Embedded Packet Capture (EPC) is a Cisco proprietary feature and an immensely useful one. It lets you capture traffic passing through any interface of a router, or through all of them, straight from the CLI and without a SPAN port or an external tap. For this use case we captured on Vlan1. To use the feature you must be running specific versions of code: for IOS, 12.4(20)T or later; for IOS-XE, 3.7.0S (the release based on IOS 15.2(4)S) or later. Bear in mind that the capture buffer and the exported file hold the full contents of every packet, including any cleartext credentials that crossed the interface, so handle them as sensitive data.
Set Up a Packet Capture Buffer
First set up your packet capture buffer. This is where the traffic will be stored. Keep in mind this is merely a buffer in memory. The buffer is not associated with a file. We will show you how to move the contents of the buffer to a file later in this procedure.
The command below specifies a linear buffer of 4 MB (the size argument is in kilobytes). A linear buffer fills from byte 0 and continues until it reaches the 4 MB limit; once the buffer is full the capture stops collecting traffic.
We could also have specified a circular buffer. A circular buffer also fills from byte 0, but once it reaches the 4 MB limit it wraps and begins writing at byte 0 again, so traffic is collected in a loop and previously recorded packets are overwritten. Circular is the right choice when you are waiting for an intermittent event and only care about the most recent traffic; linear is the right choice when the first packets must not be lost. Note that we specified a max-size of 1518 bytes. This is not a filter on packet size but the number of bytes saved per packet: longer packets are truncated to 1518 bytes in the buffer. The default is only 68 bytes, enough for the headers but not the payload, so set it explicitly whenever you expect to inspect full frames in Wireshark.
# Cisco IOS Command 15.1(4)M5 monitor capture buffer CAPTURE_BUFFER size 4096 max-size 1518 linear
Set Up a Packet Capture Point
We need to create a capture point in the router. A capture point can be any physical or logical interface in the router, and you can also capture globally so that traffic on every interface is collected. Note that we are collecting this traffic on Vlan 1 and at both ingress and egress. Note also that an ip cef capture point only sees IPv4 packets that are CEF switched; packets that are punted to the CPU and process switched, which includes much of the traffic to and from the router itself, are not seen by it and need a process-switched capture point instead.
# Cisco IOS Command 15.1(4)M5 monitor capture point ip cef CAPTURE_POINT VLAN1 both
Associate the Capture Point with the Capture Buffer
In order to run a packet capture you must associate the capture point with the capture buffer.
# Cisco IOS Command 15.1(4)M5 monitor capture point associate CAPTURE_POINT CAPTURE_BUFFER
Start the Packet Capture
# Cisco IOS Command 15.1(4)M5 monitor capture point start CAPTURE_POINT
Show the Packet Capture Point
# Cisco IOS Command 15.1(4)M5 show monitor capture point CAPTURE_POINT
Show the Packet Capture Buffer
The output shows the buffer definition (size, max-size, linear or circular) together with the current packet count and the associated capture point, so it is worth a look before starting the capture to confirm that everything is wired together as intended.
# Cisco IOS Command 15.1(4)M5 show monitor capture buffer CAPTURE_BUFFER parameters
Looking at Buffer Packet Count
The first command lists the captured packets one per line; the second pulls just the packet counter out of the parameters output, which is the quickest way to confirm that the capture is actually collecting traffic.
# Cisco IOS Command 15.1(4)M5 show monitor capture buffer CAPTURE_BUFFER
# Cisco IOS Command 15.1(4)M5 show monitor capture buffer CAPTURE_BUFFER parameters | include Packets
Dump the Contents of the Packet Capture Buffer
This command prints every packet in the buffer as a raw hex dump. It is handy for a quick look at what was captured, but for anything beyond a handful of packets export the buffer and open it in Wireshark.
# Cisco IOS Command 15.1(4)M5 show monitor capture buffer CAPTURE_BUFFER dump
Stop the Packet Capture
# Cisco IOS Command 15.1(4)M5 monitor capture point stop CAPTURE_POINT
Export the Capture Buffer to Flash:
The export is written in libpcap format whatever you call the file, but give it a filename that ends in .pcap so that Wireshark recognises it as a packet capture when you open it. Writing to flash: first, rather than straight to a remote destination, also lets you confirm the file and its size before it leaves the router.
# Cisco IOS Command 15.1(4)M5 monitor capture buffer CAPTURE_BUFFER export flash:capture.pcap
View the Contents of Flash:
View the contents of Flash: and verify that the file you used as part of the export exists.
# Cisco IOS Command 15.1(4)M5 show flash:
Copy the Capture File From Flash: to an FTP Server
Once the file is on a workstation you can open it in Wireshark. Two cautions: FTP carries both your login and the file in cleartext, and the file itself holds the full payload of every captured packet, so use an SCP destination instead where the router image and workstation support it, and keep the transfer on the management network. After the transfer, compare a hash of the workstation copy with the one the router reports for the file in flash to make sure nothing was corrupted in transit. When you are finished, remove the capture point and buffer and delete the file from flash; otherwise the captured traffic stays resident in router memory and on disk.
# Cisco IOS Command 15.1(4)M5 copy flash:capture.pcap ftp:
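Before trusting the transferred file, it pays to check that it really is a complete libpcap file and to see how many packets were cut short by the buffer's max-size. The following Python script is an added example and is not part of the original article or of any Cisco tooling. It parses the pcap global and record headers, flags truncated packets, summarises the IPv4 endpoints in each frame, and prints MD5 and SHA-256 digests of the file so the workstation copy can be compared with what the router reports for flash:capture.pcap. The capture bytes built inside the script (SAMPLE_PCAP, addresses in 10.0.0.0/8 and 192.0.2.0/24) are constructed test data, not a real export; pass the path of your own .pcap as the first argument to check that instead.

```python
"""Check an Embedded Packet Capture export before opening it in Wireshark.

Added example, not code from the original article or from Cisco: parses the
libpcap file written by `monitor capture buffer ... export`, flags packets cut
short by the buffer's max-size, and hashes the file for comparison with the
router's `verify /md5 flash:capture.pcap`. SAMPLE_PCAP is constructed test data.
"""
import hashlib
import struct
from typing import Dict, List, Optional

# The first four bytes, read little-endian, give the file's byte order and timestamp unit.
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),          # microseconds
    0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000),  # nanoseconds
}
LINKTYPE_ETHERNET = 1


def summarize_frame(frame: bytes) -> str:
    """One-line description of an Ethernet frame (IPv4 endpoints when present)."""
    if len(frame) < 14:
        return f"runt frame ({len(frame)} bytes)"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800 and len(frame) >= 34:
        proto = frame[23]  # IPv4 protocol field sits 9 bytes into the IP header
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        return f"IPv4 {src} -> {dst} proto {proto}"
    return f"ethertype 0x{ethertype:04x}"


def parse_pcap(data: bytes) -> Dict:
    """Parse a libpcap file; a ValueError means the export or the transfer is not intact."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x})")
    endian, ts_div = PCAP_MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unexpected pcap version {major}.{minor}")
    records: List[Dict] = []
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError(f"record header cut off at byte {offset}")
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + caplen]
        if len(frame) != caplen or caplen > snaplen or caplen > origlen:
            raise ValueError(f"inconsistent record at byte {offset}")
        offset += 16 + caplen
        records.append({
            "time": ts_sec + ts_frac / ts_div, "caplen": caplen, "len": origlen,
            "summary": summarize_frame(frame) if linktype == LINKTYPE_ETHERNET else f"linktype {linktype}",
        })
    return {
        "byte_order": "little" if endian == "<" else "big", "snaplen": snaplen, "linktype": linktype,
        "packets": len(records),
        "truncated": sum(1 for r in records if r["caplen"] < r["len"]),  # max-size was too small for these
        "records": records,
    }


def file_digests(data: bytes) -> Dict[str, str]:
    """MD5 (to compare with IOS `verify /md5`) and SHA-256 of the whole file."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


# --- constructed sample: three frames such as a small Vlan1 export might contain ---
def _ipv4_frame(src: str, dst: str, proto: int, total: int) -> bytes:
    """Ethernet + IPv4 header with a zero payload, padded to `total` bytes (test data only)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total - 14, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return (eth + ip).ljust(total, b"\x00")


def _record(frame: bytes, ts: int, caplen: Optional[int] = None) -> bytes:
    """Little-endian pcap record header plus the (possibly truncated) frame."""
    caplen = len(frame) if caplen is None else caplen
    return struct.pack("<IIII", ts, 0, caplen, len(frame)) + frame[:caplen]


SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1518, LINKTYPE_ETHERNET)
    + _record(_ipv4_frame("10.0.0.10", "10.0.0.1", 1, 98), 1700000000)            # ICMP echo
    + _record(_ipv4_frame("10.0.0.1", "10.0.0.10", 1, 98), 1700000000)            # echo reply
    + _record(_ipv4_frame("10.0.0.10", "192.0.2.5", 6, 2000), 1700000001, 1518)  # jumbo TCP, cut at max-size
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    report = parse_pcap(data)
    print(f"{report['packets']} packets, {report['truncated']} truncated by max-size, "
          f"snaplen {report['snaplen']}, linktype {report['linktype']}, {report['byte_order']}-endian")
    for rec in report["records"]:
        flag = "  (truncated)" if rec["caplen"] < rec["len"] else ""
        print(f"  {rec['time']:.6f}  {rec['caplen']:>5}/{rec['len']:<5}  {rec['summary']}{flag}")
    for name, digest in file_digests(data).items():
        print(f"{name}: {digest}")
```

On the router, verify /md5 flash:capture.pcap prints the reference digest to compare against the md5 line; a mismatch means the copy, not the capture, is at fault. A non-zero truncated count tells you the buffer's max-size was smaller than some packets, which is exactly what the default of 68 bytes produces, and a ValueError on a file that the router exported cleanly points at an incomplete transfer.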
Further Reading from Cisco
- Embedded Packet Capture in IOS and IOS-XE
- Packet Capture Config Generator and Analyzer
- Support and Downloads
- IOS XR Software
- NX-OS Software
- 4000 Series Integrated Services Routers
- ASR 900 Series Aggregation Routers