There are different ways to capture packets on a Cisco router. When capture is enabled, the router captures the packets it sends and receives. The packets are stored in a buffer in DRAM, so they do not persist through a reload.
IOS Configuration Example
1. Define a 'capture buffer':
monitor capture buffer CAP size 100 max-size 1000 linear
2. Define an Access Control List (ACL) within config mode and apply the filter to the buffer:
ip access-list extended CAP-FILTER
permit ip host 192.x.x.x host 172.x.x.x
permit ip host 172.x.x.x host 192.x.x.x
monitor capture buffer CAP filter access-list CAP-FILTER
3. Define a capture point, which specifies the location where the capture occurs:
monitor capture point ip cef VIEW fastEthernet 0 both
4. Attach the buffer to the capture point:
monitor capture point associate VIEW CAP
5. Start the capture:
monitor capture point start VIEW
6. The capture is now active. Allow collection of the necessary data.
7. Stop the capture:
monitor capture point stop VIEW
8. Examine the capture:
show monitor capture buffer CAP dump
Export the capture:
monitor capture buffer CAP export tftp://10.x.x.x/CAP.pcap
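Once CAP.pcap has been exported, it is worth confirming that both permit lines of CAP-FILTER matched, because a capture that contains only one direction hides half of the conversation. The following is an added example, not part of the original page or Cisco tooling: it reads a classic pcap file and counts packets per direction between the two filter hosts, plus records that were stored shorter than their original length. The host addresses, the sample capture and the Ethernet link type are assumptions constructed for the example.

```python
import struct
from ipaddress import IPv4Address

HOST_A, HOST_B = "192.0.2.10", "172.16.0.20"   # constructed stand-ins for the ACL hosts

def summarize_pcap(data, host_a, host_b):
    """Tally IPv4 packets per direction between two hosts in a classic pcap."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                                # written little-endian
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                                # written big-endian
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:                            # assumption: Ethernet framing
        raise ValueError(f"unsupported link type {linktype}")
    a, b = IPv4Address(host_a).packed, IPv4Address(host_b).packed
    stats = {"a_to_b": 0, "b_to_a": 0, "other": 0, "truncated": 0}
    off = 24                                     # first record follows the global header
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if incl < orig:                          # packet was cut short when stored
            stats["truncated"] += 1
        key = "other"
        # 14-byte Ethernet header, EtherType 0x0800 = IPv4, addresses at IP offset 12
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            pair = (frame[26:30], frame[30:34])
            key = {(a, b): "a_to_b", (b, a): "b_to_a"}.get(pair, "other")
        stats[key] += 1
    return stats

def _frame(src, dst, payload_len):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + bytes(payload_len)

def build_sample(snaplen=1000):
    """Constructed capture: two A->B packets (one oversized), one B->A, one unrelated."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for src, dst, plen in [(HOST_A, HOST_B, 20), (HOST_A, HOST_B, 1200),
                           (HOST_B, HOST_A, 0), ("192.0.2.99", HOST_B, 0)]:
        f = _frame(src, dst, plen)
        out += struct.pack("<IIII", 0, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

if __name__ == "__main__":
    print(summarize_pcap(build_sample(), HOST_A, HOST_B))
```

A zero in either direction counter on a real export suggests that one of the two permit lines is missing or wrong, and a non-zero "other" count means the filter was not applied to the buffer.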
IOS-XE Configuration Example
The Embedded Packet Capture feature was introduced in Cisco IOS-XE Release 3.7 – 15.2(4)S. The capture configuration differs from Cisco IOS because it adds more features.
1. Define the location where the capture will occur:
monitor capture CAP interface GigabitEthernet0/0/1 both
2. Associate a filter. It may be specified inline, or an ACL or class-map can be referenced:
monitor capture CAP match ipv4 protocol tcp any any
3. Start the capture:
monitor capture CAP start
4. The capture is now active. Allow it to collect the necessary data.
5. Stop the capture:
monitor capture CAP stop
6. Examine the capture in a summary view:
show monitor capture CAP buffer brief
7. Examine the capture in a detailed view:
show monitor capture CAP buffer detailed
8. In addition, export the capture in PCAP format for further analysis:
monitor capture CAP export ftp://10.x.x.x/CAP.pcap