IMPORTANT: To retrieve the packet capture file you need a TFTP server such as TFTP32 (freeware).
1. The first set of commands creates a buffer on the router to hold the captured data, defines a capture point, and associates the two.
monitor capture buffer MYBUFFER size 10000 max-size 1550 circular
monitor capture point ip cef CAPTUREONG1 g1/0 both
monitor capture point associate CAPTUREONG1 MYBUFFER
NOTE: In this example, g1/0 is the interface on which traffic is captured in both directions (in and out). Select the interface you want to capture traffic on.
2. Second, create an ACL that matches the interesting traffic (the filter ACL).
configure terminal
ip access-list extended MYCAPTURE
permit ip host 192.168.1.1 host 10.1.1.1
permit ip host 10.1.1.1 host 192.168.1.1
end
3. The next step is to link the access list to the buffer and start the capture.
monitor capture buffer MYBUFFER filter access-list MYCAPTURE
monitor capture point start CAPTUREONG1
NOTE: The command "show monitor capture point all" shows whether the capture is active.
4. Once the traffic has been sent and captured in the router's buffer, stop the capture before sending the file to the TFTP server, using the following command:
monitor capture point stop CAPTUREONG1
5. The last command sends the capture file to the TFTP server so that it can be opened with Wireshark or any other packet analyzer.
monitor capture buffer MYBUFFER export tftp://192.168.100.200/CAPTURE.cap
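Once CAPTURE.cap is on the TFTP server, a quick offline check can confirm that no packet was cut short by the buffer's max-size and that every packet belongs to the host pair in the MYCAPTURE ACL. The Python script below is an added example, not part of the original procedure; it assumes the exported file is a classic pcap file with an Ethernet or raw-IP link type, and the sample capture it builds is constructed for illustration.

```python
import socket
import struct

ACL_HOSTS = {"192.168.1.1", "10.1.1.1"}   # host pair permitted by the MYCAPTURE ACL
L2_LEN = {1: 14, 101: 0}                  # link types handled here: Ethernet, raw IP (assumption)

def check_capture(data):
    """Return (total, truncated, outside_acl) for the bytes of a classic pcap file."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype not in L2_LEN:
        raise ValueError("unsupported link type %d" % linktype)
    total = truncated = outside = 0
    pos = 24                                           # first record follows the global header
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        ip = data[pos + 16 + L2_LEN[linktype]:pos + 16 + incl_len]
        pos += 16 + incl_len
        total += 1
        truncated += incl_len < orig_len               # stored bytes < bytes seen on the wire
        if len(ip) < 20 or ip[0] >> 4 != 4:
            outside += 1                               # not IPv4, so the ACL cannot have matched it
        elif {socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])} != ACL_HOSTS:
            outside += 1
    return total, truncated, outside

def ipv4_header(src, dst):
    # Constructed minimal 20-byte IPv4 header (protocol 1, checksum left at zero)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def pcap_record(frame, orig_len=None):
    return struct.pack("<IIII", 0, 0, len(frame), orig_len or len(frame)) + frame

def sample_capture():
    # Constructed sample: one clean packet, one truncated packet, one outside the ACL pair
    eth = b"\x00" * 12 + b"\x08\x00"
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1550, 1)
    return (hdr + pcap_record(eth + ipv4_header("192.168.1.1", "10.1.1.1"))
            + pcap_record(eth + ipv4_header("10.1.1.1", "192.168.1.1"), orig_len=1600)
            + pcap_record(eth + ipv4_header("10.1.1.1", "172.16.0.9")))

if __name__ == "__main__":
    print(check_capture(sample_capture()))
```

To check a real export, pass the file contents instead of the sample, for example check_capture(open("CAPTURE.cap", "rb").read()).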