Cisco Embedded Packet Capture (EPC)

Cisco’s Embedded Packet Capture (EPC) allows us to capture packets that flow to, through or from our router. Captures are stored in DRAM on the router where we can see a summary or detailed view of the packet(s). Since the captures are stored in DRAM, they’ll be gone after a reload. Optionally we can export our capture to an external server as a packet capture (PCAP) file so that we can open them with Wireshark.

EPC is available since IOS 12.4(20)T and IOS-XE 15.2(4)S – 3.7.0 or later.

These captures are stored in DRAM and can be exported as capture files so that we can open and analyze them in Wireshark.

To configure EPC we have to do a couple of things:

  • Configure a capture buffer: this is where the router stores the packets when they are captured.
  • Configure a capture point: this is where we want to capture packets (interface and direction).
  • Associate the capture buffer and capture point: this binds our capture buffer to the capture point.
  • Start and stop the capture to get some packets.
  • View the capture on the router (hex dump) or copy it to an external server so we can open it with Wireshark.

Let’s take a look at how to do this!

Configuration

To demonstrate this I will use the following topology:

[Topology diagram: R1 - R2 - R3, Embedded Packet Capture on R2]

We will send a ping from R1 to R3 and capture these packets on R2. We can then export the captured packets to the TFTP server at 192.168.23.200. Here’s what the configuration looks like:

R2#monitor capture ?
  buffer  Control Capture Buffers
  point   Control Capture Points

We use the monitor capture command in privileged mode. I’ll start with the configuration of the capture buffer:

R2#monitor capture buffer ?
  WORD  Name of the Capture Buffer

First we have to think of a name, I’ll call my capture buffer “CAPTURE”:

R2#monitor capture buffer CAPTURE ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  size      Packet Dump buffer size (in Kbytes)

There’s a list of options. Let’s configure the size of our capture buffer:

R2#monitor capture buffer CAPTURE size ?
  <256-102400>  Buffer size in Kbytes : 102400K or less (default is 1024K)

The capture buffer is stored in DRAM so select whatever size you feel is appropriate. You can also specify the maximum size of a single packet:

R2#monitor capture buffer CAPTURE size 8192 max-size 2048 ?
  circular  Circular Buffer
  linear    Linear Buffer(Default)

I’ll use a capture buffer of 8192K and a single packet has a maximum size of 2048K. The last thing we have to decide is if we want to use a circular or linear buffer. The linear buffer will stop capturing once the buffer is full while the circular buffer keeps capturing and deletes the oldest packets from the buffer. Let’s go for the circular buffer:

R2#monitor capture buffer CAPTURE size 8192 max-size 2048 circular

Instead of capturing all traffic, we’ll use a filter that only captures traffic from 192.168.12.1 to 192.168.23.3. Here’s how to configure it:

R2(config)#ip access-list extended PACKET_FILTER
R2(config-ext-nacl)#permit ip host 192.168.12.1 host 192.168.23.3

R2#monitor capture buffer CAPTURE filter access-list PACKET_FILTER
Filter Association succeeded

This attaches the access-list to our capture buffer. That’s all we have to do for the capture buffer so let’s configure the capture point so the router knows where to capture traffic:

R2#monitor capture point ?
  associate     Associate capture point with capture buffer
  disassociate  Dis-associate capture point from capture buffer
  ip            IPv4
  ipv6          IPv6
  start         Enable Capture Point
  stop          Disable Capture Point

Here you can see some of our options. Let’s select IPv4:

R2#monitor capture point ip ?
  cef               IPv4 CEF
  process-switched  Process switched packets

Here you have to decide between CEF and process-switched packets. CEF is enabled by default so let’s go with that. Now we can choose the interface:
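The lesson stops here, so the complete command sequence from buffer to export is given below as an added example; it is not part of the original lesson. It reuses the buffer name CAPTURE, the ACL PACKET_FILTER and the TFTP server 192.168.23.200 from the text above, while the capture point name CAPTURE_POINT, the interface FastEthernet0/0, the direction keyword both and the export filename CAPTURE.pcap are assumptions you should replace with your own values. Note that the command help at the top of this lesson says max-size is in bytes, so 2048 is a per-packet limit of 2048 bytes.

```cisco
! 1. Capture buffer: 8192 KB of DRAM, at most 2048 bytes kept per packet
!    (max-size is in bytes according to the command help), circular so the
!    oldest packets are overwritten instead of the capture stopping.
R2#monitor capture buffer CAPTURE size 8192 max-size 2048 circular

! 2. Filter: an extended ACL selects what enters the buffer. A single permit
!    line matches one direction only; the reverse line is an assumed addition
!    if you also want the echo replies from R3 back to R1.
R2#configure terminal
R2(config)#ip access-list extended PACKET_FILTER
R2(config-ext-nacl)#permit ip host 192.168.12.1 host 192.168.23.3
R2(config-ext-nacl)#permit ip host 192.168.23.3 host 192.168.12.1
R2(config-ext-nacl)#end
R2#monitor capture buffer CAPTURE filter access-list PACKET_FILTER

! 3. Capture point: CEF-switched IPv4 packets on the interface towards R1,
!    in both directions (assumed interface name and direction).
R2#monitor capture point ip cef CAPTURE_POINT FastEthernet0/0 both

! 4. Bind the capture point to the buffer, then start capturing.
R2#monitor capture point associate CAPTURE_POINT CAPTURE
R2#monitor capture point start CAPTURE_POINT

! ... send the ping from R1 to R3 now ...

! 5. Stop, verify what was captured, and export the buffer as a PCAP file.
R2#monitor capture point stop CAPTURE_POINT
R2#show monitor capture point all
R2#show monitor capture buffer CAPTURE parameters
R2#show monitor capture buffer CAPTURE dump
R2#monitor capture buffer CAPTURE export tftp://192.168.23.200/CAPTURE.pcap

! 6. Clean-up: release the buffer and free the DRAM once the file is exported.
R2#monitor capture point disassociate CAPTURE_POINT CAPTURE
R2#monitor capture buffer CAPTURE clear
```

The show commands in step 5 are the check to run before trusting a capture: show monitor capture point all confirms the point is associated and stopped, and the parameters view shows how many packets actually landed in the buffer. An empty buffer is usually a filter or switching-path mismatch (the ACL only matching one direction, or the traffic being process-switched rather than CEF-switched) rather than a failed capture. Remember that the export travels over plain TFTP, so only export across a network where an unencrypted copy of the captured packets is acceptable.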

Forum Replies

  1. One thing that puzzles me about EPC is this seemingly artificial choice Cisco has you make between CEF and Process-switched methods. Why not just have it capture everything that traverses the interface in question? For example, I was trying to extend your example (and practice with extended ACLs) so that I would capture only BGP information being exchanged between neighbors. I filtered on TCP 179 in both directions, and even threw in TCP established for good measure. No matter what I did, I would always capture zero packets. The only thing I can think of is

  2. On NX-OS you can use Ethanalyzer:

  3. Hello Rene,

    On a production network, is it possible to crash the router when we capture packets? If yes, how should we know whether it is high risk and we shouldn’t run EPC at all?

    Angelos

  4. Hello Lukas

    The maximum buffer size for the particular device that Rene is using is actually 102400 KB or 102 MB. See the screenshot below:

    //cdn-forum.networklessons.com/uploads/default/original/2X/0/01601e6f02542fceffae581b4746b893e1209c25.png

    Now keep in mind that the buffer is in the RAM of the Cisco device, which is usually not excessively large. The maximum sizes available for buffers will depend on the platform, the IOS and the available memory at the time.

    For this reason, unlike Wireshark, the EPC feature is not designed to run for extensive periods

  5. Hi Laz,

    thanks a lot for your nice explanation :slight_smile:

    Kind regards,

    Lukas