IOS Embedded Packet Capture

Embedded Packet Capture
1. Configure a capture buffer.

    monitor capture buffer PACKET_CAP size 2048 max-size 4000 circular

2. Optionally, apply an ACL to limit the traffic captured in the buffer you created.

    R1#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    R1(config)#ip access-list ex PACKET_CAP_FILTER
    R1(config-ext-nacl)#permit ip host 10.1.1.1 host 192.168.1.1
    R1(config-ext-nacl)#permit ip host 192.168.1.1 host 10.1.1.1
    R1(config-ext-nacl)#end
    R1#monitor capture buffer PACKET_CAP filter access-list PACKET_CAP_FILTER
    Filter Association succeeded

3. Set your capture point. You can use IPv4 or IPv6 CEF for input and output, and you can also name the capture point.

    R1# monitor capture point ip cef CAP_FA1/0 fastEthernet 1/0 both
    R1#
    * May 7 19:54:45.767: %BUFCAP-6-CREATE: Capture Point CAP_FA1/0 created.

4. Associate the capture point with the capture buffer.

    R1#monitor capture point associate CAP_FA1/0 PACKET_CAP

5. Enable the capture point to start the packet capture.

    R1#monitor capture point start CAP_FA1/0
    R1#
    * May 7 15:26:31.539: %BUFCAP-6-ENABLE: Capture Point CAP_FA0/0 enabled.

6. To stop the capture, use the following command.

    R1#monitor capture point stop CAP_FA1/0
    R1#
    * May 7 15:28:55.363: %BUFCAP-6-DISABLE: Capture Point CAP_FA1/0 disabled.
    R1#

Use the following commands to view capture-specific information:

    show monitor capture buffer all parameters
    show monitor capture point all
    show monitor capture buffer PACKET_CAP
    show monitor capture buffer PACKET_CAP dump

To export the packet capture, use the following syntax:

    monitor capture buffer PACKET_CAP export tftp://1.1.1.2//Capture.pcap
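Once the export is on the TFTP server, it is worth confirming that the ACL filter from step 2 did its job. The following is an added example, not part of the original page: a Python check that reads a classic pcap file and lists any IPv4 packet that is not between the two PACKET_CAP_FILTER hosts. It assumes the exported file is classic pcap with an Ethernet link type; the function names and the sample capture are constructed for illustration.

```python
import ipaddress
import struct

# Hosts from the PACKET_CAP_FILTER ACL configured in step 2.
FILTER_HOSTS = {ipaddress.ip_address("10.1.1.1"), ipaddress.ip_address("192.168.1.1")}

def read_pcap(data):
    """Yield raw frames from a classic pcap byte string (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    # Assumption: the export uses LINKTYPE_ETHERNET (1).
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("unexpected link type")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        yield frame
        offset += 16 + incl_len

def outside_filter(data):
    """Return (index, src, dst) for IPv4 packets not between the two ACL hosts."""
    bad = []
    for i, frame in enumerate(read_pcap(data)):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet; the filter is an IPv4 ACL
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if {src, dst} != FILTER_HOSTS:
            bad.append((i, str(src), str(dst)))
    return bad

def make_sample(pairs):
    """Build a constructed pcap with one minimal IPv4 frame per (src, dst) pair."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in pairs:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    sample = make_sample([("10.1.1.1", "192.168.1.1"), ("192.168.1.1", "10.1.1.1"), ("10.1.1.9", "192.168.1.1")])
    print(outside_filter(sample))
```

To check a real export, pass the file contents instead of the sample, for example outside_filter(open("Capture.pcap", "rb").read()). An empty list means every IPv4 packet in the file matched the filter.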