Packet Captures with Cisco IOS

NetCraftsmen®

Previous to this addition, network admins had to rely on SPAN ports and capturing traffic on end devices to troubleshoot network problems. Now, network admins can capture packets entering and exiting router interfaces. There are a couple of disappointments with the packet capture. The first is that the configuration is a little difficult to use. There are a number of commands that need to be entered to execute a capture. It would have been nice if there were just one command, similar to tcpdump. The second disappointment is that the ability to view the packets on the router is very limited. In order to get a good view of the packet capture, it is necessary to export the capture file and view it with Wireshark.

I’d like to go through an example of how to use the new packet capture feature. As stated above, there are a number of steps to go through to create the capture. In this example, I will show how to create a 512-Kbyte circular buffer to hold the data and collect the data on the gigabitethernet 0/1 interface.

1. The first step is to create the buffer. In the configuration below I am calling the buffer “buf1”.

monitor capture buffer buf1 size 512 max-size 512 circular

2. The next step is to define which interface will listen for the traffic. This is done by creating a capture point. In the configuration below I am calling the capture point “cap1”. I am setting the capture point to capture IP packets sent and received on gigabitethernet 0/1.

monitor capture point ip cef cap1 gigabitethernet0/1 both

3. The next step is to associate the buffer with the capture point.

monitor capture point associate cap1 buf1

4. The next step is to start the capture.

monitor capture point start cap1

5. After the required data is captured, the capture is stopped.

monitor capture point stop cap1

6. The data can then be viewed with the command below. As you can see in the output shown with the command, there is not a lot of detail given.

show monitor cap buffer buf1 dump
23:50:18.669 EDT Feb 17 2009 : IPv4 LES CEF : Gi0/1 None

499A6280: 00192F06 0C09001B D5FF3C05 08004500 ../…..U.<…E.
499A6290: 008000BA 0000F611 881DAD4F 20284465 …:..v…-O (De
499A62A0: 29B91194 1194006C 00003668 E2340000 )9…..l..6hb4..
499A62B0: 51D5B8B1 90BFB446 3F7011AF 78C98F42 QU81.?4F?p./xI.B
499A62C0: 696F3833 023841E8 5EF6988B C741F5E9 io83.8Ah^v..GAui
499A62D0: 4ACD925F 074DC56C 10B731B2 797F9C03 JM._.MEl.712y…
499A62E0: 28BF4C53 2ADF0EEF AE0F3526 98442EE2 (?LS*_.o..5&.D.b
499A62F0: 5A8C348A 246ABF28 3EFA15CB 11ABF76C Z.4.$j?(>z.K.+wl
499A6300: EC586E86 E802FF30 343BE135 9A0300 lXn.h..04;a5…

7. A better way to view the data is to export it. The data can be exported to another computer. The capture file can then be viewed with Wireshark. The export supports FTP, HTTP, HTTPS, PRAM, RCP, SCP, and TFTP. The example below shows TFTP.

monitor capture buffer buf1 export tftp://192.168.1.10/buf1.pcap
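The dump in step 6 is hard to read by eye, but its rows are regular enough to parse when Wireshark is not at hand. The script below is an added example (not from the original post, and not a Cisco tool): it reassembles the dump rows shown above into bytes, decodes the Ethernet, IPv4 and UDP headers, verifies the IPv4 header checksum, and flags whether the buffer's max-size clipped the packet. It assumes the row layout shown above (address, up to four hex words, then an ASCII column) and that the 'truncated' check can compare the captured bytes against the IP total length field.

```python
import struct
# Rows copied from the "show monitor capture buffer buf1 dump" output above.
DUMP = """\
499A6280: 00192F06 0C09001B D5FF3C05 08004500 ../.....U.<...E.
499A6290: 008000BA 0000F611 881DAD4F 20284465 ...:..v...-O (De
499A62A0: 29B91194 1194006C 00003668 E2340000 )9.....l..6hb4..
499A62B0: 51D5B8B1 90BFB446 3F7011AF 78C98F42 QU81.?4F?p./xI.B
499A62C0: 696F3833 023841E8 5EF6988B C741F5E9 io83.8Ah^v..GAui
499A62D0: 4ACD925F 074DC56C 10B731B2 797F9C03 JM._.MEl.712y...
499A62E0: 28BF4C53 2ADF0EEF AE0F3526 98442EE2 (?LS*_.o..5&.D.b
499A62F0: 5A8C348A 246ABF28 3EFA15CB 11ABF76C Z.4.$j?(>z.K.+wl
499A6300: EC586E86 E802FF30 343BE135 9A0300 lXn.h..04;a5...
"""

def dump_to_bytes(text):
    """Reassemble the frame: each row is '<addr>: up to four hex words <ascii column>'."""
    frame = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].endswith(":"):
            continue  # timestamp line or blank line, not a data row
        for word in tokens[1:5]:  # at most four 32-bit words of data per row
            try:
                frame += bytes.fromhex(word)
            except ValueError:
                break  # reached the ASCII column
    return bytes(frame)

def ipv4_checksum(header):
    """RFC 1071 one's-complement sum of the IPv4 header with its checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(frame):
    """Decode Ethernet II and IPv4 headers (plus UDP/TCP ports) from the captured bytes."""
    mac = lambda b: ":".join("%02x" % x for x in b)
    info = {"dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12]), "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != 0x0800:
        return info
    ip, ihl = frame[14:], (frame[14] & 0x0F) * 4
    total_len, ttl, proto, csum = struct.unpack("!2xH4xBBH", ip[:12])
    info.update(ip_total_length=total_len, ttl=ttl, protocol=proto, checksum_ok=ipv4_checksum(ip[:ihl]) == csum,
                src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])),
                truncated=len(ip) < total_len)  # assumption: EPC clips frames at the buffer's max-size
    if proto in (6, 17) and len(ip) >= ihl + 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info
```

Running `decode_frame(dump_to_bytes(DUMP))` on the rows above yields a UDP/4500 packet whose IPv4 header checksum verifies, which is a quick sanity check that the rows were transcribed intact before trusting the dump.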

Here are some references to use for further information
