IOS-XE Packet Capture

IOS-XE Packet Capture

Last Updated: [last-modified] (UTC)

 

Cisco Routers can perform packet captures for troubleshooting. You can export the captures and open them in Wireshark or you can view them on the router.

Please note that the syntax is for IOX-XE. The IOS syntax is a little different.

Packet Captures

Defining the Capture

There are three steps to creating a packet capture:

  1. Define the interface to capture on, and the direction of the traffic
  2. Assign a capture filter
  3. Start the capture
Defining a capture
! Create a capture called 'PCAP', and capture packets in both directions on Gi0/0/1
Router# monitor capture PCAP interface GigabitEthernet 0/0/1 both

! Capture any IPv4 packets going to host 8.8.8.8
Router# monitor capture PCAP match ipv4 any 8.8.8.8/32

! Start the packet capture
Router# monitor capture PCAP start

 

Showing the Capture

Packets are stored a buffer. Use the buffer brief sub-command to show the contents of the buffer.

Showing the capture
Router# show monitor capture PCAP buffer brief
 -------------------------------------------------------------
 #   size   timestamp     source             destination   protocol
 -------------------------------------------------------------
   0  114    0.000000   10.225.254.49    ->  8.8.8.8          ICMP
   1  114    1.994995   10.225.254.49    ->  8.8.8.8          ICMP
   2  114    3.994995   10.225.254.49    ->  8.8.8.8          ICMP
   3  114    5.994995   10.225.254.49    ->  8.8.8.8          ICMP
   4  114    7.994995   10.225.254.49    ->  8.8.8.8          ICMP
   5  114   14.200038   10.225.254.49    ->  8.8.8.8          ICMP
   6  114   16.194042   10.225.254.49    ->  8.8.8.8          ICMP
   7  114   18.194042   10.225.254.49    ->  8.8.8.8          ICMP
   8  114   20.194042   10.225.254.49    ->  8.8.8.8          ICMP
   9  114   22.193035   10.225.254.49    ->  8.8.8.8          ICMP

 

Exporting The Capture

You can save the buffer to flash, or export it to an FTP, TFTP, HTTP/S, RCP or SCP server.

Wireshark can open exported pcap files.

Exporting the capture
Router# monitor capture PCAP export ftp://x.x.x.x/PCAP.pcap

 

Cleaning Up

When you’re done, remember to stop the capture and remove it.

Defining a capture
! Show captures in progress
Router# show monitor capture

Status Information for Capture PCAP
  Target Type:
   Interface: GigabitEthernet0/0/1, Direction: both
   Status : Active
  Filter Details:
   IPv4
    Source IP:  any
    Destination IP:  8.8.8.8/32
   Protocol: any
  Buffer Details:
   Buffer Type: LINEAR (default)
   Buffer Size (in MB): 10
  Limit Details:
   Number of Packets to capture: 0 (no limit)
   Packet Capture duration: 0 (no limit)
   Packet Size to capture: 0 (no limit)
   Maximum number of packets to capture per second: 1000
   Packet sampling rate: 0 (no sampling)

! Stop the packet capture
Router# monitor capture PCAP stop

! Remove the capture
Router# no monitor capture PCAP
 

References

Network Direction – Embedded Packet Capture for Cisco IOS and IOS-XE Configuration Example

 

Leave a Reply