In quite a few instances I have found myself in a situation where, for troubleshooting and traffic-flow analysis purposes, I just wanted a capture of the traffic going over a specific link or between specific networks. There are a few ways I could think of to achieve this:

  1. Configure SPAN (on switches, for L2 traffic only)
  2. Use a dedicated hardware device in-line with the traffic flow – downtime is likely involved
  3. Use NetFlow – not complex, but rather inconvenient at times; also, some devices require a specific license for NetFlow

You would then get the traffic in pcap format and load it in Wireshark.

But there is also yet another way, through the Cisco Embedded Packet Capture (EPC) feature. Here are a few things you need to consider when implementing this feature:

  • all configuration is done in privileged EXEC mode
  • the configuration is not saved; hence, it doesn’t persist across reloads – it doesn’t show in show run either!
  • can capture both CEF-switched (L3) and process-switched packets
  • can capture both IPv4 and IPv6 traffic
  • can be enabled for physical interfaces, sub-interfaces and tunnel interfaces
  • it is *not* available on switches
  • capture can be later exported to an external server via tftp, ftp, scp, etc.
  • requires at least Cisco IOS Release 12.4(20)T or later

So I will show you next how easy it is to implement this; I will be working on the following network:

[Network diagram: epc-01]

R1 is a Cisco 7200 router running IOS 12.4(24)T; R2 is a Cisco 2691 running IOS 12.4(25d). I will configure EPC on R1 so that it captures all IPv4 traffic flowing in and out of interface Fa0/0.

Configuring …

  1. Configure the buffer (B) :: R1#monitor capture buffer CAP-BUFFER circular
  2. Set the capture point (CP) :: R1#monitor capture point ip cef CAP-POINT-FA0/0 fa0/0 both
  3. Associate the CP with B :: R1#monitor capture point associate CAP-POINT-FA0/0 CAP-BUFFER
  4. Start the capture :: R1#monitor capture point start CAP-POINT-FA0/0
  5. Stop the capture :: R1#monitor capture point stop CAP-POINT-FA0/0
  6. Optionally, export the capture (the capture must be stopped first) :: R1#monitor capture buffer CAP-BUFFER export tftp://192.168.1.230
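The exported file can be sanity-checked offline before (or instead of) opening it in Wireshark, which also answers the "who talked to whom through Fa0/0" question from the introduction. The script below is an added example, not part of the original post; it assumes the export is a classic libpcap file with Ethernet frames (link type 1), and builds a small constructed capture inline so it runs without a router:

```python
# Added example (not from the original post): offline triage of a .pcap exported
# from the EPC buffer. Assumes classic libpcap format with Ethernet frames.
import struct
from collections import Counter
from ipaddress import ip_address

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD

def iter_packets(data: bytes):
    """Yield raw frames from a libpcap file, honouring its byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap capture (bad magic)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}; expected Ethernet")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def summarise(data: bytes) -> dict:
    """Count packets per IP version and per (src, dst, protocol) flow."""
    flows, versions = Counter(), Counter()
    for frame in iter_packets(data):
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
            ip = frame[14:34]  # fixed 20-byte IPv4 header, no options assumed
            src, dst = ip_address(ip[12:16]), ip_address(ip[16:20])
            versions["IPv4"] += 1
            flows[(str(src), str(dst), ip[9])] += 1
        elif ethertype == ETHERTYPE_IPV6:
            versions["IPv6"] += 1
        else:
            versions["other"] += 1
    return {"versions": dict(versions), "flows": dict(flows)}

# Constructed sample capture (hypothetical addresses, not from the lab above).
def _frame(src: str, dst: str, proto: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip

def _pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([_frame("192.168.1.10", "10.0.0.5", 6),
                     _frame("10.0.0.5", "192.168.1.10", 6),
                     _frame("192.168.1.10", "10.0.0.5", 6),
                     _frame("192.168.1.230", "192.168.1.1", 17)])
```

Run it against the real export with `summarise(open("capture.pcap", "rb").read())`; a bad-magic error usually means the export was taken while the capture point was still running or the transfer was truncated.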

Verifying … 

  1. Raw capture :: show monitor capture buffer CAP-BUFFER dump
  2. Configured parameters :: show monitor capture buffer CAP-BUFFER parameters
  3. Show events :: show monitor event-trace adjacency all


Once exported, we could then open the .pcap file in Wireshark – see screenshot below:

[Screenshot: exported .pcap opened in Wireshark]

NOTE
I have used here the most basic configuration possible, accepting pretty much all defaults. There are, however, a few options you could customise, such as which traffic to capture (filtered by an ACL), the buffer size, etc.
Download EPC Command Reference

Thank you,
View Rafael A Couto Cabral's profile on LinkedIn