Traffic Capture on Cisco IOS

Here’s a quick how-to for a traffic capture on Cisco IOS routers.

Interesting traffic

at first, you have to create an access-list, which filters the traffic you want to capture. It is important to add entries for both directions. In my example I want to capture every traffic which flows from and to the host 192.168.10.22

conf t
access-list 144 permit ip host 192.168.10.22 any
access-list 144 permit ip any host 192.168.10.22
exit

Creation of a Capture Buffer

Now you have to create a Capture Buffer, which will save our captured packets. In my example its called C-BUFFER but you can name it whatever you want. In the next step, it will be linked to the previously-created access-list. In the example it has a size of 2 MB, current routers can save up to 10 MB. The packet size is defined with the command max-size. If you would use circular instead of linear, the buffer would get overwritten if it gets full.

monitor capture buffer C-BUFFER size 2048 max-size 1518 linear
monitor capture buffer C-BUFFER filter access-list 144

Creation of a Capture Point

Now we have to create a Capture Point and link it with the previously-created Buffer. The keyword both means that we capture traffic in both directions. We have to differentiate between cef traffic and process-switched traffic. Nowadays, as good as every packet which flows through a router is cef-switched. (Cisco Express Forwarding). This is why we use the cef keyword in the command. If you want to capture traffic, which is destined for the router, or fragmented packets, then you would have to use the process-switched command. This line is commented out in my example.

monitor capture point ip cef C-POINT all both
!monitor capture point ip process-switched C-POINT both
monitor capture point associate C-POINT C-BUFFER

Start of the capture

with this command, the capture will be started. Now create the traffic you want to capture.

monitor capture point start C-POINT

Stop of the capture

If the traffic is captured, you have to stop the running capture on the router. In the next step, the data is exported as pcap, so it can be viewed with for example Wireshark.

monitor capture point stop C-POINT
monitor capture buffer C-BUFFER export tftp://1.2.3.4/filename.pcap

Cleanup

You have the traffic you want in the pcap? Time to clean up the router.

!no monitor capture point ip process-switched C-POINT both
no monitor capture point ip cef C-POINT all both
no monitor capture buffer C-BUFFER
conf t
no access-list 144
exit

Whole configuration

for all who just quickly needs the commands as a reference:

conf t
access-list 144 permit ip host 192.168.10.22 any
access-list 144 permit ip any host 192.168.10.22
exit
monitor capture buffer C-BUFFER size 2048 max-size 1518 linear
monitor capture buffer C-BUFFER filter access-list 144
monitor capture point ip cef C-POINT all both
!monitor capture point ip process-switched C-POINT both
monitor capture point associate C-POINT C-BUFFER
monitor capture point start C-POINT
!---
! Traffic produzieren
!---
monitor capture point stop C-POINT
monitor capture buffer C-BUFFER export tftp://1.2.3.4/filename.pcap
!----
!no monitor capture point ip process-switched C-POINT both
no monitor capture point ip cef C-POINT all both
no monitor capture buffer C-BUFFER
conf t
no access-list 144
exit

Leave a Reply

Your email address will not be published.