Cisco IOS routers have a built-in sniffer. It is called EPC (Embedded Packet Capture).
The capture is stored in PCAP format (tcpdump format), so after capturing you can analyze the packets with Wireshark, submit the file to dsniff, etc. 😉
IOS has to be 12.4(20) or higher.
The captured packets are stored in DRAM.
Please see the Cisco manual for more information and limitations.
In this tutorial, I'll show how to use this feature and apply a filter to capture specific packets.
Let's start...
On the Cisco router, in configuration mode, create a filter.
ROUTER(config)# ip access-list extended POP_CAP
ROUTER(config-ext-nacl)# permit tcp any any eq 110
Afterwards, LEAVE configuration mode and create a buffer:
# monitor capture buffer ciscobuffer size 512 max-size 1024 circular
# monitor capture buffer ciscobuffer filter access-list POP_CAP
# monitor capture point ip cef thepoint f0/0 in
# monitor capture point associate thepoint ciscobuffer
Brief analysis:
Created a buffer named "ciscobuffer" with size 512, a max packet size of 1024, and of type CIRCULAR.
A circular buffer overwrites the oldest packets when the limit is reached.
The filter created previously was applied to the buffer.
A capture point named "thepoint" was created on the router's first interface "f0/0" for "in" (inbound traffic),
and the point was associated with the buffer 🙂
Now it's time to start the capture:
# monitor capture point start thepoint
You can see the details of the capture by typing:
# show monitor capture buffer all param
Now stop the capture:
# monitor capture point stop thepoint
To analyze the captured packets, export the buffer:
# monitor capture buffer ciscobuffer export scp://knight@10.20.30.40:/captured.cap
Now clear all:
# monitor capture buffer ciscobuffer clear
# monitor capture point disassociate thepoint
# no monitor capture point ip cef thepoint f0/0 in
# no monitor capture buffer ciscobuffer
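After exporting, it is worth confirming that the file really contains only what the ACL permits before handing it to Wireshark or dsniff. The script below is an added example and not part of the original post: it parses a tcpdump-format file using only the Python standard library, pulls the TCP ports out of every IPv4 packet, and counts packets that match permit tcp any any eq 110 against those that do not. The sample pcap is constructed inline and assumes the export uses Ethernet link type 1; replace SAMPLE_PCAP with the bytes of captured.cap to check a real export.

```python
import struct

# Constructed sample: a tcpdump/pcap 2.4 file holding three Ethernet/IPv4/TCP frames.
def _frame(src_port, dst_port):
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 20, 30, 1]), bytes([10, 20, 30, 2]))
    return eth + ip + tcp

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([_frame(40000, 110), _frame(40001, 80), _frame(110, 40000)])

def tcp_ports(data):
    """Yield (src_port, dst_port) for every Ethernet/IPv4/TCP packet in a pcap blob."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # little-endian header (what most writers produce)
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue          # not IPv4, or not TCP
        tcp_off = 14 + (pkt[14] & 0x0F) * 4  # IHL gives the IPv4 header length
        if len(pkt) >= tcp_off + 4:
            yield struct.unpack("!HH", pkt[tcp_off:tcp_off + 4])

def check_filter(data, port=110):
    """Mirror 'permit tcp any any eq 110': count packets whose TCP destination port is `port`."""
    matching = other = 0
    for _, dst in tcp_ports(data):
        if dst == port:
            matching += 1
        else:
            other += 1
    return matching, other

if __name__ == "__main__":
    print("matching / non-matching:", check_filter(SAMPLE_PCAP))
```

Because eq 110 follows the destination any, the ACL matches only the client-to-server direction; the third constructed frame (source port 110, a server reply) is reported as non-matching, which is why a filter like this one will not show POP3 responses unless a second entry for the reverse direction is added.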
Mission accomplished.
Like it? Please comment and leave a suggestion for this blog.
Coming soon: RSS feed