Packet Captures with Cisco IOS

NetCraftsmen®

Before this addition, network admins had to rely on SPAN ports and capturing traffic on end devices to troubleshoot network problems. Now they can capture packets entering and exiting router interfaces. There are a couple of disappointments with the packet capture. The first is that the configuration is a little difficult to use: a number of commands must be entered to execute a capture, and it would have been nice to have a single command, similar to tcpdump. The second is that the ability to view the packets on the router is very limited. To get a good view of the capture, it is necessary to export the capture file and view it with Wireshark.

I’d like to go through an example of how to use the new packet capture feature. As stated above, there are a number of steps to go through to create the capture. In this example, I will show how to create a 512 Kbyte circular buffer to hold the data and collect the data on the gigabitethernet 0/1 interface.

1. The first step is to create the buffer. In the configuration below I am calling the buffer “buf1”.

monitor capture buffer buf1 size 512 max-size 512 circular

2. The next step is to define which interface will listen for the traffic. This is done by creating a capture point. In the configuration below I am calling the capture point “cap1”. I am setting the capture point to capture IP packets sent and received on gigabitethernet 0/1.

monitor capture point ip cef cap1 gigabitethernet0/1 both

3. The next step is to associate the buffer with the capture point.

monitor capture point associate cap1 buf1

4. The next step is to start the capture.

monitor capture point start cap1

5. After the required data is captured, the capture is stopped.

monitor capture point stop cap1

6. The data can then be viewed with the command below. As you can see in the output of the command, there is not a lot of detail given.

show monitor cap buffer buf1 dump
23:50:18.669 EDT Feb 17 2009 : IPv4 LES CEF : Gi0/1 None

499A6280: 00192F06 0C09001B D5FF3C05 08004500 ../…..U.<…E.
499A6290: 008000BA 0000F611 881DAD4F 20284465 …:..v…-O (De
499A62A0: 29B91194 1194006C 00003668 E2340000 )9…..l..6hb4..
499A62B0: 51D5B8B1 90BFB446 3F7011AF 78C98F42 QU81.?4F?p./xI.B
499A62C0: 696F3833 023841E8 5EF6988B C741F5E9 io83.8Ah^v..GAui
499A62D0: 4ACD925F 074DC56C 10B731B2 797F9C03 JM._.MEl.712y…
499A62E0: 28BF4C53 2ADF0EEF AE0F3526 98442EE2 (?LS*_.o..5&.D.b
499A62F0: 5A8C348A 246ABF28 3EFA15CB 11ABF76C Z.4.$j?(>z.K.+wl
499A6300: EC586E86 E802FF30 343BE135 9A0300 lXn.h..04;a5…

7. A better way to view the data is to export it. The data can be exported to another computer. The capture file can then be viewed with Wireshark. The export supports FTP, HTTP, HTTPS, PRAM, RCP, SCP, and TFTP. The example below shows TFTP.

monitor capture buffer buf1 export tftp://192.168.1.10/buf1.pcap
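Because the on-box dump in step 6 is so sparse, the following script, added here and not part of the original post, rebuilds the raw frame from that dump text, decodes the Ethernet, IPv4 and UDP headers, validates the IPv4 header checksum (a quick way to confirm the hex was reassembled correctly), and wraps the frame as a libpcap file Wireshark can open when an export is not possible. The sample input is the step 6 dump re-typed into a string; every function name is my own.

```python
import re
import socket
import struct

# Constructed sample: the step 6 dump above, one address-prefixed line each.
DUMP = """23:50:18.669 EDT Feb 17 2009 : IPv4 LES CEF : Gi0/1 None
499A6280: 00192F06 0C09001B D5FF3C05 08004500 ../.....U.<...E.
499A6290: 008000BA 0000F611 881DAD4F 20284465 ...:..v...-O (De
499A62A0: 29B91194 1194006C 00003668 E2340000 )9.....l..6hb4..
499A62B0: 51D5B8B1 90BFB446 3F7011AF 78C98F42 QU81.?4F?p./xI.B
499A62C0: 696F3833 023841E8 5EF6988B C741F5E9 io83.8Ah^v..GAui
499A62D0: 4ACD925F 074DC56C 10B731B2 797F9C03 JM._.MEl.712y...
499A62E0: 28BF4C53 2ADF0EEF AE0F3526 98442EE2 (?LS*_.o..5&.D.b
499A62F0: 5A8C348A 246ABF28 3EFA15CB 11ABF76C Z.4.$j?(>z.K.+wl
499A6300: EC586E86 E802FF30 343BE135 9A0300 lXn.h..04;a5..."""

# An 8-digit address, a colon, then 1-4 hex words; the ASCII column is ignored.
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{8}:((?: [0-9A-Fa-f]{2,8}){1,4})")

def dump_to_bytes(text):
    """Rebuild the raw Ethernet frame from the hex words of every dump line."""
    words = [m.group(1) for m in map(HEX_LINE.match, text.splitlines()) if m]
    return bytes.fromhex("".join(words).replace(" ", ""))

def ones_complement_sum(data):
    """RFC 1071 arithmetic: a valid IPv4 header (checksum included) folds to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode_frame(frame):
    """Decode the Ethernet II, IPv4 and (if present) UDP headers into a dict."""
    info = {"eth_dst": frame[:6].hex(":"), "eth_src": frame[6:12].hex(":"),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != 0x0800:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info.update(ip_src=socket.inet_ntoa(ip[12:16]), ip_dst=socket.inet_ntoa(ip[16:20]),
                ip_len=struct.unpack("!H", ip[2:4])[0], ip_ttl=ip[8], ip_proto=ip[9],
                ip_checksum_ok=ones_complement_sum(ip[:ihl]) == 0xFFFF)
    if ip[9] == 17:  # UDP: source port, destination port, length
        info["udp_sport"], info["udp_dport"], info["udp_len"] = struct.unpack("!HHH", ip[ihl:ihl + 6])
    return info

def pcap_bytes(frame):
    """Wrap one frame as a libpcap file (link type 1 = Ethernet) that Wireshark opens."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame))  # ts_sec, ts_usec, caplen, len
    return header + record + frame
```

Paste the router's dump output into `DUMP`, call `decode_frame(dump_to_bytes(DUMP))` for a quick header summary, and write `pcap_bytes(frame)` to a `.pcap` file to inspect the packet in Wireshark.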

Here are some references to use for further information.
