Embedded Packet Capture, or EPC, gives you the ability to capture packets flowing through the Router, and from the Switch. After the capture is complete it can be analyzed locally by saving it, or off box by exporting it so you can analyze it using your favorite tool such as Ethereal or Wireshark. The ability to utilize Embedded Packet Capture directly on the Router greatly simplifies the overall packet capture process by allowing devices to become active participants in the management and operation of the network. This feature facilitates troubleshooting by gathering information about the packet format. It also facilitates application analysis and security.

Features & Benefits

  • The ability to capture both IPv4 & IPv6 packets in the Cisco Express Forwarding path
  • Available in IOS version 12.4(20)T and later
  • A flexible method for specifying the capture buffer size and type
  • The ability to display the contents of the capture locally on the Switch itself
  • The ability to export the packets in the PCAP format to view with Ethereal or Wireshark
  • Capture Interfaces include physical interfaces, sub-interfaces, and tunnel interfaces.

If you’ve ever spent any time capturing packets on an ASA Firewall then this isn’t going to be all that much different. For that matter, there are a lot of similarities between the two. Let’s start off by creating the capture buffer that we will use throughout the configuration. When I create buffers I usually like to start or finish between 1024 and 2048, but you can set up your buffer however you like. I’m going to use the name BUF, but you can make up any name you want within reason.

RTR#monitor capture buffer BUF size 2048 max-size 4096 circular

Now that the buffer has been created, let’s move on to the creation of an ACL for the capture. This is optional, but whenever I create captures on the ASA I always prefer to use an ACL when I can, so I’m going to do the same in the following example. The ACL will isolate packets destined to and from the Server with the IP address 172.16.1.20 through the Router’s GigabitEthernet LAN Interface.

RTR#configure terminal
RTR(config)#ip access-list extended SERVER
RTR(config-ext-nacl)#permit ip host 172.16.1.20 any log
RTR(config-ext-nacl)#permit ip any host 172.16.1.20 log
RTR(config-ext-nacl)#end
RTR#

Now that we have an ACL created for the Server, let’s associate it with the buffer BUF.

RTR#monitor capture buffer BUF filter access-list SERVER

Now that we have the ACL and Buffer in place, let’s move on to the Capture Point itself. In this example the Server is located behind the Router’s GigabitEthernet Interface 0/0/0. I’ll create a capture point called CAP in both directions for the Server.

Available Capture Points

  • IPv4 CEF Interrupt Path with Input / Output Interface
  • IPv6 CEF Interrupt Path with Input / Output Interface

RTR#monitor capture point ip cef CAP GigabitEthernet0/0/0 both

At this point we need to associate the Capture Buffer that was created earlier with the Capture Point.

RTR#monitor capture point associate CAP BUF

Now that the capture point CAP has been associated with the capture buffer BUF we can start the capture.

RTR#monitor capture point start CAP

If you haven’t already noticed, most of the configuration for the capture is done outside Global Configuration Mode. With the exception of the ACL I created for the Server, which as I mentioned was optional, all the remaining configuration was done outside of Global Configuration, much like the way debugging works.

At this point we can actually start the embedded packet capture on Router RTR.

RTR#
RTR#monitor capture point start CAP
*Dec 5 3:26:31.539: %BUFCAP-6-ENABLE: Capture Point CAP enabled
RTR#

Exporting Your Capture

It’s always a good idea to send the captured packets off box if possible. If you’re going to send your captures off box you might want to consider increasing your buffer size as well. I like to capture locally when I can via FTP, but for this example I’m going to use TFTP.

RTR#monitor capture buffer BUF export tftp://172.16.1.82/Capture.pcap
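
Before opening the exported file in Wireshark, it is worth checking that the ACL filter and buffer settings captured what you intended. The following is an added example, not part of the original post: a small Python parser for the classic PCAP format that counts records, flags truncated ones (fewer bytes stored than the packet had on the wire), and counts IPv4 packets that do not involve the Server address. It assumes an Ethernet link type, and the function names and the constructed SAMPLE bytes stand in for a real Capture.pcap.

```python
import socket
import struct

SERVER = "172.16.1.20"  # server address from the post's ACL

def read_pcap(data):
    """Yield (incl_len, orig_len, frame) for each record of a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("this example only handles Ethernet (link type 1)")
    off = 24  # records start after the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        yield incl, orig, data[off + 16:off + 16 + incl]
        off += 16 + incl

def audit(data, server=SERVER):
    """Count records, truncated records, and IPv4 packets not involving server."""
    stats = {"packets": 0, "truncated": 0, "unexpected": 0}
    for incl, orig, frame in read_pcap(data):
        stats["packets"] += 1
        if incl < orig:  # record holds fewer bytes than the packet had on the wire
            stats["truncated"] += 1
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # EtherType IPv4
            src = socket.inet_ntoa(frame[26:30])
            dst = socket.inet_ntoa(frame[30:34])
            if server not in (src, dst):
                stats["unexpected"] += 1
    return stats

def make_frame(src, dst, payload_len):
    """Constructed Ethernet + IPv4 frame; only EtherType and addresses are set."""
    ip = b"\x45" + b"\x00" * 11 + socket.inet_aton(src) + socket.inet_aton(dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def make_record(frame, snaplen=68):
    cap = frame[:snaplen]  # keep at most snaplen bytes, as a capture would
    return struct.pack("<IIII", 0, 0, len(cap), len(frame)) + cap

# Constructed sample (not real traffic): global header plus three records.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 68, 1) + b"".join([
    make_record(make_frame("172.16.1.20", "10.0.0.5", 10)),   # from the server
    make_record(make_frame("10.0.0.5", "172.16.1.20", 200)),  # to server, truncated
    make_record(make_frame("10.0.0.9", "10.0.0.5", 10)),      # should not be here
])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real export, pass the file contents instead of the sample: `audit(open("Capture.pcap", "rb").read())`.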

What an awesome feature for Cisco to include natively in the IOS on the Router. The ability to capture and export directly on the Router makes packet analysis so much easier. This packet capture functionality can also be found in NX-OS, and ASA IOS as well.

I hope you found this post on Embedded Packet Capture helpful and informative. Be sure to let me know what you think by leaving suggestions and feedback in the comments section below. You can find out more about these and other articles by checking out recent posts and archives. To learn more about me be sure to check out the About page. And as always thanks again for visiting The Packet.