When troubleshooting a suspected network problem, a filtered look at the packets flowing through a router can give a network engineer insight into how that traffic is being handled and help pinpoint the source of the issue. This guide explains how to capture packets on a Cisco IOS-based router using the Embedded Packet Capture (EPC) feature and then export the capture to a TFTP server for examination in Wireshark.
All of the commands used to configure, run, monitor and export the capture are entered in privileged EXEC mode (after enable), not in configuration mode. The one exception is the filter access list, which is defined in global configuration mode.
The first step is to tell the router which packets we are interested in. This takes the form of an extended access list that is applied to the capture buffer so that only interesting packets are stored; it is purely a capture filter and has no effect on how the router forwards traffic. Write the filter for the addresses as they appear on the interface where the capture will be applied: if the router performs NAT, traffic from a private address already carries the translated public address on the Internet-facing interface, so filtering on the private address there will match nothing. In this example, the access list (CAP-FILTER) matches any packet sourced from or destined to the IP address 192.168.0.1.
ip access-list extended CAP-FILTER
permit ip host 192.168.0.1 any
permit ip any host 192.168.0.1
The next step is to define a capture buffer, which is where captured packets are stored. In this example the buffer is called CAP-BUF, but it can be named anything you like. The size is the total buffer size in kilobytes (2048 KB here), max-size is the maximum number of bytes stored per packet (1518 covers a full-size Ethernet frame; longer packets are truncated), and linear means the capture stops when the buffer is full. The alternative, circular, overwrites the oldest packets instead and is the better choice when you do not know when the event of interest will occur.
monitor capture buffer CAP-BUF size 2048 max-size 1518 linear
Now that we have a Capture Filter and Buffer defined, we need to tie them together which is achieved using the following command:
monitor capture buffer CAP-BUF filter access-list CAP-FILTER
If the Filter and Buffer are successfully bound, the following message will be displayed: “Filter successfully applied to buffer”.
A capture point tells the router which interface or interfaces to capture on, which switching path to capture from (ip cef captures CEF-switched IPv4 packets; process-switched is the alternative for traffic punted to the CPU) and the direction of traffic flow (in, out or both). In this example we create a capture point called CAP-POINT bound to interface GigabitEthernet0/0/0, capturing traffic in both directions.
monitor capture point ip cef CAP-POINT gi0/0/0 both
The final step to setting up the capture is to associate the Capture Buffer to the Capture Point. This is done using the following command:
monitor capture point associate CAP-POINT CAP-BUF
For reference, the complete set of commands from the steps above (the first three lines in global configuration mode, the rest in privileged EXEC mode):
ip access-list extended CAP-FILTER
permit ip host 192.168.0.1 any
permit ip any host 192.168.0.1
monitor capture buffer CAP-BUF size 2048 max-size 1518 linear
monitor capture buffer CAP-BUF filter access-list CAP-FILTER
monitor capture point ip cef CAP-POINT gi0/0/0 both
monitor capture point associate CAP-POINT CAP-BUF
Now that the packet capture has been configured, we need to instruct the router to begin capturing. This command starts the capture:
monitor capture point start CAP-POINT
This command stops the capture:
monitor capture point stop CAP-POINT
To view the capture on the router use the following command (the capture can still be running while you look; show monitor capture point all reports whether each capture point is active):
show monitor capture buffer CAP-BUF
Without further keywords, show monitor capture buffer prints one summary line per captured packet giving the timestamp, the switching path (CEF here) and the interface, but none of the packet headers, so the output looks something like this:
16:42:00.539 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:01.539 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:02.543 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:03.543 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
Adding the dump keyword to the show command above prints a hex dump of each packet, which is enough for a quick check, but to delve into the packets properly you will need to stop the capture and then export the buffer.
To view a capture in Wireshark, it first has to be exported from the router to a PC. Export supports the usual transfer methods associated with Cisco routers, including FTP, TFTP, SCP and so on, as well as the router's local flash. Bear in mind that TFTP is unauthenticated and unencrypted, so the exported capture, which may contain credentials or other sensitive payload data, crosses the network in cleartext; on a production network prefer SCP, or export to flash and retrieve the file over a secure channel.
The following command would export the capture buffer CAP-BUF to a TFTP server located at 192.168.0.10 with a file name of capture.pcap.
monitor capture buffer CAP-BUF export tftp://192.168.0.10/capture.pcap
If the file transfer was successful, you should now be able to open the file in Wireshark or any other packet capture analyser.
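The following Python script is an added example and is not code from the guide or from Cisco. It models what the steps above put into the exported file: an access-list check equivalent to the two CAP-FILTER lines, truncation of each stored packet to max-size, a linear buffer that stops once size is exceeded, and a reader for the resulting pcap that counts packets per direction the way an ip.addr == 192.168.0.1 display filter in Wireshark would. Only 192.168.0.1 and the timestamp are taken from the page; the other addresses, MACs, payloads and the buffer accounting are constructed assumptions, and the model ignores the per-packet overhead the router actually charges against the buffer.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Added example, not router output. 192.168.0.1 is the host CAP-FILTER matches
# on the page; every other address, MAC and payload below is constructed.
PCAP_MAGIC = 0xA1B2C3D4       # little-endian libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
CAP_HOST = "192.168.0.1"      # the host both CAP-FILTER lines refer to
MAX_SIZE = 1518               # "max-size 1518": bytes stored per packet
SIZE_KB = 2048                # "size 2048": total buffer size in kilobytes


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal Ethernet/IPv4 frame: constructed MACs, IP protocol 253
    (experimental), header checksum left at zero since nothing validates it."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 253, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return eth + ip + bytes(payload_len)


def ipv4_addresses(frame: bytes) -> Optional[Tuple[str, str]]:
    """(src, dst) of an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return bytes_to_ip(frame[26:30]), bytes_to_ip(frame[30:34])


def matches_cap_filter(frame: bytes, host: str = CAP_HOST) -> bool:
    """Same decision as the two CAP-FILTER lines:
    permit ip host <host> any / permit ip any host <host>."""
    addrs = ipv4_addresses(frame)
    return addrs is not None and host in addrs


def router_capture(frames: List[bytes], host: str = CAP_HOST,
                   max_size: int = MAX_SIZE, size_kb: int = SIZE_KB) -> bytes:
    """Simplified model (an assumption, not IOS internals) of the capture buffer,
    written out as a pcap file the way 'monitor capture buffer ... export' does:
    only frames the access list permits are stored, each record is cut to
    max_size bytes, and a linear buffer stops rather than wrapping once
    size_kb kilobytes are used."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, max_size, LINKTYPE_ETHERNET)
    records, used, ts = [], 0, 1551717720   # 16:42:00 GMT 4 Mar 2019, as on the page
    for i, frame in enumerate(frames):
        if not matches_cap_filter(frame, host):
            continue                         # filtered out before reaching the buffer
        stored = frame[:max_size]
        if used + len(stored) > size_kb * 1024:
            break                            # linear buffer full: capture stops
        used += len(stored)
        records.append(struct.pack("<IIII", ts + i, 0, len(stored), len(frame)) + stored)
    return header + b"".join(records)


def parse_pcap(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Read a little-endian pcap file into (timestamp, original length, bytes)."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    out, off = [], 24
    while off < len(data):
        ts_sec, _usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + caplen > len(data):
            raise ValueError("record at offset %d runs past end of file" % off)
        out.append((ts_sec, origlen, data[off:off + caplen]))
        off += caplen
    return out


def summarize(pcap: bytes, host: str = CAP_HOST) -> Dict[str, int]:
    """Per-direction counts (what 'ip.addr == host' would show in Wireshark),
    non-IPv4 records, and records cut short of their original length."""
    counts = {"from_host": 0, "to_host": 0, "other": 0, "truncated": 0}
    for _ts, origlen, frame in parse_pcap(pcap):
        if origlen > len(frame):
            counts["truncated"] += 1
        addrs = ipv4_addresses(frame)
        if addrs is None or host not in addrs:
            counts["other"] += 1
        else:
            counts["from_host" if addrs[0] == host else "to_host"] += 1
    return counts


# Constructed traffic: one frame each way for 192.168.0.1 (the reply is a 1634-byte
# frame, so it is cut to 1518), one unrelated host, and one frame that is
# 192.168.0.1's traffic after NAT to 203.0.113.7, which the filter cannot match.
SAMPLE_FRAMES = [
    build_frame("192.168.0.1", "10.0.0.5", 100),
    build_frame("10.0.0.5", "192.168.0.1", 1600),
    build_frame("192.168.0.20", "10.0.0.5", 60),
    build_frame("203.0.113.7", "10.0.0.5", 100),
]

if __name__ == "__main__":
    print(summarize(router_capture(SAMPLE_FRAMES)))
```

Running the script shows one packet in each direction, the 1634-byte reply stored as 1518 bytes, and the NAT-translated frame absent from the capture entirely; calling router_capture with size_kb=1 shows the linear buffer stopping after the first packet, which is the behaviour to expect on the router when a small linear buffer fills before the interesting traffic arrives.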
When you are finished, stop the capture if it is still running and remove the capture point and buffer; until it is deleted, the buffer holds copies of the captured packets, including any sensitive payload, in router memory. The following commands clean up:
no monitor capture point ip cef CAP-POINT gi0/0/0 both
no monitor capture buffer CAP-BUF
The CAP-FILTER access list is removed separately in global configuration mode if it is no longer needed.
This command shows the parameters of all capture buffers configured on the router and is a useful check that the cleanup succeeded:
show monitor capture buffer all parameter