Cisco IOS – Packet Captures

This article describes configuring packet captures on a Cisco IOS router. The commands were tested on a Cisco C867VAE-K9 router running IOS 15.6(3)M.

All of the `monitor capture` commands are entered in privileged EXEC mode (after `enable`), not in configuration mode. The one exception is the capture filter access list, which is defined in global configuration mode like any other ACL.

Define a Capture Filter

This is an extended access list that is applied to the capture buffer so that only the packets specified are stored. Remember to write this filter based on where you are going to apply the capture: matching on private IP addresses on an interface connected to the public Internet probably won't show much. In this example the filter keeps only traffic to or from 192.168.0.1.

ip access-list extended CAP-FILTER
permit ip host 192.168.0.1 any
permit ip any host 192.168.0.1

Define the Capture buffer

This is where the capture data will be stored. In this example the buffer is called CAP-BUF, but you can call it whatever you like. The `size` is the buffer size in kilobytes (2048 here, so 2 MB of router memory is reserved while the buffer exists), `max-size` is the maximum number of bytes stored per packet (1518 covers a full Ethernet frame; anything longer is truncated), and `linear` means the capture stops when the buffer is full, as opposed to `circular`, which overwrites the oldest packets.

monitor capture buffer CAP-BUF size 2048 max-size 1518 linear

Apply the Capture Filter to the Capture buffer

This attaches the filter created in the first step to the capture buffer so we only get packets we are interested in.

monitor capture buffer CAP-BUF filter access-list CAP-FILTER

After entering this command, you should see a message along the lines of “Filter successfully applied to buffer”.

Define Capture Point

The capture point is where we tell the router which interface we want to capture on and whether we want to capture CEF-switched or process-switched packets (the `ip cef` keyword below selects CEF-switched traffic; `ip process-switched` selects traffic punted to the CPU, such as packets addressed to the router itself). The capture point in this example is called CAP-POINT, but this is user defined and can be named to suit. We are applying it to interface gi0/0/0 with `both`, so ingress and egress packets are captured; it can be any interface on the router including VLAN interfaces, for example VLAN 1.

monitor capture point ip cef CAP-POINT gi0/0/0 both

Associate Capture Point with the Capture Buffer

This links the capture point to the buffer that will store its packets and is the final step required to prepare the router for packet capture. A capture point with no associated buffer will start but store nothing.

monitor capture point associate CAP-POINT CAP-BUF

Summary of Commands

ip access-list extended CAP-FILTER
permit ip host 192.168.0.1 any
permit ip any host 192.168.0.1
monitor capture buffer CAP-BUF size 2048 max-size 1518 linear
monitor capture buffer CAP-BUF filter access-list CAP-FILTER
monitor capture point ip cef CAP-POINT gi0/0/0 both
monitor capture point associate CAP-POINT CAP-BUF

Starting and Stopping the capture

Now the capture has been defined, it needs to be started in order to actually do anything. The following command starts the capture.

monitor capture point start CAP-POINT

Stop the capture

monitor capture point stop CAP-POINT

Viewing the Capture

To view the capture on the router use the following command:

show monitor capture buffer CAP-BUF

This may only show some basic information for example:

16:42:00.539 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:01.539 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:02.543 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:03.543 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None

To see packet contents on the router itself, `show monitor capture buffer CAP-BUF dump` prints a hex dump of each stored packet. To decode the packets properly, you will need to stop the capture and then export the buffer.

Exporting the Capture

As it is not possible to export running captures, use the command monitor capture point stop CAP-POINT to stop the capture. Then use the following command to export the capture:

monitor capture buffer CAP-BUF export <flash|tftp|ftp>

The following command will export our example buffer, CAP-BUF, to the TFTP server at 192.168.0.1 and file called cap.pcap.

monitor capture buffer CAP-BUF export tftp://192.168.0.1/cap.pcap

You should now be able to open the file in Wireshark or another packet capture analyser. Bear in mind that the export contains the captured traffic in full, and that TFTP (and FTP) send it across the network unauthenticated and unencrypted, so export over a trusted management path and treat the resulting file as sensitive.
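Before opening an exported buffer in Wireshark it is worth checking that the capture actually contains what the filter and buffer settings promised. The following script is an added example, not code from the original article: it is a small dependency-free parser for the pcap file the export writes, and it reports whether every stored packet matches the CAP-FILTER access list (IPv4 to or from 192.168.0.1) and how many frames were truncated by the buffer's `max-size 1518`, which shows up in pcap as a stored length shorter than the original length. It assumes the export is in classic libpcap format with Ethernet frames (link type 1) or raw IPv4 (link types 101/228); the page does not state the link type, so both are handled. The sample capture embedded below is constructed so the script runs offline and is not data from the router.

```python
"""Sanity-check a pcap exported with `monitor capture buffer CAP-BUF export`.

Added example; assumptions: classic pcap format, Ethernet or raw-IPv4 frames.
Run with a file argument to check a real export, or with no argument to run
against the constructed sample capture at the bottom.
"""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, host byte order
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101
LINKTYPE_IPV4 = 228
ETHERTYPE_IPV4 = 0x0800

# Same host as the page's ACL: permit ip host 192.168.0.1 any / permit ip any host 192.168.0.1
FILTER_HOST = ipaddress.IPv4Address("192.168.0.1")


def parse_pcap(data):
    """Return (link_type, records); each record is (incl_len, orig_len, frame bytes)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        e = "<"                     # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        e = ">"                     # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, network
    _, _, _, _, _, _snaplen, link_type = struct.unpack_from(e + "IHHiIII", data, 0)
    off, records = 24, []
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated pcap record")
        records.append((incl_len, orig_len, frame))
        off += incl_len
    return link_type, records


def ipv4_endpoints(link_type, frame):
    """Return (src, dst) of an IPv4 packet, or None if the frame is not IPv4."""
    if link_type == LINKTYPE_ETHERNET:
        if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            return None
        ip = frame[14:]
    elif link_type in (LINKTYPE_RAW, LINKTYPE_IPV4):
        ip = frame
    else:
        raise ValueError(f"unsupported link type {link_type}")
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    return ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])


def matches_cap_filter(src, dst, host=FILTER_HOST):
    """Semantics of the two-line extended ACL: host as source OR as destination."""
    return src == host or dst == host


def audit(data):
    """Count filter matches and max-size truncation; list packets the filter should have excluded."""
    link_type, records = parse_pcap(data)
    result = {"total": len(records), "matched": 0, "truncated": 0, "non_ip": 0, "unexpected": []}
    for incl_len, orig_len, frame in records:
        if incl_len < orig_len:         # router stored fewer bytes than the packet had
            result["truncated"] += 1
        ep = ipv4_endpoints(link_type, frame)
        if ep is None:
            result["non_ip"] += 1
        elif matches_cap_filter(*ep):
            result["matched"] += 1
        else:
            result["unexpected"].append(ep)
    return result


# --- constructed sample capture (test data, not from a router) -----------------
def _ipv4_packet(src, dst, payload_len, proto=17):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + b"\x00" * payload_len


def _eth(ip):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_sample_pcap(max_size=1518):
    """Three frames: two match the filter (one longer than max-size), one should not be there."""
    frames = [
        _eth(_ipv4_packet("192.168.0.1", "10.0.0.5", 40)),     # matches: host as source (74 bytes)
        _eth(_ipv4_packet("10.0.0.5", "192.168.0.1", 1600)),   # matches, but 1634 bytes > max-size
        _eth(_ipv4_packet("10.0.0.7", "10.0.0.8", 40)),        # filter should have excluded this
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, max_size, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        stored = f[:max_size]                                  # emulate the router's max-size cut
        out += struct.pack("<IIII", 1551715320 + i, 0, len(stored), len(f)) + stored
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    r = audit(data)
    print(f"{r['total']} packets, {r['matched']} match CAP-FILTER, "
          f"{r['truncated']} truncated by max-size, {r['non_ip']} non-IPv4")
    for src, dst in r["unexpected"]:
        print(f"  unexpected: {src} -> {dst}")
```

A non-zero "unexpected" count means packets reached the buffer that the ACL should not have permitted (typically the filter was attached after the capture had already been started), and a high truncation count means `max-size` should be raised if you need full payloads rather than just headers.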

Clean up

When the capture is complete, clean up the capture by using the following commands:

no monitor capture point ip cef CAP-POINT gi0/0/0 both
no monitor capture buffer CAP-BUF

Useful Commands

show monitor capture buffer all parameters
show monitor capture point all

As usual, this article is written as an aid to memory, but feedback and comments are welcome.

UPDATE (27/03/2019) – TFTP Export and IP Inspect

Remember that in most cases, you will need to TFTP or otherwise export the captures from the router to another location for analysis. If you are using Cisco's IP Inspect firewall feature and exporting with TFTP, you may need to update your UDP inspect statement to include the argument `router-traffic`, for example:

ip inspect name policy-name udp router-traffic timeout 3600

This argument enables inspection of traffic originated by and destined to the router itself; without it, the TFTP session sourced by the router is not inspected and you may find you are unable to export the captures.

You may also need to set the TFTP source interface to an interface looking in the direction of your TFTP server:

ip tftp source-interface Vlan1
