Cisco IOS-XE Built-in Packet Capture

Cisco IOS-XE Built-in Packet Capture
In: Cisco

The Embedded Packet Capture feature was introduced in IOS-XE 15.2(4)S. This enables us to easily take captures directly from the switch and export them for analysis. The process is very straightforward and only takes a couple of minutes to set it up.

Once you configured the capture, the switch/router captures the packets sent and received. The packets are then stored in a buffer temporarily or you can optionally save them to the local flash. Once the packets are captured and saved, they can be viewed in a summary or detailed view on the CLI. The captures can also be exported as a pcap file to allow for further analysis.

The capture can be performed on physical interfaces, sub-interfaces, and tunnel interfaces.

Diagram

The following example shows, how to capture all the traffic between the laptop and both servers.

Configuration

Packet capture is configured in exec mode so, the configuration is not stored within the running-configuration and will not remain in place after a system reload.

1. Configure the ACL (optional)

switch-1(config)#ip access-list extended PACKET-ACL 
switch-1(config-ext-nacl)#permit ip host 10.10.10.10 host 192.168.10.10 
switch-1(config-ext-nacl)#permit ip host 10.10.10.10 host 172.16.10.10
switch-1(config-ext-nacl)#permit ip host 192.168.10.10 host 10.10.10.10 
switch-1(config-ext-nacl)#permit ip host 172.16.10.10 host 10.10.10.10
Please note that having deny ip any any at the end has resulted in packets not being captured, so please don't add deny statement at the end.

2. Configure and start a packet capture

switch-1#monitor capture PACKET interface Gi1/0/10 both access-list PACKET-ACL

switch-1#monitor capture PACKET start

3. Stop the capture and view the buffer

switch-1#monitor capture PACKET stop

Capture statistics collected at software:
        Capture duration - 12 seconds
        Packets received - 14
        Packets dropped - 0
        Packets oversized - 0

Bytes dropped in asic - 12757253

Capture buffer will exists till exported or cleared

Stopped capture point : PACKET
  switch-1#show monitor capture PACKET buffer
  
  1   0.000000   10.10.10.10 -> 192.168.10.10  ICMP 98 Echo (ping) request  id=0x1d97, seq=0/0, ttl=64
  2   0.000163 192.168.10.10 -> 10.10.10.10   ICMP 102 Echo (ping) reply    id=0x1d97, seq=0/0, ttl=62 (request in 1)
  3   2.000840   10.10.10.10 -> 192.168.10.10  ICMP 98 Echo (ping) request  id=0x1d97, seq=1/256, ttl=64
  4   2.000985 192.168.10.10 -> 10.10.10.10   ICMP 102 Echo (ping) reply    id=0x1d97, seq=1/256, ttl=62 (request in 3)
  5   4.001058   10.10.10.10 -> 192.168.10.10  ICMP 98 Echo (ping) request  id=0x1d97, seq=2/512, ttl=64
  6   4.001162 192.168.10.10 -> 10.10.10.10   ICMP 102 Echo (ping) reply    id=0x1d97, seq=2/512, ttl=62 (request in 5)
  7   6.001423   10.10.10.10 -> 172.16.10.10  ICMP 98 Echo (ping)  request  id=0x1d97, seq=3/768, ttl=64
  8   6.001606  172.16.10.10 -> 10.10.10.10   ICMP 102 Echo (ping) reply    id=0x1d97, seq=3/768, ttl=62 (request in 7)
  9   8.001790   10.10.10.10 -> 172.16.10.10  ICMP 98 Echo (ping)  request  id=0x1d97, seq=4/1024, ttl=64
 10   8.001914  172.16.10.10 -> 10.10.10.10   ICMP 102 Echo (ping) reply    id=0x1d97, seq=4/1024, ttl=62 (request in 9)
 11  10.002202   10.10.10.10 -> 172.16.10.10  ICMP 98 Echo (ping)  request  id=0x1d97, seq=5/1280, ttl=64
 12  10.002311  172.16.10.10 -> 10.10.10.10   ICMP 102 Echo (ping) reply    id=0x1d97, seq=5/1280, ttl=62 (request in 11)
 13  12.002566   10.10.10.10 -> 172.16.10.10  ICMP 98 Echo (ping)  request  id=0x1d97, seq=6/1536, ttl=64
 14  12.002679  172.16.10.10 -> 10.10.10.10   ICMP 102 Echo (ping) reply    id=0x1d97, seq=6/1536, ttl=62 (request in 13)

4. Export the capture file for analysis

switch-1#monitor capture PACKET export location flash:PACKET.pcap
Export Started Successfully
switch-1#copy flash:PACKET.pcap ftp://user:password@10.100.100.5
Address or name of remote host [10.100.100.5]? 
Destination filename [PACKET.pcap]? 
Writing PACKET.pcap !
860 bytes copied in 0.170 secs (5059 bytes/sec)

5. Remove the captures

Once the necessary data is collected, you can remove the capture by running no monitor capture PACKET


Reference

Embedded Packet Capture for Cisco IOS and IOS-XE Configuration Example
This document describes the Embedded Packet Capture (EPC) feature in Cisco IOS? software.

Thank you for reading. As always your comments and feedbacks are always welcome

Table of Contents
Written by
Suresh Vina
Tech enthusiast sharing Networking, Cloud & Automation insights. Join me in a welcoming space to learn & grow with simplicity and practicality.
Comments
More from Packetswitch
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Packetswitch.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.