{"id":546,"date":"2010-04-25T13:01:55","date_gmt":"2010-04-25T12:01:55","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=546"},"modified":"2010-08-07T09:47:56","modified_gmt":"2010-08-07T08:47:56","slug":"packet-capture-sniffing-on-cisco-ios","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=546","title":{"rendered":"The Capture Buffer (or &#8220;sniffing&#8221;) on Cisco IOS"},"content":{"rendered":"<p>A great alternative to SPAN and RSPAN is to use the IOS itself as the packet sniffer!  Capture traffic from the CLI and, when you need to, export the data as a &#8220;.cap&#8221; (Wireshark, etc.) file to your PC.<!--more--><\/p>\n<p>This is very nice when troubleshooting packet loss at a remote location where a sniffer trace isn&#8217;t available.<\/p>\n<ul>\n<li>Available from Cisco IOS 12.4(20)T onwards<\/li>\n<li>Capture points can be filtered by interface name, direction and ACL, and can even capture traffic punted to process level.<\/li>\n<li>The buffer size can be configured (so maybe start small, eh?)<\/li>\n<\/ul>\n<p><strong>Here is an example capture session:<\/strong><\/p>\n<p>DEVICE USED: Cisco 1841 with IOS Version <strong>12.4(24)T3<\/strong><\/p>\n<p><strong>STEP 1 &#8211; SET IT UP<\/strong><\/p>\n<blockquote><p>Define the capture buffer:<\/p>\n<p>1841_Router#monitor capture buffer DM_TEST_CAPTURE<br \/>\n1841_Router#<\/p>\n<p>Define the capture point:<\/p>\n<p>1841_Router#monitor capture point ip cef CAP_POINT all both<br \/>\n1841_Router#<br \/>\n*Apr 25 14:36:04.199: %BUFCAP-6-CREATE: Capture Point CAP_POINT created.<\/p>\n<p>Associate the capture point to the buffer:<\/p>\n<p>1841_Router#monitor capture point associate CAP_POINT DM_TEST_CAPTURE<br \/>\n1841_Router#<\/p><\/blockquote>\n<p><strong>STEP 2 &#8211; START CAPTURING:<\/strong><\/p>\n<blockquote><p>1841_Router#monitor capture point start all<\/p>\n<p>To see a summary of the frames in the buffer during the capture:<\/p>\n<p>1841_Router#show monitor capture buffer 
DM_TEST_CAPTURE<\/p>\n<p>To see a dump of the frames in the buffer during the capture:<\/p>\n<p>1841_Router#show monitor capture buffer DM_TEST_CAPTURE dump<\/p><\/blockquote>\n<p><strong>EXAMPLE CAPTURE<\/strong> (generate some pings while capture buffer is started, show the buffer):<\/p>\n<blockquote><p>1841_Router#ping 192.168.150.254<\/p>\n<p>Type escape sequence to abort.<br \/>\nSending 5, 100-byte ICMP Echos to 192.168.150.254, timeout is 2 seconds:<br \/>\n!!!!!<br \/>\nSuccess rate is 100 percent (5\/5), round-trip min\/avg\/max = 1\/1\/4 ms<\/p><\/blockquote>\n<p><strong>Show the capture buffer:<\/strong><\/p>\n<blockquote><p>1841_Router#show monitor capture buffer DM_TEST_CAPTURE dump<br \/>\n14:42:25.151 UTC Apr 25 2010 : IPv4 LES CEF\u00a0\u00a0\u00a0 : Fa0\/1 None<\/p>\n<p>657F3A20:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 001BD509\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ..U.<br \/>\n657F3A30: E773000F 8FB76C80 08004500 0064000A\u00a0 gs&#8230;7l&#8230;E..d..<br \/>\n657F3A40: 0000FE01 0E3EC0A8 96FEC0A8 96010000\u00a0 ..~..&gt;@(.~@(&#8230;.<br \/>\n657F3A50: 2E250002 00000000 0000000B 5818ABCD\u00a0 .%&#8230;&#8230;&#8230;.X.+M<br \/>\n657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD\u00a0 +M+M+M+M+M+M+M+M<br \/>\n657F3A70: 00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 .<\/p>\n<p>14:42:25.155 UTC Apr 25 2010 : IPv4 LES CEF\u00a0\u00a0\u00a0 : Fa0\/1 None<\/p>\n<p>657F3A20:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 001BD509\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ..U.<br \/>\n657F3A30: 
E773000F 8FB76C80 08004500 0064000B\u00a0 gs&#8230;7l&#8230;E..d..<br \/>\n657F3A40: 0000FE01 0E3DC0A8 96FEC0A8 96010000\u00a0 ..~..=@(.~@(&#8230;.<br \/>\n657F3A50: 2E240002 00010000 0000000B 5818ABCD\u00a0 .$&#8230;&#8230;&#8230;.X.+M<br \/>\n657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD\u00a0 +M+M+M+M+M+M+M+M<br \/>\n657F3A70: 00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 .<\/p>\n<p>14:42:25.155 UTC Apr 25 2010 : IPv4 LES CEF\u00a0\u00a0\u00a0 : Fa0\/1 None<\/p>\n<p>657F3A20:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 001BD509\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ..U.<br \/>\n657F3A30: E773000F 8FB76C80 08004500 0064000C\u00a0 gs&#8230;7l&#8230;E..d..<br \/>\n657F3A40: 0000FE01 0E3CC0A8 96FEC0A8 96010000\u00a0 ..~..&lt;@(.~@(&#8230;.<br \/>\n657F3A50: 2E1F0002 00020000 0000000B 581CABCD\u00a0 &#8230;&#8230;&#8230;&#8230;X.+M<br \/>\n657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD\u00a0 +M+M+M+M+M+M+M+M<br \/>\n657F3A70: 00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 .<\/p>\n<p>14:42:25.155 UTC Apr 25 2010 : IPv4 LES CEF\u00a0\u00a0\u00a0 : Fa0\/1 None<\/p>\n<p>657F3A20:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 001BD509\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ..U.<br \/>\n657F3A30: E773000F 8FB76C80 08004500 0064000D\u00a0 gs&#8230;7l&#8230;E..d..<br \/>\n657F3A40: 0000FE01 0E3BC0A8 96FEC0A8 96010000\u00a0 ..~..;@(.~@(&#8230;.<br 
\/>\n657F3A50: 2E1E0002 00030000 0000000B 581CABCD\u00a0 &#8230;&#8230;&#8230;&#8230;X.+M<br \/>\n657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD\u00a0 +M+M+M+M+M+M+M+M<br \/>\n657F3A70: 00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 .<\/p>\n<p>14:42:25.155 UTC Apr 25 2010 : IPv4 LES CEF\u00a0\u00a0\u00a0 : Fa0\/1 None<\/p>\n<p>657F3A20:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 001BD509\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ..U.<br \/>\n657F3A30: E773000F 8FB76C80 08004500 0064000E\u00a0 gs&#8230;7l&#8230;E..d..<br \/>\n657F3A40: 0000FE01 0E3AC0A8 96FEC0A8 96010000\u00a0 ..~..:@(.~@(&#8230;.<br \/>\n657F3A50: 2E1D0002 00040000 0000000B 581CABCD\u00a0 &#8230;&#8230;&#8230;&#8230;X.+M<br \/>\n657F3A60: ABCDABCD ABCDABCD ABCDABCD ABCDABCD\u00a0 +M+M+M+M+M+M+M+M<br \/>\n657F3A70: 00\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 .<\/p>\n<p>1841_Router#<\/p><\/blockquote>\n<p><strong>STOPPING AND EXPORTING THE CAPTURE:<\/strong><\/p>\n<blockquote><p>1841_Router#mon capture point stop all<br \/>\n1841_Router#<br \/>\n*Apr 25 14:54:51.283: %BUFCAP-6-DISABLE: Capture Point CAP_POINT<\/p>\n<p>disabled.<br \/>\n1841_Router#<\/p><\/blockquote>\n<p>EXPORTING THE CAPTURE via tftp:<\/p>\n<blockquote><p>1841_Router#mon cap buff DM_TEST_CAPTURE export tftp:\/\/192.168.1.100\/capture.cap<br \/>\n!<br \/>\n1841_Router#<\/p><\/blockquote>\n<p><strong>And voila!\u00a0 You have a Wireshark capture of the traffic!<\/strong><\/p>\n<div id=\"attachment_831\" style=\"width: 529px\" class=\"wp-caption aligncenter\"><a 
rel=\"attachment wp-att-831\" href=\"http:\/\/darenmatthews.com\/blog\/?attachment_id=831\"><img aria-describedby=\"caption-attachment-831\" loading=\"lazy\" class=\"size-full wp-image-831\" title=\"DM_TEST_1841_capture_buffer_export\" src=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/03\/DM_TEST_1841_capture_buffer_export.JPG\" alt=\"(Hmmm, I have RIP version 1 coming in from another router?  Glad I tried this capture buffer thing!\" width=\"519\" height=\"309\" srcset=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/03\/DM_TEST_1841_capture_buffer_export.JPG 519w, http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/03\/DM_TEST_1841_capture_buffer_export-300x178.jpg 300w\" sizes=\"(max-width: 519px) 100vw, 519px\" \/><\/a><p id=\"caption-attachment-831\" class=\"wp-caption-text\">(Hmmm, I have RIP version 1 enabled on some routers?  Glad I tried this capture buffer thing!)<\/p><\/div>\n<p><strong>NOW TIDY UP BEHIND YOU:<\/strong><\/p>\n<blockquote><p>1841_Router#no mon cap buff DM_TEST_CAPTURE<br \/>\nCapture Buffer deleted<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>A great alternative to SPAN and RSPAN is to use the IOS itself as the packet sniffer! Capture traffic from the CLI and, when you need to, export the data as a &#8220;.cap&#8221; (Wireshark, etc.) file 
to your PC.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[83],"tags":[37],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/546"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=546"}],"version-history":[{"count":20,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/546\/revisions"}],"predecessor-version":[{"id":830,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/546\/revisions\/830"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=546"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}