How to take packet captures on an IOS Router (focused on VPN traffic)


IMPORTANT: In order to retrieve the packet capture file you need a TFTP server, such as TFTP32 (freeware).

1. The first set of commands creates a buffer on the router to hold the captured data, defines a capture point on the interface, and associates the two.

monitor capture buffer MYBUFFER size 10000 max-size 1550 circular
monitor capture point ip cef CAPTUREONG1 g1/0 both
monitor capture point associate CAPTUREONG1 MYBUFFER

NOTE: In this example g1/0 is the interface on which traffic is captured in both directions. Replace it with the interface you want to capture the traffic on.

2. Second, an ACL is created to select the interesting traffic (the filter ACL).

ip access-list extended MYCAPTURE
permit ip host 192.168.1.1 host 10.1.1.1
permit ip host 10.1.1.1 host 192.168.1.1
end

3. The next step is to link the access-list to the buffer and start the capture.

monitor capture buffer MYBUFFER filter access-list MYCAPTURE
monitor capture point start CAPTUREONG1

NOTE: The command "show monitor capture point all" shows whether the capture is active.

4. Once the traffic has been sent and captured in the router's buffer, the capture needs to be stopped before the file can be sent to the TFTP server, using the following command:

monitor capture point stop CAPTUREONG1

5. The last command sends the capture file to the TFTP server, so it can be opened with Wireshark or any other packet analyzer.

monitor capture buffer MYBUFFER export tftp://192.168.100.200/CAPTURE.cap

Comments

Great post. 

To put my two cents in:

Once the necessary data has been collected, delete the "capture point" and "capture buffer":

- no monitor capture point ip cef CAPTUREONG1 g1/0 both

- no monitor capture buffer MYBUFFER

In situations where you do not have a TFTP server available, you can take a copy of the hex dump and use any online hex-pcap converter in order to view the files.

Example:

http://sadjad.me/phd/
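An offline alternative to the online hex-to-pcap converter mentioned above, added here as an example (it is not part of the original post or of the comment): it parses text in the shape of the router's "show monitor capture buffer MYBUFFER dump" output and writes a classic pcap file that Wireshark opens, so a capture of VPN traffic never has to be pasted into a third-party website. The exact column layout (address, 32-bit hex groups, ASCII column separated by two or more spaces) is an assumption reproduced in the constructed sample below.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed sample shaped like "show monitor capture buffer MYBUFFER dump" output
# (timestamp header, rows of address + 32-bit hex groups + ASCII); hand-built ICMP echo.
SAMPLE_DUMP = """\
14:56:32.256 UTC Jan 17 2012 : IPv4 LES CEF    : Gi1/0 None

5C500A3E:  00000C9F F0010001 58AABBCC 08004500  ........X....E.
5C500A4E:  00200001 00004001 AE31C0A8 01010A01  ...@..1.........
5C500A5E:  01010800 33370001 00016162 6364      ....37....abcd

14:56:32.260 UTC Jan 17 2012 : IPv4 LES CEF    : Gi1/0 None

5C500A3E:  00000C9F F0010001 58AABBCC 08004500  ........X....E.
5C500A4E:  00200001 00004001 AE31C0A8 01010A01  ...@..1.........
5C500A5E:  01010800 33370001 00016162 6364      ....37....abcd
"""
HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \S+ ([A-Za-z]{3} \d{1,2} \d{4}) :")
ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}:?$")

def parse_ios_dump(text):
    """Return [(utc_datetime, frame_bytes), ...] parsed from the dump text."""
    packets, stamp, frame = [], None, bytearray()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a new packet starts: flush the previous frame
            if frame:
                packets.append((stamp, bytes(frame)))
            frame = bytearray()
            stamp = datetime.strptime(m.group(1) + " " + m.group(2),
                                      "%H:%M:%S.%f %b %d %Y").replace(tzinfo=timezone.utc)
            continue
        # Columns split on 2+ spaces; the ASCII column is never read (hex-like chars there are harmless).
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) >= 2 and ADDR_RE.match(parts[0]):
            frame += bytes.fromhex(parts[1].replace(" ", ""))
    if frame:
        packets.append((stamp, bytes(frame)))
    return packets

def to_pcap(packets):
    """Serialise frames as a classic libpcap file (magic A1B2C3D4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for stamp, frame in packets:
        sec, usec = (int(stamp.timestamp()), stamp.microsecond) if stamp else (0, 0)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out
```

Paste the router's dump text into parse_ios_dump, write the bytes returned by to_pcap to a .pcap file, and open that file in Wireshark.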