Introduction
This document describes how to capture, on a Cisco IOS router, both the traffic the router receives on an interface and the traffic the router itself generates, using the monitor capture (Embedded Packet Capture) commands.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco IOS Release 12.4(20)T or later
- Cisco IOS-XE Release 15.2(4)S - 3.7.0 or later
The information in this document was created from devices in a lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
When enabled, the router copies the packets it sends and receives into a buffer in DRAM; the buffer is therefore not persistent through a reload. Once data is captured, it can be examined in a summary or detailed view on the router, or exported as a packet capture (PCAP) file for further examination in an external analyzer such as Wireshark. The capture points and buffers are created with privileged EXEC commands, not configuration commands, and the feature is intended as a temporary troubleshooting aid: nothing about it is stored in the router configuration, and it does not remain in place after a system reload.
Cisco IOS Configuration Example
To capture both the inbound and the outbound traffic of the router itself (IKE in this example), two separate captures are needed, because the two directions take different switching paths:
- a CEF switching path capture on the ingress interface for inbound IKE packets
- a process-switching path capture for outbound IKE packets
Packets that the router originates (IKE, routing protocol hellos, management traffic) are process-switched rather than CEF-switched, so a CEF capture point on the interface does not see them; the from-us keyword of the process-switched capture point selects exactly those router-originated packets.
Capture for inbound packets. Here max-size 1500 sets the number of bytes kept per packet (the default is 68 bytes, enough only for headers), and linear makes the capture stop when the buffer is full instead of overwriting the oldest packets:
monitor capture buffer in-buffer max-size 1500 linear
monitor capture point ip cef in-capture GigabitEthernet0/0 in
monitor capture point associate in-capture in-buffer
Capture for outbound packets (from-us selects packets generated by the router itself, regardless of egress interface):
monitor capture buffer out-buffer max-size 1500 linear
monitor capture point ip process-switched out-capture from-us
monitor capture point associate out-capture out-buffer
Start both captures at the same time:
monitor capture point start all
Stop the captures:
monitor capture point stop all
Export each buffer to a TFTP server for further analysis. The exported file contains full packet contents, and TFTP is neither authenticated nor encrypted, so export over a dedicated management network; the same command also accepts other destinations such as local flash: or, where the platform supports it, scp::
monitor capture buffer out-buffer export tftp://x.x.x.x/out-buffer.pcap
monitor capture buffer in-buffer export tftp://x.x.x.x/in-buffer.pcap
Once the necessary data has been collected, delete the capture points and capture buffers so they do not keep consuming DRAM:
no monitor capture buffer in-buffer
no monitor capture buffer out-buffer
no monitor capture point ip cef in-capture GigabitEthernet0/0 in
no monitor capture point ip process-switched out-capture from-us
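As an added example (not part of the Cisco document), the following Python script reads a PCAP exported as above and summarises it per flow: it flags IKE on UDP 500/4500, tells IKE apart from UDP-encapsulated ESP on port 4500 using the RFC 3948 non-ESP marker, and counts packets that were cut short because they exceeded the buffer's max-size. The link types assumed for the two exports (Ethernet for the interface capture, raw IPv4 for the process-switched capture) and every address and frame in the embedded sample are assumptions and constructed data, not output from a real router.

```python
"""Added example: summarise a classic PCAP written by 'monitor capture buffer ... export'."""
import struct
import sys
from collections import Counter

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW_IP = 101    # raw IPv4 without a link header (assumed for the process-switched export)
IKE_PORTS = {500, 4500}
IPPROTO_UDP, IPPROTO_ESP = 17, 50


def pcap_records(data):
    """Yield (linktype, wire_length, captured_bytes) from classic pcap data in either byte order."""
    end = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield linktype, orig_len, pkt


def classify(linktype, pkt):
    """Return (src, dst, label) for an IPv4 packet, else None; label is IKE, ESP, UDP or IP/<proto>."""
    if linktype == LINKTYPE_ETHERNET:
        if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":   # EtherType must be IPv4
            return None
        ip = pkt[14:]
    elif linktype == LINKTYPE_RAW_IP:
        ip = pkt
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if proto == IPPROTO_ESP:
        return src, dst, "ESP"
    if proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            # RFC 3948: on UDP 4500, IKE is preceded by a 4-byte zero non-ESP marker;
            # any other leading 4 bytes are an ESP SPI, i.e. UDP-encapsulated ESP.
            if 4500 in (sport, dport) and l4[8:12] != b"\x00\x00\x00\x00":
                return src, dst, "ESP"
            return src, dst, "IKE"
        return src, dst, "UDP"
    return src, dst, "IP/%d" % proto


def summarise(data):
    """Count packets per (src, dst, label) and packets cut short by the capture buffer's max-size."""
    flows, total, truncated = Counter(), 0, 0
    for linktype, orig_len, pkt in pcap_records(data):
        total += 1
        truncated += len(pkt) < orig_len
        c = classify(linktype, pkt)
        if c:
            flows[c] += 1
    return {"total": total, "truncated": truncated, "flows": flows}


# --- constructed sample data: not a real router export; checksums left zero (not verified) ---
def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _pcap(linktype, packets, snaplen=1500):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p[:snaplen]), len(p)) + p[:snaplen]
    return out

# minimal IKEv2 IKE_SA_INIT header: SPIi, SPIr=0, next=SA, ver 2.0, exch 34, flags=I, msgid, length
IKE_HDR = b"\x11" * 8 + b"\x00" * 8 + b"\x21\x20\x22\x08" + b"\x00" * 4 + struct.pack("!I", 28)
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")
PEER, ROUTER = "203.0.113.10", "198.51.100.1"
SAMPLE_IN = _pcap(LINKTYPE_ETHERNET, [
    ETH + _ipv4(PEER, ROUTER, IPPROTO_UDP, _udp(500, 500, IKE_HDR)),
    ETH + _ipv4(PEER, ROUTER, IPPROTO_UDP, _udp(4500, 4500, b"\x00" * 4 + IKE_HDR)),
    ETH + _ipv4(PEER, ROUTER, IPPROTO_UDP, _udp(4500, 4500, b"\x00\x00\x10\x01" + b"\xaa" * 60)),
    ETH + _ipv4(PEER, ROUTER, IPPROTO_ESP, b"\x00\x00\x10\x01" + b"\xbb" * 1600),  # exceeds max-size
])
SAMPLE_OUT = _pcap(LINKTYPE_RAW_IP, [_ipv4(ROUTER, PEER, IPPROTO_UDP, _udp(500, 500, IKE_HDR))])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IN
    s = summarise(data)
    print("packets=%d truncated=%d" % (s["total"], s["truncated"]))
    for (src, dst, label), n in s["flows"].most_common():
        print("%5d  %-15s -> %-15s %s" % (n, src, dst, label))
```

Run it with the exported file as the only argument (for example in-buffer.pcap); with no argument it summarises the embedded sample. A non-zero truncated count means max-size on the capture buffer was smaller than the packets on the wire, so payloads in the export are incomplete and the buffer should be recreated with a larger element size before the capture is repeated.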