Embedded Packet Capture, let’s go fishing for some packets!
February 26, 2014
EPC (Embedded Packet Capture) is another useful troubleshooting tool for occasionally capturing traffic on a router, to be analyzed locally or exported to a remote device. The word "occasionally" matters: this is in contrast with RITE (Router IP Traffic Export), or SPAN on switches, which are meant to provide a permanent flow of copied traffic directed to a traffic analyzer or IDS (Intrusion Detection System).
The configuration workflow is straightforward, but I would like to make a conceptual graphical analogy to illustrate it.
Let’s imagine traffic flowing through a router interface like the following:
1- Capture point:
Specify the protocol to capture (IPv4 or IPv6), the interface and the direction. This is where you indicate which IP protocol you need to capture.
monitor capture point ip cef CAPTURE_POINT fastEthernet 0/0 both
monitor capture point ipv6 cef CAPTURE_POINT fastEthernet 0/0 both
2- Packet buffer:
Memory area where the frames are stored once captured.
monitor capture buffer CAPTURE_BUFFER
3- ACL:
If needed, you can filter for a specific type of traffic; this is available only for IPv4.
(config)#access-list 100 permit icmp host 192.168.0.1 host 172.16.1.1
#monitor capture buffer CAPTURE_BUFFER filter access-list 100
Except for the optional IPv4 ACL, which is configured in global configuration mode, everything else is entered in privileged EXEC mode.
4- Associate capture point with capture buffer
monitor capture point associate CAPTURE_POINT CAPTURE_BUFFER
You can associate multiple capture points (on the same interface or on several interfaces) with the same buffer.
5- Start and stop capture process
If you are familiar with Wireshark, it will be easier to remember the steps needed to capture traffic.
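Putting the five steps together, here is a complete privileged EXEC session, added as an example and not taken from the original post. The interface, hosts and TFTP server are the ones used in this post; the buffer size, the 1024-byte element size and the show/cleanup commands are assumed additions that a practitioner would normally want.

```text
! Added example: full EPC workflow for ICMP between two hosts (buffer values assumed)
! Step 3 (optional IPv4 ACL) is the only part entered in global configuration mode
R1#configure terminal
R1(config)#access-list 100 permit icmp host 192.168.0.1 host 172.16.1.1
R1(config)#end
!
! Step 2: packet buffer. The default element size (68 bytes) truncates packets,
! so max-size is raised to 1024; circular keeps the newest packets once full
R1#monitor capture buffer CAPTURE_BUFFER size 512 max-size 1024 circular
R1#monitor capture buffer CAPTURE_BUFFER filter access-list 100
!
! Step 1: capture point (IPv4, CEF-switched traffic, both directions on fa0/0)
R1#monitor capture point ip cef CAPTURE_POINT fastEthernet 0/0 both
!
! Step 4: associate the capture point with the buffer
R1#monitor capture point associate CAPTURE_POINT CAPTURE_BUFFER
!
! Step 5: start, verify that packets are being counted, then stop
R1#monitor capture point start CAPTURE_POINT
R1#show monitor capture point all
R1#show monitor capture buffer CAPTURE_BUFFER parameters
R1#monitor capture point stop CAPTURE_POINT
!
! Inspect on the router (hex dump) or export the buffer as a pcap file
R1#show monitor capture buffer CAPTURE_BUFFER dump
R1#monitor capture buffer CAPTURE_BUFFER export tftp://192.168.0.145/ecp.pcap
!
! Cleanup: empty the buffer and remove the objects so router memory is released
R1#monitor capture buffer CAPTURE_BUFFER clear
R1#no monitor capture point ip cef CAPTURE_POINT fastEthernet 0/0 both
R1#no monitor capture buffer CAPTURE_BUFFER
```

The buffer and the capture point can be created in either order, but the ACL filter can only be attached once the buffer exists.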
Wireshark analogy
Deployment 1
Two capture points are created to capture IPv4 and IPv6 traffic into separate capture buffers.
monitor capture point ipv6 cef CAPTURE_POINT6 fa0/0 both
monitor capture buffer CAPTURE_BUFFER6
monitor capture point associate CAPTURE_POINT6 CAPTURE_BUFFER6
!
monitor capture point ip cef CAPTURE_POINT4 fa0/0 both
monitor capture buffer CAPTURE_BUFFER4
monitor capture point associate CAPTURE_POINT4 CAPTURE_BUFFER4
The following is the result on the router:
Deployment 2
Two capture points are created to capture IPv4 and IPv6 traffic into a single capture buffer.
monitor capture point ipv6 cef CAPTURE_POINT6 fa0/0 both
monitor capture point ip cef CAPTURE_POINT4 fa0/0 both
!
monitor capture buffer CAPTURE_BUFFER46
!
monitor capture point associate CAPTURE_POINT6 CAPTURE_BUFFER46
monitor capture point associate CAPTURE_POINT4 CAPTURE_BUFFER46
The following is the result on the router:
Exporting
! Example of export to FTP
R1#monitor capture buffer CAPTURE_BUFFER46 export ftp://login:password@192.168.0.32/Volume_1/ecp.pcap
Writing Volume_1/ecp.pcap
R1#
! Example of export to TFTP
R1#monitor capture buffer CAPTURE_BUFFER46 export tftp://192.168.0.145/ecp.pcap
!
R1#
And the file opened in Wireshark:
EPC traffic opened with Wireshark
That’s all folks!