
The Capture Buffer (or “sniffing”) on Cisco IOS

April 25th, 2010

A great alternative to SPAN and RSPAN is to use IOS itself as the packet sniffer: capture traffic from the CLI into a buffer on the router and, when you need to, export the buffer as a ".cap" (pcap) file that Wireshark or any other analyser can open on your PC.

This is very handy when troubleshooting packet loss at a remote location where no sniffer trace is available.

  • Available from Cisco IOS 12.4(20)T onwards (Cisco calls the feature Embedded Packet Capture).
  • A capture point is scoped by interface name and direction (in, out or both) and captures either CEF-switched or process-switched traffic; the buffer it feeds can additionally be filtered with an ACL.
  • The buffer size and the number of bytes kept per packet are both configurable, and the per-packet default keeps the headers but not the payload (so maybe start small, eh?).

Here is an example capture session:

DEVICE USED: Cisco 1841 with IOS Version 12.4(24)T3

STEP 1 – SET IT UP

Define the capture buffer:

1841_Router#monitor capture buffer DM_TEST_CAPTURE
1841_Router#

Define the capture point (here for CEF-switched IPv4 traffic on all interfaces, in both directions):

1841_Router#monitor capture point ip cef CAP_POINT all both
1841_Router#
*Apr 25 14:36:04.199: %BUFCAP-6-CREATE: Capture Point CAP_POINT created.

Associate the capture point to the buffer:

1841_Router#monitor capture point associate CAP_POINT DM_TEST_CAPTURE
1841_Router#

STEP 2 – START CAPTURING:

1841_Router#monitor capture point start all

To see a summary of the frames in the buffer during the capture:

1841_Router#show monitor capture buffer DM_TEST_CAPTURE

To see a dump of the frames in the buffer during the capture:

1841_Router#show monitor capture buffer DM_TEST_CAPTURE dump

EXAMPLE CAPTURE (generate some pings from the router while the capture point is running, then show the buffer). Two things to notice in the output: only the five echo replies arriving on Fa0/1 appear (ICMP type 0, source 192.168.150.254), because the router's own outgoing echo requests are locally generated and do not pass through the CEF path, so the cef capture point does not see them; to capture traffic the router itself originates you need a process-switched capture point with the from-us option. Also, each frame is cut short: the IPv4 total length field reads 0x0064 = 100 bytes (114 on the wire with the Ethernet header), yet only the first 69 bytes of each frame are stored, because the buffer's per-packet max-size defaults to a value that covers the headers but not the payload. Raise max-size on the buffer if you need payload.

1841_Router#ping 192.168.150.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.150.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Show the capture buffer:

1841_Router#show monitor capture buffer DM_TEST_CAPTURE dump
14:42:25.151 UTC Apr 25 2010 : IPv4 LES CEF    : Fa0/1 None

657F3A20:                            001BD509              ..U.
657F3A30: E773000F 8FB76C80 08004500 0064000A  gs...7l...E..d..
657F3A40: 0000FE01 0E3EC0A8 96FEC0A8 96010000  ..~..>@(.~@(....
657F3A50: 2E250002 00000000 0000000B 5818ABCD  .%..........X.+M
657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
657F3A70: 00                                   .

14:42:25.155 UTC Apr 25 2010 : IPv4 LES CEF    : Fa0/1 None

657F3A20:                            001BD509              ..U.
657F3A30: E773000F 8FB76C80 08004500 0064000B  gs...7l...E..d..
657F3A40: 0000FE01 0E3DC0A8 96FEC0A8 96010000  ..~..=@(.~@(....
657F3A50: 2E240002 00010000 0000000B 5818ABCD  .$..........X.+M
657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
657F3A70: 00                                   .

14:42:25.155 UTC Apr 25 2010 : IPv4 LES CEF    : Fa0/1 None

657F3A20:                            001BD509              ..U.
657F3A30: E773000F 8FB76C80 08004500 0064000C  gs...7l...E..d..
657F3A40: 0000FE01 0E3CC0A8 96FEC0A8 96010000  ..~..<@(.~@(....
657F3A50: 2E1F0002 00020000 0000000B 581CABCD  ............X.+M
657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
657F3A70: 00                                   .

14:42:25.155 UTC Apr 25 2010 : IPv4 LES CEF    : Fa0/1 None

657F3A20:                            001BD509              ..U.
657F3A30: E773000F 8FB76C80 08004500 0064000D  gs...7l...E..d..
657F3A40: 0000FE01 0E3BC0A8 96FEC0A8 96010000  ..~..;@(.~@(....
657F3A50: 2E1E0002 00030000 0000000B 581CABCD  ............X.+M
657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
657F3A70: 00                                   .

14:42:25.155 UTC Apr 25 2010 : IPv4 LES CEF    : Fa0/1 None

657F3A20:                            001BD509              ..U.
657F3A30: E773000F 8FB76C80 08004500 0064000E  gs...7l...E..d..
657F3A40: 0000FE01 0E3AC0A8 96FEC0A8 96010000  ..~..:@(.~@(....
657F3A50: 2E1D0002 00040000 0000000B 581CABCD  ............X.+M
657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
657F3A70: 00                                   .

1841_Router#
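If the router cannot reach a TFTP server (console-only access, or TFTP blocked on the management network), the dump output above is enough to rebuild a pcap file by hand. The Python script below is an added example, not code from the original post or from Cisco: it parses the text of "show monitor capture buffer ... dump", decodes the Ethernet, IPv4 and ICMP headers, verifies the IP header checksum, reports how much of each frame the buffer actually kept, and writes a classic libpcap file that Wireshark opens. The embedded sample input is the first two frames of the dump shown above. It assumes the dump line format used on this page and reads the timestamps as UTC, following the "UTC" in those lines.

```python
"""Rebuild a pcap file from the text of 'show monitor capture buffer <name> dump'.

Added example, not part of the original post.  Assumptions: the dump uses the
line format shown on the page (one timestamp header per frame, then
'ADDRESS: HEX HEX HEX HEX  ascii' lines) and the IOS clock is in UTC.
"""
import re
import struct
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Sample input: the first two frames of the dump shown on the page.
SAMPLE_DUMP = """\
14:42:25.151 UTC Apr 25 2010 : IPv4 LES CEF    : Fa0/1 None

657F3A20:                            001BD509              ..U.
657F3A30: E773000F 8FB76C80 08004500 0064000A  gs...7l...E..d..
657F3A40: 0000FE01 0E3EC0A8 96FEC0A8 96010000  ..~..>@(.~@(....
657F3A50: 2E250002 00000000 0000000B 5818ABCD  .%..........X.+M
657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
657F3A70: 00                                   .

14:42:25.155 UTC Apr 25 2010 : IPv4 LES CEF    : Fa0/1 None

657F3A20:                            001BD509              ..U.
657F3A30: E773000F 8FB76C80 08004500 0064000B  gs...7l...E..d..
657F3A40: 0000FE01 0E3DC0A8 96FEC0A8 96010000  ..~..=@(.~@(....
657F3A50: 2E240002 00010000 0000000B 5818ABCD  .$..........X.+M
657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
657F3A70: 00                                   .
"""

# "14:42:25.151 UTC Apr 25 2010 : IPv4 LES CEF : Fa0/1 None" starts a frame.
FRAME_HDR = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+\S+\s+(\w{3}\s+\d{1,2}\s+\d{4})\s*:")
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{8}:\s*(.*)$")   # "657F3A30: E773000F ...  gs...7l..."
HEX_WORD = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


@dataclass
class Frame:
    ts: float                                            # epoch seconds (IOS stamp read as UTC)
    data: bytearray = field(default_factory=bytearray)   # bytes the buffer kept (may be truncated)


def parse_dump(text: str) -> list:
    """One Frame per timestamped header; hex words are appended until the next header."""
    frames, cur = [], None
    for line in text.splitlines():
        m = FRAME_HDR.match(line)
        if m:
            stamp = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%b %d %Y %H:%M:%S.%f")
            cur = Frame(stamp.replace(tzinfo=timezone.utc).timestamp())
            frames.append(cur)
            continue
        m = HEX_LINE.match(line)
        if m and cur is not None:
            # Two or more spaces separate the hex words from the ASCII column.
            for word in re.split(r"\s{2,}", m.group(1).strip())[0].split():
                if not HEX_WORD.match(word):
                    break
                cur.data += bytes.fromhex(word)
    return frames


def ip_checksum_ok(header: bytes) -> bool:
    """Ones-complement sum over the IPv4 header, checksum field included, must fold to 0xFFFF."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_frame(data: bytes) -> dict:
    """Decode Ethernet II / IPv4 / ICMP headers and flag frames the buffer cut short."""
    info = {"captured_len": len(data), "wire_len": len(data), "truncated": False}
    if len(data) < 14:
        return info
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    info.update(eth_dst=dst.hex(":"), eth_src=src.hex(":"), ethertype=ethertype)
    if ethertype != 0x0800 or len(data) < 34:
        return info
    vihl, _, total_len, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", data[14:34])
    ihl = (vihl & 0x0F) * 4
    info.update(ip_len=total_len, ttl=ttl, proto=proto,
                src=".".join(map(str, sip)), dst=".".join(map(str, dip)), wire_len=14 + total_len,
                ip_checksum_ok=ip_checksum_ok(bytes(data[14:14 + ihl])) if len(data) >= 14 + ihl else None)
    info["truncated"] = len(data) < info["wire_len"]     # max-size kept fewer bytes than were on the wire
    off = 14 + ihl
    if proto == 1 and len(data) >= off + 8:
        typ, code, _, ident, seq = struct.unpack("!BBHHH", data[off:off + 8])
        info.update(icmp_type=typ, icmp_code=code, icmp_id=ident, icmp_seq=seq)
    return info


def to_pcap(frames) -> bytes:
    """Classic libpcap file, LINKTYPE_ETHERNET; orig_len carries the on-wire length."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for f in frames:
        sec = int(f.ts)
        usec = int(round((f.ts - sec) * 1_000_000))
        orig_len = max(decode_frame(f.data)["wire_len"], len(f.data))
        out.append(struct.pack("<IIII", sec, usec, len(f.data), orig_len))
        out.append(bytes(f.data))
    return b"".join(out)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    frames = parse_dump(text)
    for f in frames:
        i = decode_frame(f.data)
        print(f"{i.get('src')} -> {i.get('dst')} proto {i.get('proto')} icmp seq {i.get('icmp_seq')}: "
              f"{i['captured_len']}/{i['wire_len']} bytes{' (truncated)' if i['truncated'] else ''}")
    with open(sys.argv[2] if len(sys.argv) > 2 else "capture.pcap", "wb") as fh:
        fh.write(to_pcap(frames))
```

Paste the dump into a text file and run it as "python3 ios_dump2pcap.py dump.txt out.pcap" (with no arguments it converts the embedded sample). Because the pcap record header carries both the captured length and the on-wire length, Wireshark shows each of these frames as 114 bytes on the wire with 69 bytes captured, which is exactly the truncation that the buffer's max-size setting controls.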

STOPPING AND EXPORTING THE CAPTURE:

1841_Router#mon capture point stop all
1841_Router#
*Apr 25 14:54:51.283: %BUFCAP-6-DISABLE: Capture Point CAP_POINT disabled.
1841_Router#

EXPORTING THE CAPTURE via tftp:

1841_Router#mon cap buff DM_TEST_CAPTURE export tftp://192.168.1.100/capture.cap
!
1841_Router#

And voila! You have a Wireshark capture of the traffic. Bear in mind that TFTP carries the file in the clear with no authentication, and a capture may well contain credentials or other sensitive payload, so export over a management network to a host you control and delete the file from the TFTP server once you have fetched it.

(Hmmm, I have RIP version 1 coming in from another router? Glad I tried this capture buffer thing!)


NOW TIDY UP BEHIND YOU (the capture point is a separate object from the buffer, so remove it as well when you are done):

1841_Router#no mon cap buff DM_TEST_CAPTURE
Capture Buffer deleted
