During some recent troubleshooting there was a need to capture packets on a Cisco ISR. Walking through the steps is a small effort; however, there are a few notes that can help with the configuration.
For this example, an ISR G2 is used to capture some traffic flows. Embedded Packet Capture (EPC) has been available for quite some time, since 12.4(20)T, but it had been a while since it was last used personally.
There are two components to an EPC: the capture buffer and the capture point. The buffer has a few configuration options and acts simply as a cache of the selected traffic. The capture point identifies the interface, the filtered traffic (optional), and the direction of the capture.
The first step is to set up and configure the capture buffer. There are a few parameters that may be worth changing from their defaults.
First is the size of the buffer. While it is helpful to limit the scope of the traffic collected, the default buffer size may be smaller than desired. For this example on an ISR 2911, the default is 1024KB. In the buffer creation output below, 8192KB is selected. Even when a significant quantity of data is not expected, there needs to be a balance between the buffer size and the memory available on the platform.
The second item that may need to be changed is the buffer overflow behavior. The default is linear, where the capture stops once the buffer is full. If there is a requirement to keep capturing until the reported scenario occurs, a circular buffer may be used instead.
Lastly, the desired traffic needs to be identified. This is done with an ACL that matches the traffic of interest. If the capture is to run in both directions, the ACL will need entries that match traffic in both directions.
Next is the configuration of the capture point, which selects the interface, the direction, and the switching path. Determine which interface is to be captured and in which direction. While process-switched capture is possible, CEF is used in this example.
The last step with the capture point is to associate the buffer with the capture point.
With the capture point configured, the capture can be started and stopped.
After the desired traffic is captured, the data needs to be transferred somewhere it can be opened in Wireshark. A centralized TFTP server is used below. Note that while the capture is started and stopped against the capture "point", it is the buffer that holds the data to be reviewed, so it is the buffer that gets exported.
As an added note, if the capture is to be run again with the same configuration, make sure to clear the buffer first to avoid stale data. This is especially important if the buffer is full and configured as linear.
Once complete, the capture configuration within the device can be removed.
Below is the configuration used to build the monitor buffer and capture.
SBC1#
SBC1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SBC1(config)#ip access-list extended capture-acl
SBC1(config-ext-nacl)# permit ip any host 188.8.131.52
SBC1(config-ext-nacl)# permit ip host 184.108.40.206 any
SBC1(config-ext-nacl)#exit
SBC1(config)#exit
SBC1#
SBC1#monitor capture buffer capture-buffer size ?
  <256-102400>  Buffer size in Kbytes : 102400K or less (default is 1024K)
SBC1#monitor capture buffer capture-buffer size 8192
SBC1#
SBC1#monitor capture buffer capture-buffer circular
SBC1#
SBC1#monitor capture buffer capture-buffer filter access-list capture-acl
Filter Association succeeded
SBC1#
SBC1#monitor capture point ip cef capture-point gi0/0 both
SBC1#
SBC1#monitor capture point associate capture-point capture-buffer
SBC1#
SBC1#
SBC1#monitor capture point start capture-point
SBC1#
SBC1#monitor capture point stop capture-point
SBC1#
SBC1#
SBC1#monitor capture buffer capture-buffer export tftp://tftp.destephen.local/sip-call.pcap
Translating "tftp.destephen.local"...domain server (192.168.2.4) [OK]
!
SBC1#
SBC1#
SBC1#no monitor capture point ip cef capture-point gi0/0 both
SBC1#no monitor capture buffer capture-buffer
Capture Buffer deleted
SBC1#
SBC1#
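As an added check that is not part of the original post: once the buffer has been exported, the stand-alone Python below reads the pcap and reports whether it actually holds traffic in both directions for the host of interest, which catches an ACL that only matches one direction on a capture point configured as "both". The host and peer addresses and the frames are constructed here from TEST-NET ranges; with a real export you would pass the bytes of the downloaded file (sip-call.pcap in the session above) instead.

```python
import struct
from ipaddress import IPv4Address

def build_pcap(frames):
    """Wrap raw Ethernet frames in a minimal little-endian classic pcap (DLT 1)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records

def build_ipv4_frame(src, dst, proto=17):
    """Constructed Ethernet + IPv4 header with no payload; only src/dst matter here."""
    eth = b"\x00" * 12 + b"\x08\x00"            # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip

def iter_frames(pcap):
    """Yield each captured frame from a classic pcap file (either byte order)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("expected Ethernet link type (DLT 1)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def direction_counts(pcap, host):
    """Count IPv4 frames sent to, sent from, or unrelated to the host of interest."""
    counts = {"to_host": 0, "from_host": 0, "other": 0}
    for f in iter_frames(pcap):
        if len(f) < 34 or f[12:14] != b"\x08\x00":   # not an IPv4 frame
            counts["other"] += 1
            continue
        src, dst = str(IPv4Address(f[26:30])), str(IPv4Address(f[30:34]))
        key = "to_host" if dst == host else "from_host" if src == host else "other"
        counts[key] += 1
    return counts

def is_bidirectional(pcap, host):
    c = direction_counts(pcap, host)
    return c["to_host"] > 0 and c["from_host"] > 0

# Constructed sample data (not a real capture): TEST-NET addresses.
HOST, PEER = "192.0.2.10", "198.51.100.7"
BOTH_WAYS = build_pcap([build_ipv4_frame(PEER, HOST), build_ipv4_frame(HOST, PEER),
                        build_ipv4_frame("203.0.113.5", "203.0.113.6")])
ONE_WAY = build_pcap([build_ipv4_frame(PEER, HOST), build_ipv4_frame(PEER, HOST)])
```

`is_bidirectional(ONE_WAY, HOST)` returning False is the signal that the ACL matched only one direction and the capture should be re-run after fixing it (and clearing the buffer).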
The Cisco configuration guide covers both IOS and IOS-XE if further detail is needed.