Capture Packets on an ISR Router

With some recent troubleshooting, there was a need to capture packets off a Cisco ISR.  Walking through the steps is small effort, however there are some some notes that can aid with the configuration.

For this example, an ISR G2 is used to capture some traffic flows.  While the Embedded Packet Capture (EPC) has been around since 12.4(20)T for quite some time, it has been a while since it was last personally used.

There are two components to an EPC: the capture buffer and the capture point.   The buffer has a few configuration components and acts simply as a cache of the selected traffic.  The capture point identifies the interface, filtered traffic (optional), and the direction of the capture.

The first thing to verify is to setup and configure the capture buffer.  There are a few configuration parameters that may be helpful to modify from the default configuration.

First is the size of the buffer.  While it will be helpful to limit the scope of the traffic collected, the default buffer size may be smaller than desired.  For this example in a ISR2911, the default is 1024KB.  In the buffer creation screenshot below, 8192KB is selected.  While it may not be expected to capture a significant quantity of data, there does need to be a balance between the buffer size and available memory on the platform.

The second item that may be desired to be modified is the capture overflow method.  The default is linear where the capture will stop when the buffer is full.  If there is the requirement to capture data until the reported scenario occurs, the circular capture may be used.

Lastly, the identification of the desired traffic is needed.  Leveraging an ACL, identify the traffic desired.  If the desired direction of the capture is both directions, the associated ACL will need to reflect this configuration.

Creation and Configuration of the Capture Buffer

Creation and Configuration of the Capture Buffer

Next is the configuration of the capture point where the selection of the interface and switching method is determined.  Determine which interface is desired and in which direction.  While process switch capturing is possible, CEF will be used in this example.

The last step with the capture point is to associate the buffer to capture point.

Capture Point Configuration

Capture Point Configuration

With the capture configured, a capture can begin and stop.

Capturing the Traffic

Capturing the Traffic

After the desired traffic is captured, the data needs to be transferred to a location to opened within Wireshark.  A centralized TFTP server is used below.  While the capture is initialized against the configuration “point”, the buffer contains the data to be reviewed.

Export the Buffer to a TFTP Server

Export the Buffer to a TFTP Server

As an added bonus, if the capture is desired to occur again with the same configuration, make sure to clear the buffer to avoid stale data.  This is especially important if the capture buffer is full with linear configured.

Clearing the Capture Buffer

Clearing the Capture Buffer

Once complete, the capture configuration within the device can be removed.

Capture Configuration Clean-up

Capture Configuration Clean-up

Below is the configuration used to build the monitor buffer and capture.

SBC1#
SBC1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SBC1(config)#ip access-list extended capture-acl
SBC1(config-ext-nacl)# permit ip any host 208.100.39.54
SBC1(config-ext-nacl)# permit ip host 208.100.39.54 any
SBC1(config-ext-nacl)#exit
SBC1(config)#exit
SBC1#
SBC1#monitor capture buffer capture-buffer size ?
  <256-102400>  Buffer size in Kbytes : 102400K or less (default is 1024K)

SBC1#monitor capture buffer capture-buffer size 8192
SBC1#
SBC1#monitor capture buffer capture-buffer circular 
SBC1#
SBC1#monitor capture buffer capture-buffer filter access-list capture-acl
Filter Association succeeded

SBC1#
SBC1#monitor capture point ip cef capture-point gi0/0 both
SBC1#
SBC1#monitor capture point associate capture-point capture-buffer
SBC1#
SBC1#
SBC1#monitor capture point start capture-point 
SBC1#
SBC1#monitor capture point stop capture-point  
SBC1#
SBC1#
SBC1#monitor capture buffer capture-buffer export tftp://tftp.destephen.local/sip-call.pcap
Translating "tftp.destephen.local"...domain server (192.168.2.4) [OK]
!
SBC1#
SBC1#
SBC1#no monitor capture point ip cef capture-point gi0/0 both 
SBC1#no monitor capture buffer capture-buffer
Capture Buffer deleted

SBC1#
SBC1#

 

 

 

The Cisco configuration guide covers both IOS and IOS-XE if needed.

Leave a Reply

Your email address will not be published. Required fields are marked *