Julie Burruss
Level 4

We all know that sometimes we need to see the packets. Often, however, getting a packet capture in the right place, or spanning the right VLANs, can take time. To make capturing packets easier, many Cisco products allow packet captures to be done directly on the devices. This is a handy reference to "how to" documents for Cisco products that support packet capture.

On Cisco IOS, there is Enhanced Packet Capture (EPC):

http://www.cisco.com/go/epc

https://supportforums.cisco.com/docs/DOC-5799

On Cisco IOS-XE (ASR), EPC was introduced in 3.7.0:

http://www.cisco.com/en/US/docs/ios-xml/ios/epc/configuration/xe-3s/epc-xe-3s-book.pdf

For the 7600 platform, there is a similar concept called Mini Protocol, which extends EPC into the hardware forwarding path:

http://www.cisco.com/en/US/partner/docs/routers/7600/ios/15S/configuration/guide/mpa.html

For the ASA, FWSM and PIX products, you can capture ingress and egress packets via the CLI and ASDM:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Additionally, you can capture packets which were dropped by the Accelerated Security Path (ASP) within the ASA and PIX by using a capture type of "asp-drop".

The Nexus platform has built-in Wireshark capability:

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.html

On the Wireless LAN Controller (WLC), you can trace packets to/from the CPU with the debug packet logging facility:

http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5err.html#wp1018313

On the Cisco Unified Communications Manager (CUCM), Unity Connection (UC), Cisco Unified Presence Server (CUP), and Unified Contact Center Express (UCCX), packets can be captured on the Command Line Interface (CLI):

https://supportforums.cisco.com/docs/DOC-11599

It is possible to capture packets on a PC connected to the back of a Cisco IP Phone:

https://supportforums.cisco.com/docs/DOC-11735

The ACS 5.x can show you the text output of a standard TCPDump:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/command/reference/cli_app_a.html#wp1890347

It's best to redirect that to a file when using SSH/telnet so you don't see your own management traffic, so "tech dumptcp 0 > my-cap.txt".

Comments
r.cheung
Level 1

Thanks for consolidating this into one page, Julie!

Quick note, the ASR9k dbg tool link appears dead...is there an alternate?

Julie Burruss
Level 4

It's been updated, thanks!

Minh Le
Cisco Employee

What about the "Router IP Traffic Export Packet Capture Enhancements" feature:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html#wp1056204

Jordan Dalley
Level 1

I wrote a howto for importing pcaps out of a Cisco router into Wireshark for packet inspection here: http://jordansciscos.blogspot.com.au/2013/06/capturing-packets-from-cisco-router-for.html

slav
Level 1

Hi Julie, this is a great summary of capturing capabilities across most platforms ... except for the one I need.

What about capturing packets on a CRS router with IOS-XR? Disappointingly IOS-XR doesn't seem to support EPC. There is a packet capture interface configuration command, but after entering it we can't commit - probably isn't supported in our s/w version (4.1.2). Would you know any other way of capturing on a CRS?

Thanks!

pgasparovic
Level 1

After having this bookmarked 3/4-year ago, utilizing it today for 1st time by sniffing 3G WAN interface on ISR G2 router - was a beauty. Great tool!
