Wednesday, July 13, 2011

Remote Packet Capture in Cisco IOS

Sometimes you need a network packet capture but you don't have access to the network. That's the time for Cisco's "Embedded Packet Capture".

Let's say you want to capture the traffic on your Cisco IOS router's LAN interface. You need a circular buffer of about 2 megabytes.

monitor capture buffer buf1 size 2048 circular
monitor capture point ip cef cap1 gigabitethernet0/0 both 
monitor capture point associate cap1 buf1

Start the capture with:
monitor capture point start cap1

And stop the capture with:
monitor capture point stop cap1

Check if everything you need is in the trace:
show monitor cap buffer buf1 dump

And copy it to a place, in this case flash, where you can access it:
monitor capture buffer buf1 export flash:capture.pcap

You might want to download it, for example via SCP. There is a separate entry in this blog regarding SCP:

But you could also copy it directly to a bunch of remote locations:
router#monitor capture buffer buf1 export ?
  flash0:  Location to dump buffer
  flash1:  Location to dump buffer
  flash:   Location to dump buffer
  ftp:     Location to dump buffer
  http:    Location to dump buffer
  https:   Location to dump buffer
  pram:    Location to dump buffer
  rcp:     Location to dump buffer
  scp:     Location to dump buffer
  tftp:    Location to dump buffer
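
Once capture.pcap is off the router, it is worth confirming that the file arrived intact and really holds the packets you expect before you open it in an analyzer. The Python check below is an added example, not part of the original post or of Cisco's tooling; it assumes the export is a classic pcap file, and the bytes returned by build_sample() are constructed for the demo.

```python
import struct
import sys

# Classic pcap magic bytes -> (struct byte order, timestamp fractions per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
    b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9),
}

def summarize_pcap(data: bytes) -> dict:
    """Walk every record of a classic pcap file and report what it holds."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (short header or bad magic)")
    order, scale = MAGICS[data[:4]]
    snaplen, linktype = struct.unpack(order + "II", data[16:24])
    offset, packets, snapped, first, last = 24, 0, 0, None, None
    complete = True
    while offset < len(data):
        if offset + 16 > len(data):
            complete = False          # record header cut off
            break
        sec, frac, incl, orig = struct.unpack(order + "IIII", data[offset:offset + 16])
        if offset + 16 + incl > len(data):
            complete = False          # packet bytes cut off (partial transfer)
            break
        ts = sec + frac / scale
        first = ts if first is None else first
        last = ts
        packets += 1
        snapped += incl < orig        # stored fewer bytes than were on the wire
        offset += 16 + incl
    return {"packets": packets, "snapped": snapped, "complete": complete,
            "snaplen": snaplen, "linktype": linktype,
            "seconds": (last - first) if packets else 0.0}

def build_sample() -> bytes:
    """Constructed two-packet capture for the demo, not real router output."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 68, 1)
    whole = struct.pack("<IIII", 1310545000, 0, 60, 60) + bytes(60)
    cut = struct.pack("<IIII", 1310545002, 500000, 68, 1514) + bytes(68)
    return header + whole + cut

if __name__ == "__main__":
    # Pass the downloaded file (e.g. capture.pcap) as the first argument.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(summarize_pcap(fh.read()))
    else:
        print(summarize_pcap(build_sample()))
```

A result with "complete" set to False means the file ends in the middle of a record, and a non-zero "snapped" count means some packets were stored shorter than they were on the wire.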


Cisco Link to embedded Packet Capture:

If you want to automate it in a quite fancy way, you should have a look at Cisco Embedded Automation Systems - EASy.

