Cisco’s Embedded Packet Capture (EPC) allows us to capture packets that flow to, through or from our router. Captures are stored in DRAM on the router where we can see a summary or detailed view of the packet(s). Since the captures are stored in DRAM, they’ll be gone after a reload. Optionally we can export our capture to an external server as a packet capture (PCAP) file so that we can open them with Wireshark.
EPC is available since IOS 12.4(20)T and IOS-XE 15.2(4)S – 3.7.0 or later.
These captures are stored in DRAM and can be exported as capture files so that we can open and analyze them in Wireshark.
To configure EPC we have to do a couple of things:
- Configure a capture buffer: this is where the router stores the packets when they are captured.
- Configure a capture point: this is where we want to capture packets (interface and direction).
- Associate the capture buffer and capture point: this binds our capture buffer to the capture point.
- Start and stop the capture to get some packets.
- View the capture on the router (hex dump) or copy it to an external server so we can open it with Wireshark.
Let’s take a look at how to do this!
To demonstrate this I will use the following topology:
We will send a ping from R1 to R3 and capture these packets on R2. We can then export the captured packets to the TFTP server at 192.168.23.200. Here’s what the configuration looks like:
R2#monitor capture ?
  buffer  Control Capture Buffers
  point   Control Capture Points
We use the monitor capture command in privileged mode. I’ll start with the configuration of the capture buffer:
R2#monitor capture buffer ?
  WORD  Name of the Capture Buffer
First we have to think of a name; I’ll call my capture buffer “CAPTURE”:
R2#monitor capture buffer CAPTURE ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  size      Packet Dump buffer size (in Kbytes)
There’s a list of options. Let’s configure the size of our capture buffer:
R2#monitor capture buffer CAPTURE size ?
  <256-102400>  Buffer size in Kbytes : 102400K or less (default is 1024K)
The capture buffer is stored in DRAM, so select whatever size you feel is appropriate. You can also specify the maximum size of a single packet:
R2#monitor capture buffer CAPTURE size 8192 max-size 2048 ?
  circular  Circular Buffer
  linear    Linear Buffer(Default)
I’ll use a capture buffer of 8192K, and a single packet has a maximum size of 2048 bytes (as the help output shows, size is in kilobytes while max-size is in bytes). The last thing we have to decide is whether we want to use a circular or linear buffer. The linear buffer stops capturing once the buffer is full, while the circular buffer keeps capturing and deletes the oldest packets from the buffer. Let’s go for the circular buffer:
R2#monitor capture buffer CAPTURE size 8192 max-size 2048 circular
Instead of capturing all traffic, we’ll use a filter that only captures traffic from 192.168.12.1 to 192.168.23.3. Here’s how to configure it:
R2(config)#ip access-list extended PACKET_FILTER
R2(config-ext-nacl)#permit ip host 192.168.12.1 host 192.168.23.3

R2#monitor capture buffer CAPTURE filter access-list PACKET_FILTER
Filter Association succeeded
This attaches the access-list to our capture buffer. That’s all we have to do for the capture buffer so let’s configure the capture point so the router knows where to capture traffic:
R2#monitor capture point ?
  associate     Associate capture point with capture buffer
  disassociate  Dis-associate capture point from capture buffer
  ip            IPv4
  ipv6          IPv6
  start         Enable Capture Point
  stop          Disable Capture Point
Here you can see some of our options. Let’s select IPv4:
R2#monitor capture point ip ?
  cef               IPv4 CEF
  process-switched  Process switched packets
Here you have to decide between CEF-switched or process-switched packets. CEF is enabled by default, so let’s go with that. Now we can choose the interface: