There are different ways to capture packets on a Cisco router. When enabled, the router captures the packets sent and received. The packets are stored within a buffer in DRAM and are thus not persistent through a reload.

IOS Configuration Example

1. Define a ‘capture buffer’:

    monitor capture buffer CAP size 100 max-size 1000 linear

2. Define an Access Control List (ACL) within config mode and apply the filter to the buffer:

    ip access-list extended CAP-FILTER
    permit ip host 192.x.x.x host 172.x.x.x
    permit ip host 172.x.x.x host 192.x.x.x

    monitor capture buffer CAP filter access-list CAP-FILTER

3. Define a capture point, which sets the location where the capture occurs:

    monitor capture point ip cef VIEW fastEthernet 0 both

4. Attach the buffer to the capture point:

    monitor capture point associate VIEW CAP

5. Start the capture:

    monitor capture point start VIEW

6. The capture is now active. Allow collection of the necessary data.

7. Stop the capture:

    monitor capture point stop VIEW

8. Examine the capture:

    show monitor capture buffer CAP dump

Export capture:

    monitor capture buffer CAP export tftp://10.x.x.x/CAP.pcap
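
Once CAP.pcap has been exported, the file can be checked offline to confirm that the buffer only holds traffic between the two hosts permitted by CAP-FILTER. The script below is an added example, not part of the original procedure; it assumes a classic PCAP file with untagged Ethernet frames, and the host addresses and sample packets are constructed stand-ins.

```python
import ipaddress
import struct

# Constructed stand-ins for the masked 192.x.x.x / 172.x.x.x hosts in CAP-FILTER
# (assumption: substitute the real addresses from your ACL).
HOST_A = ipaddress.ip_address("192.0.2.10")
HOST_B = ipaddress.ip_address("172.16.0.20")
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic PCAP byte orders

def read_pcap(data):
    """Yield each captured frame from a classic (non-pcapng) PCAP byte string."""
    endian = MAGIC.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic PCAP file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        yield frame
        offset += 16 + incl_len

def ipv4_pair(frame):
    """Return (src, dst) of an untagged Ethernet/IPv4 frame, or None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])

def audit(data):
    """Return (frames matching the ACL host pair, frames outside it)."""
    allowed = {(HOST_A, HOST_B), (HOST_B, HOST_A)}
    pairs = [ipv4_pair(frame) for frame in read_pcap(data)]
    matched = sum(1 for pair in pairs if pair in allowed)
    return matched, len(pairs) - matched

def sample_pcap(pairs):
    """Build a constructed PCAP: one header-only Ethernet/IPv4 frame per (src, dst)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in pairs:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, src.packed, dst.packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(audit(sample_pcap([(HOST_A, HOST_B), (HOST_B, HOST_A), (HOST_A + 1, HOST_B)])))
```

To check a real export, pass the file contents instead of the sample, for example `audit(open("CAP.pcap", "rb").read())`.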

IOS-XE Configuration Example

The Embedded Packet Capture feature was introduced in Cisco IOS-XE Release 3.7 – 15.2(4)S. The capture is configured differently than in Cisco IOS, as it adds more features.

1. Define the location where the capture will occur:

    monitor capture CAP interface GigabitEthernet0/0/1 both

2. Associate a filter. It may be specified inline, or an ACL or class-map can be referenced:

    monitor capture CAP match ipv4 protocol tcp any any

3. Start the capture:

    monitor capture CAP start

4. The capture is now active. Allow it to collect the necessary data.

5. Stop the capture:

    monitor capture CAP stop

6. Examine the capture in a summary view:

    show monitor capture CAP buffer brief

7. Examine the capture in a detailed view:

    show monitor capture CAP buffer detailed

8. In addition, export the capture in PCAP format for further analysis:

    monitor capture CAP export ftp://10.x.x.x/CAP.pcap