
Capturing Packets with Cisco IOS

When it comes to troubleshooting a suspected network problem, taking a filtered look at packets flowing through a router can give a network engineer insight into how that traffic is being handled and potentially pinpoint the source of the issue.  This guide will explain how to capture packets on a Cisco IOS-based router and then export the capture to a TFTP server for examination in Wireshark.

All of the commands associated with configuring, running, monitoring and exporting the capture, with the exception of defining the filter access list, are entered in global exec mode.

Step 1 – Define a Capture Filter

The first thing we have to do is tell the router which packets we are interested in capturing.  This takes the form of an extended access list that is applied to the capture buffer so that only interesting packets are stored.  Remember to write this filter based on the interface where the capture will be applied.  Matching on private IP addresses on an interface connected to the public Internet probably won’t show much.  In this example, our access list (CAP-FILTER) is configured to match any packets sourced from or heading to the IP address 192.168.0.1.

ip access-list extended CAP-FILTER
permit ip host 192.168.0.1 any
permit ip any host 192.168.0.1

Step 2 – Define the Capture Buffer

The next step is to define a capture buffer, which is where captured packets are stored.  In this example the buffer is called CAP-BUF, but it can be named anything you like.

monitor capture buffer CAP-BUF size 2048 max-size 1518 linear

Step 3 – Bind the Capture Filter and Capture Buffer

Now that we have a Capture Filter and Buffer defined, we need to tie them together which is achieved using the following command:

monitor capture buffer CAP-BUF filter access-list CAP-FILTER

If the Filter and Buffer are successfully bound, the following message will be displayed:  “Filter successfully applied to buffer”.

Step 4 – Define a Capture Point

A Capture Point is how we tell the router which interface or interfaces we want to use to capture data, and also the direction of traffic flow.  In this example, we are going to create a capture point called CAP-POINT which will be tied to interface GigabitEthernet0/0/0 and capture traffic both inbound and outbound.

monitor capture point ip cef CAP-POINT gi0/0/0 both

Step 5 – Bind the Capture Buffer to the Capture Point

The final step in setting up the capture is to associate the Capture Buffer with the Capture Point.  This is done using the following command:

monitor capture point associate CAP-POINT CAP-BUF

Command Summary

ip access-list extended CAP-FILTER
permit ip host 192.168.0.1 any
permit ip any host 192.168.0.1
monitor capture buffer CAP-BUF size 2048 max-size 1518 linear
monitor capture buffer CAP-BUF filter access-list CAP-FILTER
monitor capture point ip cef CAP-POINT gi0/0/0 both
monitor capture point associate CAP-POINT CAP-BUF

Starting and Stopping the Capture

Now that the packet capture has been configured and is ready to go, we need to instruct the router to begin capturing.

This command starts the capture:

monitor capture point start CAP-POINT

This command stops the capture:

monitor capture point stop CAP-POINT

Viewing the Capture

To view the capture on the router use the following command:

show monitor capture buffer CAP-BUF

If CEF-switched packets have been captured, the buffer display on the router may be limited: rather than the packet header details you may only see summary lines like the output below.

16:42:00.539 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:01.539 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:02.543 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None
16:42:03.543 GMT Mar 4 2019 : IPv4 LES CEF : Di1 None

To delve into the packets, you will need to stop the capture and then export the buffer.

Exporting the Capture

To view a capture in Wireshark, we need to first export it from the router to a PC.  Capture export supports all the usual transfer methods normally associated with Cisco routers including FTP, TFTP, SCP and so on.

The following command would export the capture buffer CAP-BUF to a TFTP server located at 192.168.0.10 with a file name of capture.pcap.

monitor capture buffer CAP-BUF export tftp://192.168.0.10/capture.pcap

If the file transfer was successful, you should now be able to open the file in Wireshark or another packet capture analyser!
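As an added example (not part of the original guide or any Cisco tool): once capture.pcap has been pulled from the TFTP server, a quick offline check that every packet in the file actually satisfies the CAP-FILTER intent (involves 192.168.0.1) before trusting it in Wireshark, which also catches an export that was taken with the wrong filter or from the wrong interface. It assumes the export is a classic pcap with Ethernet framing (an assumption; check the link type Wireshark reports) and uses constructed sample frames in place of a real router export.

```python
import struct
from ipaddress import IPv4Address

ENDIAN_BY_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}  # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1  # assumed: an EPC export from a GigabitEthernet interface yields Ethernet frames

def iter_frames(data):
    """Yield the payload of each record in a classic (non-pcapng) pcap file."""
    endian = ENDIAN_BY_MAGIC.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type; this checker handles Ethernet only")
    offset = 24  # global header is 24 bytes; each record header is 16 bytes
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, offset)[2]
        yield data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len

def ipv4_endpoints(frame):
    """Return (src, dst) from the IPv4 header behind an Ethernet header, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return IPv4Address(frame[26:30]), IPv4Address(frame[30:34])

def audit_capture(data, host):
    """Count frames satisfying 'host <ip> any' / 'any host <ip>' versus strays."""
    wanted, matched, strays = IPv4Address(host), 0, 0
    for frame in iter_frames(data):
        ends = ipv4_endpoints(frame)
        if ends is not None and wanted in ends:
            matched += 1
        else:
            strays += 1  # non-IPv4 or not involving the host: the filter should have dropped it
    return matched, strays

def sample_frame(src, dst):
    """Constructed Ethernet + bare IPv4 header (sample data, not a router export)."""
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 1, 0, 0])  # IHL 5, TTL 64, proto ICMP
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + IPv4Address(src).packed + IPv4Address(dst).packed

def sample_pcap(frames):
    """Constructed little-endian pcap: magic, v2.4, tz 0, sigfigs 0, snaplen 1518, DLT 1."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1518, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = sample_pcap([sample_frame("192.168.0.1", "10.0.0.5"), sample_frame("10.0.0.5", "192.168.0.1"),
                      sample_frame("10.0.0.7", "10.0.0.8")])  # third frame should not have passed CAP-FILTER

if __name__ == "__main__":
    print("matched=%d strays=%d" % audit_capture(SAMPLE, "192.168.0.1"))  # real use: open("capture.pcap", "rb").read()
```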

Capture Clean-up

When the capture is complete, clean up the capture by issuing the following commands:

no monitor capture point ip cef CAP-POINT gi0/0/0 both
no monitor capture buffer CAP-BUF

Useful Commands

This command shows the parameters of all the capture buffers configured on the router.

show monitor capture buffer all parameter
