These captures are stored in DRAM and can be exported as capture files so that we can open and analyze them in Wireshark.
To configure EPC we have to do a couple of things:
- Configure a capture buffer: this is where the router stores the packets when they are captured.
- Configure a capture point: this is where we want to capture packets (interface and direction).
- Associate the capture buffer and capture point: this binds our capture buffer to the capture point.
- Start and stop the capture to get some packets.
- View the capture on the router (hex dump) or copy it to an external server so we can open it with Wireshark.
Configuration
To demonstrate this I will use the following topology:

We will send a ping from R1 to R3 and capture these packets on R2. We can then export the captured packets to the TFTP server at 192.168.23.200. Here’s what the configuration looks like:

R2#monitor capture ?
buffer Control Capture Buffers
point Control Capture Points

We use the monitor capture command in privileged mode. I’ll start with the configuration of the capture buffer:

R2#monitor capture buffer ?
WORD Name of the Capture Buffer

First we have to think of a name. I’ll call my capture buffer “CAPTURE”:

R2#monitor capture buffer CAPTURE ?
circular Circular Buffer
clear Clear contents of capture buffer
export Export in Pcap format
filter Configure filters
limit Limit the packets dumped to the buffer
linear Linear Buffer(Default)
max-size Maximum size of element in the buffer (in bytes)
size Packet Dump buffer size (in Kbytes)
There’s a list of options. Let’s configure the size of our capture buffer:

R2#monitor capture buffer CAPTURE size ?
<256-102400> Buffer size in Kbytes : 102400K or less (default is 1024K)

The capture buffer is stored in DRAM, so select whatever size you feel is appropriate. You can also specify the maximum size of a single packet:

R2#monitor capture buffer CAPTURE size 8192 max-size 2048 ?
circular Circular Buffer
linear Linear Buffer(Default)
I’ll use a capture buffer of 8192K, and a single packet has a maximum size of 2048 bytes. The last thing we have to decide is whether we want a circular or a linear buffer. A linear buffer stops capturing once the buffer is full, while a circular buffer keeps capturing and overwrites the oldest packets in the buffer. Let’s go for the circular buffer:

R2#monitor capture buffer CAPTURE size 8192 max-size 2048 circular
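As an added example (not code from the original post or from Cisco IOS), the following Python model reproduces the buffer semantics just described: a buffer sized in Kbytes, a per-packet max-size in bytes, and a linear buffer that stops storing once it is full versus a circular one that evicts the oldest packets. Treating packets longer than max-size as truncated to max-size is my assumption, as are the constructed packet sizes.

```python
"""Model of EPC capture-buffer behaviour (linear vs circular, size, max-size).

Added example, not from the original post or Cisco IOS. It mirrors the
semantics the post describes; truncating oversize packets to max-size is an
assumption of this model.
"""
from collections import deque


class CaptureBuffer:
    def __init__(self, size_kb, max_size, circular):
        self.capacity = size_kb * 1024   # 'size' is given in Kbytes on the router
        self.max_size = max_size         # 'max-size' is given in bytes
        self.circular = circular
        self.elements = deque()          # (packet index, stored bytes)
        self.used = 0
        self.dropped = 0                 # not stored because a linear buffer was full
        self.evicted = 0                 # oldest packets overwritten in a circular buffer

    def capture(self, index, packet):
        element = packet[: self.max_size]    # assumption: oversize packets are truncated
        if len(element) > self.capacity:     # cannot fit even in an empty buffer
            self.dropped += 1
            return False
        if self.circular:
            while self.used + len(element) > self.capacity:
                _, old = self.elements.popleft()
                self.used -= len(old)
                self.evicted += 1
        elif self.used + len(element) > self.capacity:
            self.dropped += 1                # linear buffer: capturing stops when full
            return False
        self.elements.append((index, element))
        self.used += len(element)
        return True


def simulate(size_kb, max_size, circular, packet_sizes):
    """Feed packets of the given sizes (bytes) and report what the buffer kept."""
    buf = CaptureBuffer(size_kb, max_size, circular)
    for i, n in enumerate(packet_sizes):
        buf.capture(i, bytes(n))             # constructed packet: n zero bytes
    return {"kept": [i for i, _ in buf.elements], "used": buf.used,
            "dropped": buf.dropped, "evicted": buf.evicted}


if __name__ == "__main__":
    sizes = [1500] * 10                      # ten full-size frames, constructed
    print("linear  :", simulate(4, 1024, False, sizes))
    print("circular:", simulate(4, 1024, True, sizes))
```

The difference matters when the buffer is your only record of an event: a full linear buffer silently stops recording newer packets, while a circular buffer quietly loses the oldest ones. Either way, size the buffer (and narrow the filter) for the time window you actually need.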
Instead of capturing all traffic, we’ll use a filter that only captures traffic from 192.168.12.1 to 192.168.23.3. Here’s how to configure it:

R2(config)#ip access-list extended PACKET_FILTER
R2(config-ext-nacl)#permit ip host 192.168.12.1 host 192.168.23.3
R2#monitor capture buffer CAPTURE filter access-list PACKET_FILTER
Filter Association succeeded
This attaches the access-list to our capture buffer. That’s all we have to do for the capture buffer, so let’s configure the capture point so the router knows where to capture traffic:

R2#monitor capture point ?
associate Associate capture point with capture buffer
disassociate Dis-associate capture point from capture buffer
ip IPv4
ipv6 IPv6
start Enable Capture Point
stop Disable Capture Point
Here you can see some of our options. Let’s select IPv4:

R2#monitor capture point ip ?
cef IPv4 CEF
process-switched Process switched packets

Here you have to decide between CEF or process-switched packets. CEF is enabled by default, so let’s go with that. Now we can choose the interface:

R2#monitor capture point ip cef POINT FastEthernet 0/1 ?
both capture ingress and egress
in capture on ingress
out capture on egress
I’ll select the interface and call my capture point “POINT”. We still have to choose the direction. Let’s pick both:

R2#monitor capture point ip cef POINT FastEthernet 0/1 both
%BUFCAP-6-CREATE: Capture Point POINT created.

That takes care of the capture point. Last but not least we have to associate our capture buffer and point:

R2#monitor capture point associate POINT CAPTURE

Everything is in place, time to verify our work.

Verification

First we will start the capture point:

R2#monitor capture point start POINT
%BUFCAP-6-ENABLE: Capture Point POINT enabled.

It should now capture traffic between R1 and R3. Let’s take a look at some show commands first:

R2#show monitor capture point POINT
Status Information for Capture Point POINT
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: CAPTURE
Status : Active
Configuration:
monitor capture point ip cef POINT FastEthernet0/1 both
Here’s a nice overview of our capture point. It tells us what it will capture and which capture buffer it uses. Instead of specifying the name of the capture point you can also use “all” to see all your capture points.

Let’s send a ping from R1 to R3 and see if it actually captures some traffic:
R1#ping 192.168.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Now take a look at the capture buffer:

R2#show monitor capture buffer CAPTURE parameters
Capture buffer CAPTURE (circular buffer)
Buffer Size : 8388608 bytes, Max Element Size : 2048 bytes, Packets : 5
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : POINT, Status : Active
Configuration:
monitor capture buffer CAPTURE size 8192 max-size 2048 circular
monitor capture point associate POINT CAPTURE
monitor capture buffer CAPTURE filter access-list PACKET_FILTER
Above you can see the details of our capture buffer and the number of packets it has caught. There’s another command you can use to see some info about these packets:

R2#show monitor capture buffer CAPTURE
12:24:15.447 UTC May 7 2015 : IPv4 LES CEF : Fa0/0 Fa0/1
12:24:15.451 UTC May 7 2015 : IPv4 LES CEF : Fa0/0 Fa0/1
12:24:15.451 UTC May 7 2015 : IPv4 LES CEF : Fa0/0 Fa0/1
12:24:15.455 UTC May 7 2015 : IPv4 LES CEF : Fa0/0 Fa0/1
12:24:15.455 UTC May 7 2015 : IPv4 LES CEF : Fa0/0 Fa0/1
Above you can see when and where these packets were captured. If you want to see the content of these packets, we can use a dump:

R2#show monitor capture buffer CAPTURE dump
12:24:15.447 UTC May 7 2015 : IPv4 LES CEF : Fa0/0 Fa0/1
4B164C40: 0016C7BE 0EC80017 5AED7AF1 08004500 ..G>.H..Zmzq..E.
4B164C50: 00640000 0000FE01 1844C0A8 0C01C0A8 .d....~..D@(..@(
4B164C60: 17030800 47100000 00000000 00000016 ....G...........
4B164C70: 3724ABCD ABCDABCD ABCDABCD ABCDABCD 7$+M+M+M+M+M+M+M
4B164C80: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
4B164C90: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
4B164CA0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
4B164CB0: ABCD00
[output omitted]
This gives us the packet in hexadecimal. Very nice, but it’s easier if we can see these packets in Wireshark. This is no problem, but we’ll have to export our packets first. Let’s stop the capture point:

R2#monitor capture point stop POINT
%BUFCAP-6-DISABLE: Capture Point POINT disabled.

Here’s how to copy the capture file:

R2#monitor capture buffer CAPTURE export ?
flash: Location to dump buffer
ftp: Location to dump buffer
http: Location to dump buffer
https: Location to dump buffer
pram: Location to dump buffer
rcp: Location to dump buffer
scp: Location to dump buffer
tftp: Location to dump buffer
We have a couple of options. Let’s use TFTP to copy the packets:

R2#monitor capture buffer CAPTURE export tftp://192.168.23.200//capture.pcap
!

I’ll export the capture buffer to my TFTP server at 192.168.23.200. The filename will be “capture.pcap”. This file can be opened with Wireshark. There we go: our 5 ICMP echo requests from R1 to R3. Only the echo requests show up because the access-list permits traffic from 192.168.12.1 to 192.168.23.3 only, so the echo replies from R3 back to R1 were never stored in the buffer.
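As an added example that is not part of the original post (and not Cisco code), the following Python script shows what the router exported, and gives you a fallback for the case where you cannot copy a file off the router and all you have is the console dump. It parses the first packet of the dump output shown above (reproduced here as a constructed string), decodes the Ethernet, IPv4 and ICMP headers, verifies both checksums, checks the packet against the PACKET_FILTER access-list, and writes the frame out as a classic pcap file that Wireshark can open. The hex line layout (address, up to four 32-bit groups, an ASCII column) and the UTC router clock are assumptions taken from that output; the single pad byte the dump shows past the IP total length is dropped.

```python
"""Decode 'show monitor capture buffer CAPTURE dump' output and write a pcap.

Added example, not part of the original post or of Cisco IOS. DUMP is the first
packet of the post's dump output, reproduced as a constructed string; the line
layout (address, up to four 32-bit hex groups, ASCII column) and the UTC router
clock are assumptions taken from that output.
"""
import ipaddress
import re
import struct
from datetime import datetime, timezone
from typing import NamedTuple

DUMP = """\
12:24:15.447 UTC May 7 2015 : IPv4 LES CEF : Fa0/0 Fa0/1
4B164C40: 0016C7BE 0EC80017 5AED7AF1 08004500 ..G>.H..Zmzq..E.
4B164C50: 00640000 0000FE01 1844C0A8 0C01C0A8 .d....~..D@(..@(
4B164C60: 17030800 47100000 00000000 00000016 ....G...........
4B164C70: 3724ABCD ABCDABCD ABCDABCD ABCDABCD 7$+M+M+M+M+M+M+M
4B164C80: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
4B164C90: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
4B164CA0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
4B164CB0: ABCD00
"""

# "HH:MM:SS.mmm ZONE Mon D YYYY : <switch path> : <in-if> <out-if>"
HEADER = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) (\w{3} \d{1,2} \d{4}) : (.*?)\s*: (\S+) (\S+)\s*$")
# "ADDR:" followed by at most four 32-bit hex groups; the ASCII column is ignored
HEXLINE = re.compile(r"^[0-9A-Fa-f]{8}:((?: [0-9A-Fa-f]{2,8}){1,4})")


class Packet(NamedTuple):
    timestamp: float      # seconds since the epoch, from the dump's timestamp line
    switch_path: str      # e.g. "IPv4 LES CEF"
    in_if: str
    out_if: str
    frame: bytes


def parse_dump(text):
    """Group the dump into packets: a timestamp line followed by hex lines."""
    packets = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            if h.group(2) != "UTC":
                raise ValueError(f"unexpected clock zone {h.group(2)!r}")  # assumption: UTC
            when = datetime.strptime(f"{h.group(1)} {h.group(3)}", "%H:%M:%S.%f %b %d %Y")
            packets.append([when.replace(tzinfo=timezone.utc).timestamp(),
                            h.group(4), h.group(5), h.group(6), bytearray()])
            continue
        m = HEXLINE.match(line)
        if m and packets:
            packets[-1][4] += bytes.fromhex("".join(m.group(1).split()))
    return [Packet(t, p, i, o, bytes(f)) for t, p, i, o, f in packets]


def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when the stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Decode Ethernet II + IPv4 (+ ICMP) headers and verify both checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return info
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    ip = frame[14:14 + total_len]         # drop any pad bytes shown past the IP length
    info.update(src=str(ipaddress.IPv4Address(src)), dst=str(ipaddress.IPv4Address(dst)),
                ttl=ttl, protocol=proto, total_length=total_len,
                ip_checksum_ok=inet_checksum(ip[:ihl]) == 0)
    if proto == 1 and len(ip) >= ihl + 8:
        icmp = ip[ihl:]
        itype, code, _icksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        info.update(icmp_type=itype, icmp_code=code, icmp_id=ident, icmp_seq=seq,
                    icmp_checksum_ok=inet_checksum(icmp) == 0)
    return info


def matches_filter(info, src="192.168.12.1", dst="192.168.23.3"):
    """The post's PACKET_FILTER: permit ip host 192.168.12.1 host 192.168.23.3."""
    return info.get("src") == src and info.get("dst") == dst


def to_pcap(packets):
    """Serialise frames as a classic libpcap file (LINKTYPE_ETHERNET) for Wireshark."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for p in packets:
        frame = p.frame
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            frame = frame[:14 + struct.unpack("!H", frame[16:18])[0]]  # trim to IP length
        sec = int(p.timestamp)
        usec = int(round((p.timestamp - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


if __name__ == "__main__":
    pkts = parse_dump(DUMP)
    for p in pkts:
        info = decode_frame(p.frame)
        print(p.in_if, "->", p.out_if, info, "matches ACL:", matches_filter(info))
    with open("capture_from_dump.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
```

Run it and open capture_from_dump.pcap in Wireshark: the packet decodes as an ICMP echo request from 192.168.12.1 to 192.168.23.3 with TTL 254, one hop below the 255 a router sets, which is consistent with R1 having sent it and R2 having forwarded it. Verifying the IP and ICMP checksums is a cheap way to confirm that the hex was transcribed from the console without corruption before anyone relies on it.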