11-06-2013 02:59 AM - edited 03-01-2019 04:58 PM
This document describes the procedure to perform EPC (Embedded Packet Capture), which is described in the following pages:
EPC has been implemented in 12.4(20)T and later. Currently, the capture buffer can be up to 102400 Kbytes. It is useful when it is difficult to install a capturing device at a remote site, or difficult to insert a switch for capturing.
With EPC you can capture packets into a buffer of up to 102400 Kbytes, export them via TFTP/FTP, and then open them with capture analysis software such as Wireshark.
Steps to capture by EPC
c2821# monitor capture buffer pacbuf size 512
c2821# monitor capture point ip process-switched ipsw in
c2821#
*Sep 23 12:37:05.899 JST: %BUFCAP-6-CREATE: Capture Point ipsw created.
c2821# monitor capture point associate ipsw pacbuf
c2821# monitor capture point start all
c2821#
*Sep 23 12:40:00.455 JST: %BUFCAP-6-ENABLE: Capture Point ipsw enabled.
c2821# show monitor capture buffer all parameters
Capture buffer pacbuf (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 68 bytes, Packets : 3173
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : ipsw, Status : Active
Configuration:
monitor capture buffer pacbuf size 512
monitor capture point associate ipsw pacbuf
c2821#
*Sep 23 12:41:14.575 JST: %BUFCAP-6-DISABLE: Capture Point ipsw disabled.
*Sep 23 12:41:14.575 JST: %BUFCAP-5-BUFFER_FULL: Linear Buffer associated with capture buffer pacbuf is full.
c2821# show monitor capture buffer all parameters
Capture buffer pacbuf (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 68 bytes, Packets : 3855
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : ipsw, Status : Inactive
Configuration:
monitor capture buffer pacbuf size 512
monitor capture point associate ipsw pacbuf
c2821# monitor capture point stop all
c2821# show monitor capture buffer pacbuf
12:40:00.463 JST Sep 23 2010 : IPv4 Process : Di1 None
12:40:00.479 JST Sep 23 2010 : IPv4 Process : Di1 None
12:40:00.499 JST Sep 23 2010 : IPv4 Process : Di1 None
(snip)
c2821# show monitor capture buffer pacbuf dump
12:40:00.463 JST Sep 23 2010 : IPv4 Process : Di1 None
4465BE90: FF030021 45000064 8C850000 FF015753  ...!E..d......WS
4465BEA0: C0A80102 0B0B0B0B 08009F4A 0005320B  @(.........J..2.
4465BEB0: 00000000 651347DC ABCDABCD ABCDABCD  ....e.G\+M+M+M+M
4465BEC0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
4465BED0: ABCDABCD 00                          +M+M.
12:40:00.479 JST Sep 23 2010 : IPv4 Process : Di1 None
4465BE90: FF030021 45000064 8C860000 FF015752  ...!E..d......WR
4465BEA0: C0A80102 0B0B0B0B 08009F35 0005320C  @(.........5..2.
4465BEB0: 00000000 651347F0 ABCDABCD ABCDABCD  ....e.Gp+M+M+M+M
4465BEC0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
4465BED0: ABCDABCD 00                          +M+M.
(snip)
c2821# monitor capture buffer pacbuf max-size 1024
c2821# show monitor capture buffer all parameters
Capture buffer pacbuf (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 1024 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : ipsw, Status : Inactive
Configuration:
monitor capture buffer pacbuf size 512 max-size 1024
monitor capture point associate ipsw pacbuf
c2821# monitor capture buffer pacbuf export ftp://<ftp server address>/<filename>
c2821# monitor capture buffer pacbuf clear
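The hex output of show monitor capture buffer pacbuf dump can also be decoded offline from a saved terminal log. The following Python sketch is an added example, not part of the original document or any Cisco tool; the function names parse_epc_dump and decode_ipv4 are hypothetical, and the sample is the first packet of the dump shown in the steps. It reads the rows back into bytes, skips the PPP header (FF 03 00 21) seen on the Di1 capture, and flags packets cut short by the 68-byte Max Element Size.

```python
import ipaddress
import re

# Constructed sample: first packet of the dump above, in the row layout IOS
# prints (address, up to four hex words, ASCII column).
SAMPLE = r"""12:40:00.463 JST Sep 23 2010 : IPv4 Process : Di1 None
4465BE90: FF030021 45000064 8C850000 FF015753  ...!E..d......WS
4465BEA0: C0A80102 0B0B0B0B 08009F4A 0005320B  @(.........J..2.
4465BEB0: 00000000 651347DC ABCDABCD ABCDABCD  ....e.G\+M+M+M+M
4465BEC0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
4465BED0: ABCDABCD 00                          +M+M.
"""

HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ \S+ \w{3} +\d+ \d{4} : ")
HEXROW = re.compile(r"^[0-9A-F]{8}: +(.*)$")
WORD = re.compile(r"^(?:[0-9A-F]{2}){1,4}$")

def parse_epc_dump(text):
    """Return [(header_line, frame_bytes), ...] from the 'dump' output."""
    packets = []
    for line in map(str.strip, text.splitlines()):
        if HEADER.match(line):
            packets.append((line, bytearray()))
        elif packets and (m := HEXROW.match(line)):
            for tok in m.group(1).split()[:4]:  # at most four hex words per row
                if not WORD.match(tok):
                    break                       # reached the ASCII column
                packets[-1][1].extend(bytes.fromhex(tok))
    return [(hdr, bytes(buf)) for hdr, buf in packets]

def decode_ipv4(frame):
    """Summarize the IPv4 header, skipping a PPP header (FF 03 00 21) if present."""
    ip = frame[4:] if frame[:4] == bytes.fromhex("FF030021") else frame
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None                             # not IPv4, or header cut off
    total_len = int.from_bytes(ip[2:4], "big")
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "proto": ip[9],
        "total_len": total_len,
        "captured": len(ip),
        "truncated": len(ip) < total_len,       # element size cut the packet short
    }

if __name__ == "__main__":
    for hdr, frame in parse_epc_dump(SAMPLE):
        print(hdr, decode_ipv4(frame))
```

A packet reported as truncated was cut at the buffer's element size; raising it with the max-size step shown above captures more of each packet.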
If you do not need to create several buffer names or capture points for different usage, it is easier to create an alias.
For example, here are some useful aliases.
(config)# alias exec cstart monitor capture point start all
(config)# alias exec cclear monitor capture buffer pacbuf clear
(config)# alias exec ccheck show monitor capture buffer all parameters
(config)# alias exec ccopy monitor capture buffer pacbuf export ftp://192.168.1.1//files/pacbuf_c2821.pcap
(config)# alias exec cstop monitor capture point stop all
Original Document: Cisco Support Community Japan DOC-13124
Author: Takashi Higashimura
Posted on September 22, 2010
Hi All, I need to clear my doubt: if I configure EPC on an ISR 4431 series to capture WAN interface traffic and dump it onto another PC through TFTP, will that hamper my WAN link working? Below are the commands used, kindly guide.
monitor capture abc source interface g0/0/3 both
monitor capture export destination tftp://10.10.10.10