flash|tftp|ftp>
The following command exports our example buffer, CAP-BUF, to the TFTP server at 192.168.0.1 into a file called cap.pcap.
monitor capture buffer CAP-BUF export tftp://192.168.0.1/cap.pcap
You should now be able to open the file in Wireshark or another packet capture analyser.
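Once the file is off the router, it is worth checking that it is a well-formed pcap and actually contains what the filter was meant to keep. The following Python script is an added example, not from the article and not a Cisco tool. It reads a classic libpcap file with the standard library only, counts the packets that match or miss the CAP-FILTER host 192.168.0.1 defined in the first step, and counts frames that were cut at the snaplen (the buffer's max-size 1518). It assumes Ethernet frames carrying IPv4 and builds a constructed sample file in memory rather than reading a real export; analyse_pcap_file("cap.pcap") runs the same checks on the exported file.

```python
"""Sanity-check a pcap exported with ``monitor capture buffer CAP-BUF export``.

Added example; it is not from the article and not a Cisco tool. Assumptions:
the export is a classic libpcap file, frames are Ethernet (linktype 1)
carrying IPv4, the capture filter was the article's CAP-FILTER (host
192.168.0.1 in either direction) and the buffer used ``max-size 1518``.
The sample file built below is constructed in memory, not a real export.
"""
import ipaddress
import struct

PCAP_HEADER_FMT = "IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_FMT = "IIII"     # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"


def analyse_pcap(data, filter_host="192.168.0.1"):
    """Walk a classic pcap held in memory and return counters describing it."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # written by a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"          # written by a big-endian host
    else:
        raise ValueError("not a classic (microsecond) pcap file: %r" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + PCAP_HEADER_FMT, data[:24])
    target = ipaddress.IPv4Address(filter_host).packed
    stats = {"linktype": linktype, "snaplen": snaplen, "packets": 0,
             "matching_filter": 0, "not_matching_filter": 0,
             "non_ipv4": 0, "truncated": 0}
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + PCAP_RECORD_FMT, data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        off += incl_len
        stats["packets"] += 1
        if incl_len < orig_len:          # cut at the buffer's max-size / snaplen
            stats["truncated"] += 1
        if linktype != LINKTYPE_ETHERNET or len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            stats["non_ipv4"] += 1
            continue
        # IPv4 header follows the 14-byte Ethernet header; src at +12, dst at +16.
        src, dst = frame[26:30], frame[30:34]
        if target in (src, dst):
            stats["matching_filter"] += 1
        else:
            stats["not_matching_filter"] += 1
    return stats


def analyse_pcap_file(path, filter_host="192.168.0.1"):
    """Run analyse_pcap over a file on disk, e.g. the exported cap.pcap."""
    with open(path, "rb") as fh:
        return analyse_pcap(fh.read(), filter_host)


# --- constructed sample data (not a real router export) ---------------------

def _ipv4_frame(src, dst, payload_len):
    """Minimal Ethernet/IPv4 frame; MACs, checksum and payload are all zero."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + b"\x00" * payload_len


def _record(frame, snaplen, ts_sec):
    """One pcap record; incl_len is capped at snaplen, orig_len is the full size."""
    kept = frame[:snaplen]
    return struct.pack("<" + PCAP_RECORD_FMT, ts_sec, 0, len(kept), len(frame)) + kept


def build_sample_pcap(snaplen=1518):
    """Constructed little-endian pcap with four frames covering each counter."""
    header = struct.pack("<" + PCAP_HEADER_FMT, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    frames = [
        _ipv4_frame("192.168.0.1", "10.0.0.5", 26),       # matches CAP-FILTER
        _ipv4_frame("10.0.0.5", "192.168.0.1", 1566),     # matches; 1600 bytes, cut to snaplen
        _ipv4_frame("172.16.0.9", "172.16.0.10", 26),     # should not be in a filtered buffer
        b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,        # ARP frame, not IPv4
    ]
    return header + b"".join(_record(f, snaplen, 1551717720 + i) for i, f in enumerate(frames))


if __name__ == "__main__":
    print(analyse_pcap(build_sample_pcap()))
```

A non-zero not_matching_filter count means the filter was not applied to the buffer (the "Filter successfully applied to buffer" message was missed) or the access list does not say what was intended; a high truncated count means max-size was set below the MTU of the captured interface and the payload will be incomplete in Wireshark.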
Clean up
When the capture is complete, remove the capture point and the buffer with the following commands:
no monitor capture point ip cef CAP-POINT gi0/0/0 both
no monitor capture buffer CAP-BUF
Useful Commands
show monitor capture buffer all parameter
As usual, this article is written as an aide to memory but feedback and comments are welcome.
UPDATE (27/03/2019) – TFTP Export and IP Inspect
Remember that in most cases you will need to TFTP or otherwise export the captures from the router to another location for analysis. If you are using Cisco’s IP Inspect firewall feature and exporting over TFTP, you may need to update your UDP inspect statement to include the argument “router-traffic” – for example:
ip inspect name policy-name udp router-traffic timeout 3600
This argument permits inspection of traffic to and from the router itself; without it, you may find you are unable to export the captures.
You may also need to set the TFTP source interface to an interface looking in the direction of your TFTP server:
ip tftp source-interface Vlan1