{"id":155,"date":"2016-04-02T21:31:45","date_gmt":"2016-04-02T19:31:45","guid":{"rendered":"https:\/\/www.syn-flut.de\/?p=155"},"modified":"2016-08-30T14:08:06","modified_gmt":"2016-08-30T12:08:06","slug":"traffic-capture-on-cisco-ios","status":"publish","type":"post","link":"https:\/\/www.syn-flut.de\/en\/traffic-capture-on-cisco-ios","title":{"rendered":"Traffic Capture on Cisco IOS"},"content":{"rendered":"<p>Here&#8217;s a quick how-to for capturing traffic on Cisco IOS routers with the router&#8217;s own capture buffer and exporting the result as a pcap file.<br \/>\n<!--more--><\/p>\n<h2>Interesting traffic<\/h2>\n<p>First, create an access-list that selects the traffic you want to capture. It is important to add entries for both directions: a single <strong>host 192.168.10.22 any<\/strong> entry would only match packets the host sends, not the replies. In this example I capture all traffic flowing from and to the host 192.168.10.22.<\/p>\n<pre class=\"brush: cisco; title: ; notranslate\" title=\"\">\r\nconf t\r\naccess-list 144 permit ip host 192.168.10.22 any\r\naccess-list 144 permit ip any host 192.168.10.22\r\nexit\r\n<\/pre>\n<h2>Creation of a Capture Buffer<\/h2>\n<p>Next, create a capture buffer that stores the captured packets. In this example it is called <strong>C-BUFFER<\/strong>, but you can name it whatever you want. The second command links it to the access-list created above, so only matching packets are stored. The buffer here is 2 MB (the <strong>size<\/strong> argument is given in kilobytes); current routers accept up to 10 MB, but the buffer lives in the router&#8217;s RAM, so size it conservatively on small platforms. <strong>max-size<\/strong> is the maximum number of bytes stored per packet; 1518 keeps a full Ethernet frame, a smaller value truncates packets. With <strong>linear<\/strong> the capture stops once the buffer is full; with <strong>circular<\/strong> the oldest packets are overwritten instead.<\/p>\n<pre class=\"brush: cisco; title: ; notranslate\" title=\"\">\r\nmonitor capture buffer C-BUFFER size 2048 max-size 1518 linear\r\nmonitor capture buffer C-BUFFER filter access-list 144\r\n<\/pre>\n<h2>Creation of a Capture Point<\/h2>\n<p>Now create a capture point and associate it with the buffer created above. 
The keyword <strong>both<\/strong> captures traffic in both directions (inbound and outbound), and <strong>all<\/strong> selects all interfaces. We have to distinguish between <strong>cef<\/strong>-switched and <strong>process-switched<\/strong> traffic. Nowadays almost every packet that transits a router is <strong>cef<\/strong>-switched (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Cisco_Express_Forwarding\" target=\"_blank\">Cisco Express Forwarding<\/a>), which is why the example uses the <strong>cef<\/strong> keyword. Traffic destined for the router itself, and packets that need reassembly such as fragments, are process-switched and only show up in a <strong>process-switched<\/strong> capture point; that line is commented out in the example, so uncomment it if you need that traffic. Before generating traffic, verify with <strong>show monitor capture point all<\/strong> that the point is associated with the buffer.<\/p>\n<pre class=\"brush: cisco; title: ; notranslate\" title=\"\">\r\nmonitor capture point ip cef C-POINT all both\r\n!monitor capture point ip process-switched C-POINT both\r\nmonitor capture point associate C-POINT C-BUFFER\r\n<\/pre>\n<h2>Start of the capture<\/h2>\n<p>This command starts the capture. Now generate the traffic you want to capture. Note that all <strong>monitor capture<\/strong> commands are privileged EXEC commands, not configuration commands; the access-list is the only part of this procedure that goes into the running configuration.<\/p>\n<pre class=\"brush: cisco; title: ; notranslate\" title=\"\">\r\nmonitor capture point start C-POINT\r\n<\/pre>\n<h2>Stop of the capture<\/h2>\n<p>Once the traffic has been captured, stop the capture on the router and export the buffer as <strong>pcap<\/strong>, so it can be analysed with Wireshark, for example. Keep in mind that TFTP is neither authenticated nor encrypted: the pcap, including every payload in it, crosses the network in the clear, and anyone who can reach the TFTP server can fetch it. Export to a server on a trusted management network, or use a transport-secured destination such as scp:\/\/ where the platform supports it, and delete the file from the server when you are done.<\/p>\n<pre class=\"brush: cisco; title: ; notranslate\" title=\"\">\r\nmonitor capture point stop C-POINT\r\nmonitor capture buffer C-BUFFER export tftp:\/\/1.2.3.4\/filename.pcap\r\n<\/pre>\n<h2>Cleanup<\/h2>\n<p>You have the traffic you want in the pcap? 
Time to clean up the router. The capture point and buffer are not part of the running configuration, but the access-list is, so remove it as well so it does not linger there.<\/p>\n<pre class=\"brush: cisco; title: ; notranslate\" title=\"\">\r\n!no monitor capture point ip process-switched C-POINT both\r\nno monitor capture point ip cef C-POINT all both\r\nno monitor capture buffer C-BUFFER\r\nconf t\r\nno access-list 144\r\nexit\r\n<\/pre>\n<h2>Whole configuration<\/h2>\n<p>For anyone who just needs the commands as a quick reference:<\/p>\n<pre class=\"brush: cisco; title: ; notranslate\" title=\"\">\r\nconf t\r\naccess-list 144 permit ip host 192.168.10.22 any\r\naccess-list 144 permit ip any host 192.168.10.22\r\nexit\r\nmonitor capture buffer C-BUFFER size 2048 max-size 1518 linear\r\nmonitor capture buffer C-BUFFER filter access-list 144\r\nmonitor capture point ip cef C-POINT all both\r\n!monitor capture point ip process-switched C-POINT both\r\nmonitor capture point associate C-POINT C-BUFFER\r\nmonitor capture point start C-POINT\r\n!---\r\n! Generate the traffic to be captured\r\n!---\r\nmonitor capture point stop C-POINT\r\nmonitor capture buffer C-BUFFER export tftp:\/\/1.2.3.4\/filename.pcap\r\n!----\r\n!no monitor capture point ip process-switched C-POINT both\r\nno monitor capture point ip cef C-POINT all both\r\nno monitor capture buffer C-BUFFER\r\nconf t\r\nno access-list 144\r\nexit\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Sorry, this entry is only available in German.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,33],"tags":[22,23,21,20],"class_list":["post-155","post","type-post","status-publish","format-standard","hentry","category-cisco","category-routing-switching","tag-cisco","tag-router","tag-tcpdump","tag-wireshark"],"_links":{"self":[{"href":"https:\/\/www.syn-flut.de\/en\/wp-json\/wp\/v2\/posts\/155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.syn-flut.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.syn-flut.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.syn-flut.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.syn-flut.de\/en\/wp-json\/wp\/v2\/comments?post=155"}],"version-history":[{"count":12,"href":"https:\/\/www.syn-flut.de\/en\/wp-json\/wp\/v2\/posts\/155\/revisions"}],"predecessor-version":[{"id":260,"href":"https:\/\/www.syn-flut.de\/en\/wp-json\/wp\/v2\/posts\/155\/revisions\/260"}],"wp:attachment":[{"href":"https:\/\/www.syn-flut.de\/en\/wp-json\/wp\/v2\/media?parent=155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.syn-flut.de\/en\/wp-json\/wp\/v2\/categories?post=155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.syn-flut.de\/en\/wp-json\/wp\/v2\/tags?post=155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
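The procedure in the post ends with a pcap file on the TFTP server. What a practitioner wants to know next is whether the export actually contains what access-list 144 was meant to admit (both directions to and from 192.168.10.22) and whether `max-size 1518` cut any frames short. The script below is an added example, not code from the original post: it parses the classic pcap format with the Python standard library only, emulates the two ACL entries, and flags truncated records. The sample capture at the bottom is constructed inline (the peer addresses 10.0.0.5 and 10.0.0.9, the timestamps and the helper names `_frame`, `_pcap`, `check_capture` are this example's own assumptions) so that it runs offline.

```python
"""Sanity-check a pcap exported from a Cisco IOS capture buffer.

Added example, not code from the original post. It reads the classic
pcap format (Ethernet link type) with the standard library only and
checks two things worth knowing after `monitor capture buffer ... export`:

  1. every IPv4 packet is one access-list 144 was meant to admit, i.e. it
     has 192.168.10.22 as source or destination (both ACL entries);
  2. how many frames were cut short by `max-size 1518`, visible as
     incl_len < orig_len in the pcap record header.

The sample capture at the bottom is constructed inline (the peer addresses
10.0.0.5 and 10.0.0.9 are invented) so the script runs offline.
"""
import struct
from ipaddress import IPv4Address

HOST = "192.168.10.22"        # the host from the post's access-list 144
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1


def acl_144_permits(src: str, dst: str, host: str = HOST) -> bool:
    """Emulate the two entries of access-list 144 (host -> any, any -> host)."""
    return src == host or dst == host


def parse_pcap(data: bytes):
    """Yield (incl_len, orig_len, frame) for every record of a classic pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _, _, _, _, _snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}, expected Ethernet")
    off = 24                                     # global header is 24 bytes
    while off + 16 <= len(data):                 # each record header is 16 bytes
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def ipv4_endpoints(frame: bytes):
    """Return (src, dst) of an Ethernet II / IPv4 frame, or None for anything else."""
    if len(frame) < 34:                          # 14 bytes Ethernet + 20 bytes IPv4
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))


def check_capture(data: bytes, host: str = HOST) -> dict:
    """Compare an exported capture with what the access-list should have admitted."""
    report = {"packets": 0, "permitted": 0, "unexpected": [], "truncated": 0}
    for incl_len, orig_len, frame in parse_pcap(data):
        report["packets"] += 1
        if incl_len < orig_len:                  # stored bytes < bytes on the wire
            report["truncated"] += 1
        ends = ipv4_endpoints(frame)
        if ends is not None and acl_144_permits(*ends, host=host):
            report["permitted"] += 1
        else:
            report["unexpected"].append(ends)    # non-IPv4 or not covered by the ACL
    return report


# --- constructed sample data (not a real capture) -------------------------

def _frame(src: str, dst: str, payload_len: int) -> bytes:
    """Build a minimal Ethernet II + IPv4 frame; header fields other than the
    addresses are placeholders (no valid checksum)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + b"\x00" * payload_len


def _pcap(records) -> bytes:
    """Wrap (frame, orig_len) pairs in a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1518, LINKTYPE_ETHERNET)
    for i, (frame, orig_len) in enumerate(records):
        out += struct.pack("<IIII", 1459627905 + i, 0, len(frame), orig_len) + frame
    return out


SAMPLE_PCAP = _pcap([
    (_frame(HOST, "10.0.0.5", 40), 74),          # host -> any, complete frame
    (_frame("10.0.0.5", HOST, 40), 74),          # any -> host, complete frame
    (_frame(HOST, "10.0.0.5", 100), 1600),       # wire length 1600, cut by max-size
    (_frame("10.0.0.5", "10.0.0.9", 40), 74),    # neither direction: ACL should not admit
])

if __name__ == "__main__":
    print(check_capture(SAMPLE_PCAP))
```

Against a real export, call `check_capture` on the bytes of the downloaded file instead of `SAMPLE_PCAP`. A non-empty `unexpected` list means the capture point is seeing traffic the access-list does not describe (typically a missing direction in the ACL, or a `process-switched` point that was not filtered the same way); a non-zero `truncated` count means payloads in Wireshark will be incomplete and `max-size` should be raised before repeating the capture.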