Capture Packets at Cisco IOS

Cisco IOS routers have a built-in sniffer. It is called EPC (Embedded Packet Capture).
The capture is stored in PCAP (tcpdump) format, so after capturing you can analyze the packets with Wireshark, feed the file to dsniff, etc. 😉
The router must be running IOS 12.4(20)T or later.
Captured packets are held in DRAM, so the buffer is limited by the router's free memory and the capture is lost if the router reloads before you export it.
Please see the Cisco documentation for more information and limitations.

In this tutorial, I'll show how to use this feature and apply a filter to capture only specific packets.

Let’s start …

On the Cisco router, in configuration mode, create a filter (an extended ACL matching POP3, TCP port 110):

ROUTER(config)# ip access-list extended POP_CAP
ROUTER(config-ext-nacl)# permit tcp any any eq 110

Then LEAVE configuration mode and create a buffer. The monitor capture commands are privileged EXEC commands, not configuration commands, so they are not saved in the running config:

# monitor capture buffer ciscobuffer size 512 max-size 1024 circular
# monitor capture buffer ciscobuffer filter access-list POP_CAP
# monitor capture point ip cef thepoint f0/0 in
# monitor capture point associate thepoint ciscobuffer

Brief analysis:

A buffer named "ciscobuffer" was created with a size of 512 KB, a max-size of 1024 bytes (the number of bytes kept from each packet; anything longer is truncated, and the default of 68 bytes is enough for headers but not for payload) and of type CIRCULAR.
A circular buffer overwrites the oldest packets once the limit is reached, whereas a linear buffer simply stops capturing when it is full.
The filter created previously was applied to the buffer, so only packets permitted by the ACL are stored.
A capture point named "thepoint" was created on the router's first interface, "f0/0", for "in" (inbound) traffic in the CEF switching path,
and the point was associated with the buffer 🙂
Note that the ACL matches only packets whose destination port is 110, i.e. the client-to-server half of the session, and the point only sees traffic entering f0/0. To capture the server's replies as well, add a second permit line matching source port 110 and create the point with "both" instead of "in".

Now it's time to start the capture:


# monitor capture point start thepoint

You can see the buffer details (size, packets captured, filter and the capture point associated with it) by typing:


# show monitor capture buffer all param

Now stop the capture:


# monitor capture point stop thepoint

To analyze the captured packets, export the buffer. POP3 sends USER and PASS in cleartext, so the file may contain credentials; export it over an encrypted transport such as scp rather than tftp:


# monitor capture buffer ciscobuffer export scp://knight@10.20.30.40:/captured.cap
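The exported file is a plain pcap, so you do not need Wireshark to triage it. The following is an added example, not code from the original post: a small Python parser that walks an EPC export, pairs each POP3 USER with the PASS that follows it on the same client-to-server flow, and counts records that were cut short by max-size (a truncated PASS line is otherwise easy to miss). The capture it runs on is constructed in memory from made-up frames (the 10.20.30.x addresses, usernames and passwords are assumptions), so it runs offline; pass the path of the real export as the first argument to use it on a capture.

```python
"""Extract POP3 logins from a pcap exported by Cisco IOS EPC (added example)."""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
POP3_PORT = 110


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame. Checksums are left zero; the parser
    below does not verify them, just as a quick triage would not."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames, snaplen=1024):
    """Wrap frames in a little-endian pcap file, truncating each record at
    snaplen the way EPC's max-size does (incl_len < orig_len marks the cut)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        data = frame[:snaplen]
        out += struct.pack("<IIII", 1000 + i, 0, len(data), len(frame)) + data
    return out


def iter_records(pcap):
    """Yield (incl_len, orig_len, data) per record; accepts either byte order."""
    if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", pcap[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield incl, orig, pcap[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != IPPROTO_TCP or len(frame) < 14 + ihl + 20:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    doff = (frame[tcp + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp + doff:]


def extract_pop3_logins(pcap):
    """Pair USER with the following PASS per client flow. Returns (logins, truncated)."""
    pending = {}  # (client, server, client port) -> username awaiting its PASS
    logins, truncated = [], 0
    for incl, orig, frame in iter_records(pcap):
        if incl < orig:
            truncated += 1
        parsed = parse_tcp(frame)
        if parsed is None or parsed[3] != POP3_PORT:  # only client -> server traffic
            continue
        src, dst, sport, _, payload = parsed
        flow = (src, dst, sport)
        for line in payload.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                pending[flow] = arg.decode("ascii", "replace")
            elif cmd.upper() == b"PASS" and flow in pending:
                logins.append({"client": src, "server": dst, "user": pending.pop(flow),
                               "password": arg.decode("ascii", "replace")})
    return logins, truncated


# Constructed sample capture: two POP3 logins plus one server reply (ignored);
# bob's PASS frame is longer than the 1024-byte snaplen and gets truncated.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.20.30.5", "10.20.30.10", 51000, POP3_PORT, b"USER alice\r\n"),
    build_tcp_frame("10.20.30.5", "10.20.30.10", 51000, POP3_PORT, b"PASS hunter2\r\n"),
    build_tcp_frame("10.20.30.10", "10.20.30.5", POP3_PORT, 51000, b"+OK Logged in.\r\n"),
    build_tcp_frame("10.20.30.6", "10.20.30.10", 51001, POP3_PORT, b"USER bob\r\n"),
    build_tcp_frame("10.20.30.6", "10.20.30.10", 51001, POP3_PORT, b"PASS " + b"x" * 2000 + b"\r\n"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    found, cut = extract_pop3_logins(data)
    for entry in found:
        print("%(client)s -> %(server)s  user=%(user)s  pass=%(password)s" % entry)
    print("%d record(s) truncated by max-size" % cut)
```

Server-to-client frames are skipped because the ACL on this page only captures traffic to port 110 anyway; the truncation counter is what tells you to raise max-size and capture again if a password looks cut off.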

Now clean everything up:


# monitor capture buffer ciscobuffer clear
# monitor capture point disassociate thepoint
# no monitor capture point ip cef thepoint f0/0 in
# no monitor capture buffer ciscobuffer

Mission accomplished.

Like it? Please comment and leave a suggestion for this blog.
Coming soon: RSS feed
