Capture Packets on Cisco IOS Device

A lot of the time the job of a network engineer is to prove that a problem isn’t the network. Being able to view and confirm that traffic is passing through a specific device and a specific interface is very useful for doing this.

Below is the process for creating a packet capture directly on a Cisco IOS device, and how to view and control the capture.

Create ACL to define what traffic to capture

The first thing we need to do is specify what traffic is going to be captured; this is done with an ACL.

ip access-list extended capture
permit ip any host 8.8.8.8
permit ip host 8.8.8.8 any

In this example we are going to capture traffic heading to or returning from Google’s public DNS server 8.8.8.8.

Create Capture Buffer

Below, in enable mode, we create the buffer called capo. The buffer size is set in MB; the range is 0 – 100MB.

The default buffer method is linear, as below (so the linear keyword isn’t actually needed), but if there is going to be a lot of traffic you can add circular at the end to ensure that when the buffer becomes full the capture keeps running and overwrites previously captured data.

Router# monitor capture capo buffer size 50 linear
or
Router# monitor capture capo buffer size 50 circular

Assign Access list Filter to Capture Buffer

Next we have to assign the access list we created earlier to the buffer, as below.

Router# monitor capture capo access-list capture

Define Interface(s) to Capture traffic on

Now we have to specify the interface or interfaces we would like to capture the traffic on. A capture can have multiple interfaces, but an interface can only have one capture on it.

We can also specify whether we want only traffic that is inbound (IN), outbound (OUT) or BOTH on the interfaces we’ve specified.

Router# monitor capture capo interface GigabitEthernet0/0 BOTH
or
Router# monitor capture capo interface GigabitEthernet0/0 IN
or
Router# monitor capture capo interface GigabitEthernet0/0 OUT

Control Captures

And that is the buffer created. To manage the capture use the commands below: they start or stop the capture, and if you would like to start again you can use clear to empty the buffer. Note that the capture has to be stopped before the buffer can be cleared.

Router# monitor capture capo Start

Router# monitor capture capo Stop

Router# monitor capture capo Clear

Viewing Captures

Once we have created a capture and started it, the next thing is to look at it and see what it has captured.

The first command below shows a summary of the packets captured, so we can make sure it is actually capturing packets. The brief option shows a list of packets with source, destination, protocol and so on.

Router# show monitor capture capo buffer
 buffer size (KB) : 102400
 buffer used (KB) : 128
 packets in buf   : 135
 packets dropped  : 0
 packets per sec  : 0

Router# show monitor capture capo buffer brief
 ----------------------------------------------------------------------------
 #   size   timestamp     source             destination      dscp    protocol
 ----------------------------------------------------------------------------
   0   59    0.000000   192.168.0.20   ->   8.8.8.8             0  BE   UDP
   1   59    0.996002   8.8.8.8        ->   192.168.0.20        0  BE   UDP
   2   59    2.011993   192.168.0.20   ->   8.8.8.8             0  BE   UDP
   3   59    4.011993   8.8.8.8        ->   192.168.0.20        0  BE   UDP
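Reading the brief listing by eye works for a handful of packets, but when the buffer holds hundreds it helps to parse the two outputs and check them against what the ACL should have allowed: packets dropped should be 0, the buffer should not be close to full, and every listed packet should have 8.8.8.8 as either source or destination. The script below is an added example and is not part of the original post or any Cisco tool; the two output samples are constructed, modelled on the output above (the fifth brief row, to 192.168.0.1, is added deliberately so the "unexpected packet" check has something to report), and it assumes the device output is pasted in as plain text.

```python
import re
from dataclasses import dataclass

# Constructed sample output modelled on "show monitor capture capo buffer"
# (not captured from a real device).
SUMMARY_OUTPUT = """\
 buffer size (KB) : 102400
 buffer used (KB) : 128
 packets in buf   : 135
 packets dropped  : 0
 packets per sec  : 0
"""

# Constructed sample output modelled on "show monitor capture capo buffer brief".
# Row 4 does not match the ACL and is included only to exercise the check.
BRIEF_OUTPUT = """\
 ----------------------------------------------------------------------------
 #   size   timestamp     source             destination      dscp    protocol
 ----------------------------------------------------------------------------
   0   59    0.000000   192.168.0.20   ->   8.8.8.8             0  BE   UDP
   1   59    0.996002   8.8.8.8        ->   192.168.0.20        0  BE   UDP
   2   59    2.011993   192.168.0.20   ->   8.8.8.8             0  BE   UDP
   3   59    4.011993   8.8.8.8        ->   192.168.0.20        0  BE   UDP
   4   74    5.100000   192.168.0.20   ->   192.168.0.1         0  BE   TCP
"""

# Hosts the ACL "capture" permits in either direction (from the post).
FILTER_HOSTS = {"8.8.8.8"}


@dataclass
class Packet:
    index: int
    size: int
    timestamp: float
    source: str
    destination: str
    dscp: int
    dscp_name: str
    protocol: str


# "key : value" lines of the summary output, e.g. " packets dropped  : 0"
SUMMARY_RE = re.compile(r"^\s*(?P<key>[A-Za-z ()]+?)\s*:\s*(?P<value>\d+)\s*$")

# One data row of the brief table; header and separator lines do not match.
BRIEF_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<size>\d+)\s+(?P<ts>\d+\.\d+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dscp>\d+)\s+"
    r"(?P<dscp_name>\S+)\s+(?P<proto>\S+)\s*$"
)


def parse_summary(text):
    """Return the summary counters as a dict keyed by the label text."""
    stats = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            stats[m.group("key").strip()] = int(m.group("value"))
    return stats


def parse_brief(text):
    """Return the brief table rows as Packet records, skipping the header."""
    packets = []
    for line in text.splitlines():
        m = BRIEF_RE.match(line)
        if m:
            packets.append(Packet(int(m["idx"]), int(m["size"]), float(m["ts"]),
                                  m["src"], m["dst"], int(m["dscp"]),
                                  m["dscp_name"], m["proto"]))
    return packets


def analyse(summary_text, brief_text, hosts=FILTER_HOSTS):
    """Sanity-check a capture against the ACL it was supposed to use."""
    stats = parse_summary(summary_text)
    packets = parse_brief(brief_text)
    return {
        "dropped": stats.get("packets dropped", 0),
        "in_buffer": stats.get("packets in buf", 0),
        "buffer_pct_used": 100.0 * stats["buffer used (KB)"] / stats["buffer size (KB)"],
        "listed": len(packets),
        # Requests towards the filtered host and replies back from it; both
        # being non-zero is the "traffic is passing" proof the post is after.
        "to_filter_hosts": sum(p.destination in hosts for p in packets),
        "from_filter_hosts": sum(p.source in hosts for p in packets),
        # Anything matching neither direction means the ACL is not what we think.
        "unexpected_indexes": [p.index for p in packets
                               if p.source not in hosts and p.destination not in hosts],
    }


if __name__ == "__main__":
    for key, value in analyse(SUMMARY_OUTPUT, BRIEF_OUTPUT).items():
        print(f"{key:>20}: {value}")
```

If "unexpected_indexes" is non-empty the capture is seeing traffic the ACL should not permit, which usually means the access-list was attached to the wrong buffer or was edited after the capture started; a rising "dropped" counter or a buffer near 100% used means the buffer is too small for the traffic rate and circular mode, or a tighter ACL, is needed.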

Further Reading

There are some further features of the capture, such as exporting it and sending it via TFTP. I’ve not used that feature myself, but if you think it would be useful see the Cisco document below.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/command/epc-cr-book/epc-cr-m1.html#wp3379948068

Gary M