
Cisco Embedded Packet Capture

Embedded Packet Capture is a Cisco proprietary feature and an immensely useful command. It allows you to capture network traffic at any point within a router. For this use case we captured on Vlan1. To use the feature you must be running specific versions of code: for IOS, 12.4(20)T or later; for IOS-XE, 15.2(4)S – 3.7.0 or later.


Set Up a Packet Capture Buffer

First set up your packet capture buffer. This is where the traffic will be stored. Keep in mind this is merely a buffer in memory. The buffer is not associated with a file. We will show you how to move the contents of the buffer to a file later in this procedure.

The command below specifies a linear buffer of 4 MB in size. A linear buffer collects traffic beginning at byte 0 until it reaches the 4 MB limit. Once 4 MB has been collected the packet capture stops collecting traffic.

We could also have run the command with a circular buffer. A circular buffer collects traffic beginning at byte 0; once the buffer is full and has reached the 4 MB limit it wraps and begins collecting at byte 0 again. Traffic is collected in a loop, and previously recorded traffic is overwritten. Note that we specified a max-size of 1518 bytes. This is the maximum packet size to collect.

# Cisco IOS Command 15.1(4)M5
monitor capture buffer CAPTURE_BUFFER size 4096 max-size 1518 linear

Set Up a Packet Capture Point

We need to create a capture point in the router. A capture point can be any physical or logical interface in the router. You can also collect data globally so that all traffic on all interfaces is collected. Note that we are collecting this traffic on Vlan1 in both the ingress and egress directions.

# Cisco IOS Command 15.1(4)M5
monitor capture point ip cef CAPTURE_POINT VLAN1 both

Associate the Capture Point with the Capture Buffer

In order to run a packet capture you must associate the capture point with the capture buffer.

# Cisco IOS Command 15.1(4)M5
monitor capture point associate CAPTURE_POINT CAPTURE_BUFFER

Start the Packet Capture

# Cisco IOS Command 15.1(4)M5
monitor capture point start CAPTURE_POINT

Show the Packet Capture Point

# Cisco IOS Command 15.1(4)M5
show monitor capture point CAPTURE_POINT

Show the Packet Capture Buffer

Although generally of little use, this command shows the capture buffer definition.

# Cisco IOS Command 15.1(4)M5
show monitor capture buffer CAPTURE_BUFFER parameters

Looking at Buffer Packet Count

# Cisco IOS Command 15.1(4)M5
show monitor capture buffer CAPTURE_BUFFER

or

# Cisco IOS Command 15.1(4)M5
show monitor capture buffer CAPTURE_BUFFER parameters | include Packets

Dump the Contents of the Packet Capture Buffer

Using this command you can see what is contained in the capture buffer, in its raw format.

# Cisco IOS Command 15.1(4)M5
show monitor capture buffer CAPTURE_BUFFER dump

Stop the Packet Capture

# Cisco IOS Command 15.1(4)M5
monitor capture point stop CAPTURE_POINT

Export the Capture Buffer to Flash:

When exporting the contents of the buffer to a file be sure to use a filename that ends in the extension .pcap. This will allow Wireshark to open the file as a packet capture.

# Cisco IOS Command 15.1(4)M5
monitor capture buffer CAPTURE_BUFFER export flash:capture.pcap

View the Contents of Flash:

View the contents of Flash: and verify that the file you used as part of the export exists.

# Cisco IOS Command 15.1(4)M5
show flash:

FTP the Capture File From Flash: to FTP:

Once you’ve FTP’d the file to a workstation you can open the capture file in Wireshark.

# Cisco IOS Command 15.1(4)M5
copy flash:capture.pcap ftp:
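Once the file is on the workstation, a check worth running before opening it in Wireshark is that the export actually produced a well-formed pcap. The Python script below is an added example, not the author's or Cisco's code: it walks the classic pcap global header and packet records, counts the packets, and flags records whose captured length is below the original length (frames that were cut to the snapshot length, which plays the same role as the buffer's max-size above). The sample bytes are constructed inline and are not real router output.

```python
import struct
# pcap magic numbers: microsecond and nanosecond variants, either byte order.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # 0xa1b2c3d4
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # 0xa1b23c4d
}

def parse_pcap(data):
    """Walk a classic pcap file and return a summary; raise ValueError if malformed."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    endian = MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file (magic %s)" % data[:4].hex())
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets = truncated = captured = 0
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("record header cut short at offset %d" % off)
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen:
            raise ValueError("record at offset %d exceeds snaplen %d" % (off, snaplen))
        off += 16
        if off + incl_len > len(data):
            raise ValueError("packet data cut short at offset %d" % off)
        packets += 1
        captured += incl_len
        if incl_len < orig_len:        # frame was cut to the snapshot length
            truncated += 1
        off += incl_len
    return {"version": (major, minor), "linktype": linktype, "snaplen": snaplen,
            "packets": packets, "truncated": truncated, "captured_bytes": captured}

def check_export(data):
    """Return (ok, summary-or-reason) so a script can gate on the result."""
    try:
        return True, parse_pcap(data)
    except ValueError as exc:
        return False, str(exc)

def build_sample_pcap():
    """Constructed sample, not real router output: two Ethernet (linktype 1) records."""
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 1518, 1)
    pkt1 = bytes(60)                                        # full 60-byte frame
    rec1 = struct.pack("<IIII", 1, 0, len(pkt1), len(pkt1)) + pkt1
    pkt2 = bytes(20)                                        # 1600-byte frame cut to 20
    rec2 = struct.pack("<IIII", 2, 0, len(pkt2), 1600) + pkt2
    return hdr + rec1 + rec2
```

To check a real export, read the file in binary mode and pass its bytes to check_export; a False result with the reason tells you the FTP transfer or the export itself was incomplete.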
