Cisco IOS-XE Built-in Packet Capture
The Embedded Packet Capture feature was introduced in IOS-XE 15.2(4)S. It lets us take captures directly on the switch and export them for analysis. The process is very straightforward and only takes a couple of minutes to set up.
Once you have configured the capture, the switch or router records the packets it sends and receives. The packets are stored temporarily in a buffer, or you can optionally save them to the local flash. Once captured and saved, they can be viewed in a summary or detailed view on the CLI. The captures can also be exported as a pcap file to allow for further analysis.
The capture can be performed on physical interfaces, sub-interfaces, and tunnel interfaces.
Diagram
The following example shows how to capture all the traffic between the laptop and both servers.
Configuration
Packet capture is configured in exec mode, so the configuration is not stored in the running configuration and will not remain in place after a system reload.
1. Configure the ACL (optional)
switch-1(config)#ip access-list extended PACKET-ACL
switch-1(config-ext-nacl)#permit ip host 10.10.10.10 host 192.168.10.10
switch-1(config-ext-nacl)#permit ip host 10.10.10.10 host 172.16.10.10
switch-1(config-ext-nacl)#permit ip host 192.168.10.10 host 10.10.10.10
switch-1(config-ext-nacl)#permit ip host 172.16.10.10 host 10.10.10.10
Please note that having deny ip any any at the end has resulted in packets not being captured, so please don't add a deny statement at the end.
2. Configure and start a packet capture
switch-1#monitor capture PACKET interface Gi1/0/10 both access-list PACKET-ACL
switch-1#monitor capture PACKET start
3. Stop the capture and view the buffer
switch-1#monitor capture PACKET stop
Capture statistics collected at software:
Capture duration - 12 seconds
Packets received - 14
Packets dropped - 0
Packets oversized - 0
Bytes dropped in asic - 12757253
Capture buffer will exists till exported or cleared
Stopped capture point : PACKET
switch-1#show monitor capture PACKET buffer
1 0.000000 10.10.10.10 -> 192.168.10.10 ICMP 98 Echo (ping) request id=0x1d97, seq=0/0, ttl=64
2 0.000163 192.168.10.10 -> 10.10.10.10 ICMP 102 Echo (ping) reply id=0x1d97, seq=0/0, ttl=62 (request in 1)
3 2.000840 10.10.10.10 -> 192.168.10.10 ICMP 98 Echo (ping) request id=0x1d97, seq=1/256, ttl=64
4 2.000985 192.168.10.10 -> 10.10.10.10 ICMP 102 Echo (ping) reply id=0x1d97, seq=1/256, ttl=62 (request in 3)
5 4.001058 10.10.10.10 -> 192.168.10.10 ICMP 98 Echo (ping) request id=0x1d97, seq=2/512, ttl=64
6 4.001162 192.168.10.10 -> 10.10.10.10 ICMP 102 Echo (ping) reply id=0x1d97, seq=2/512, ttl=62 (request in 5)
7 6.001423 10.10.10.10 -> 172.16.10.10 ICMP 98 Echo (ping) request id=0x1d97, seq=3/768, ttl=64
8 6.001606 172.16.10.10 -> 10.10.10.10 ICMP 102 Echo (ping) reply id=0x1d97, seq=3/768, ttl=62 (request in 7)
9 8.001790 10.10.10.10 -> 172.16.10.10 ICMP 98 Echo (ping) request id=0x1d97, seq=4/1024, ttl=64
10 8.001914 172.16.10.10 -> 10.10.10.10 ICMP 102 Echo (ping) reply id=0x1d97, seq=4/1024, ttl=62 (request in 9)
11 10.002202 10.10.10.10 -> 172.16.10.10 ICMP 98 Echo (ping) request id=0x1d97, seq=5/1280, ttl=64
12 10.002311 172.16.10.10 -> 10.10.10.10 ICMP 102 Echo (ping) reply id=0x1d97, seq=5/1280, ttl=62 (request in 11)
13 12.002566 10.10.10.10 -> 172.16.10.10 ICMP 98 Echo (ping) request id=0x1d97, seq=6/1536, ttl=64
14 12.002679 172.16.10.10 -> 10.10.10.10 ICMP 102 Echo (ping) reply id=0x1d97, seq=6/1536, ttl=62 (request in 13)
4. Export the capture file for analysis
switch-1#monitor capture PACKET export location flash:PACKET.pcap
Export Started Successfully
switch-1#copy flash:PACKET.pcap ftp://user:password@10.100.100.5
Address or name of remote host [10.100.100.5]?
Destination filename [PACKET.pcap]?
Writing PACKET.pcap !
860 bytes copied in 0.170 secs (5059 bytes/sec)
5. Remove the captures
Once the necessary data is collected, you can remove the capture by running no monitor capture PACKET.
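Once the exported pcap has been copied off the switch, it can be checked without Wireshark. The following Python script is an added example, not part of the original post or of Cisco's tooling: it reads a classic libpcap file containing Ethernet frames (what the interface capture above exports), lists each frame the way the buffer view does, verifies the IPv4 header checksums, pairs ICMP echo requests with their replies, and flags any frame that is not one of the laptop-to-server conversations PACKET-ACL was written for. The file it reads is constructed in code so the script runs offline: the addresses, ICMP id 0x1d97, sequence numbers and 98-byte frame length come from the buffer view above, while the MAC addresses, IP identification field and ping payload are made up.

```python
"""Summarise a pcap exported with 'monitor capture ... export' (added example, not Cisco's code)."""
import struct
from collections import Counter

ETH_HDR, ETHERTYPE_IPV4, PROTO_ICMP = 14, 0x0800, 1
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# pcap magic as read little-endian -> (byte order of the file, divisor for the timestamp fraction)
PCAP_LAYOUTS = {0xA1B2C3D4: ("<", 1e6), 0xA1B23C4D: ("<", 1e9),
                0xD4C3B2A1: (">", 1e6), 0x4D3CB2A1: (">", 1e9)}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a header carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_frame(src: str, dst: str, icmp_type: int, ident: int, seq: int, ttl: int) -> bytes:
    """Constructed 98-byte Ethernet/IPv4/ICMP echo frame; MACs, IP ID and payload are made up."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + bytes(range(56))
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src_b, dst_b = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, ttl, PROTO_ICMP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


def build_pcap(frames, byte_order: str = "<") -> bytes:
    """Constructed libpcap file: global header (version 2.4, DLT 1 = Ethernet) plus one record per frame."""
    out = struct.pack(byte_order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in frames:
        out += struct.pack(byte_order + "IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def build_sample_pcap(byte_order: str = "<") -> bytes:
    """Six frames modelled on packets 1-4 and 7-8 of the buffer view (laptop pinging both servers)."""
    pairs = [(0, 0, "192.168.10.10", 0, 163), (2, 840, "192.168.10.10", 1, 985), (6, 1423, "172.16.10.10", 3, 1606)]
    frames = []
    for sec, req_usec, server, seq, rep_usec in pairs:
        frames.append((sec, req_usec, build_icmp_frame("10.10.10.10", server, ICMP_ECHO_REQUEST, 0x1D97, seq, 64)))
        frames.append((sec, rep_usec, build_icmp_frame(server, "10.10.10.10", ICMP_ECHO_REPLY, 0x1D97, seq, 62)))
    return build_pcap(frames, byte_order)


def decode_frame(frame: bytes) -> dict:
    """Ethernet -> IPv4 -> ICMP fields; anything that is not IPv4 is reported with proto None."""
    if len(frame) < ETH_HDR + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return {"src": None, "dst": None, "proto": None, "ip_ok": False}
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    rec = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "proto": ip[9], "ttl": ip[8], "ip_ok": inet_checksum(ip[:ihl]) == 0}
    if rec["proto"] == PROTO_ICMP and len(ip) >= ihl + 8:
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
        rec.update(icmp_type=icmp_type, icmp_id=ident, icmp_seq=seq)
    return rec


def parse_pcap(data: bytes) -> list:
    """One record per frame, numbered and timed relative to the first frame like the CLI buffer view."""
    magic = struct.unpack("<I", data[:4])[0] if len(data) >= 24 else 0
    if magic not in PCAP_LAYOUTS:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    byte_order, ts_div = PCAP_LAYOUTS[magic]
    if struct.unpack(byte_order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT 1) captures are handled here")
    records, offset, t0 = [], 24, None
    while offset + 16 <= len(data):
        sec, frac, incl_len, orig_len = struct.unpack(byte_order + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % offset)
        offset += 16 + incl_len
        ts = sec + frac / ts_div
        t0 = ts if t0 is None else t0
        rec = {"no": len(records) + 1, "time": round(ts - t0, 6), "len": orig_len}
        rec.update(decode_frame(frame))
        records.append(rec)
    return records


def summarise(records: list):
    """Per-conversation frame counts, and echo requests that never got a matching reply."""
    flows = Counter((r["src"], r["dst"], r["proto"]) for r in records)
    requests = {(r["src"], r["dst"], r["icmp_id"], r["icmp_seq"])
                for r in records if r.get("icmp_type") == ICMP_ECHO_REQUEST}
    replies = {(r["dst"], r["src"], r["icmp_id"], r["icmp_seq"])
               for r in records if r.get("icmp_type") == ICMP_ECHO_REPLY}
    return flows, sorted(requests - replies)


def out_of_scope(records: list, allowed: set) -> list:
    """Frames whose (src, dst) pair is not a conversation the capture ACL was written for."""
    return [r for r in records if (r["src"], r["dst"]) not in allowed]


if __name__ == "__main__":
    for r in parse_pcap(build_sample_pcap()):
        print(r["no"], r["time"], r["src"], "->", r["dst"], "len", r["len"], "icmp seq", r.get("icmp_seq"))
```

To use it on a real export, replace build_sample_pcap() with the bytes of PACKET.pcap and pass the four permit entries of PACKET-ACL, as (source, destination) tuples, to out_of_scope; an empty result confirms the ACL scoped the capture as intended, and a non-empty unanswered list from summarise points at the hop where echo requests were dropped.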
Thank you for reading. As always, your comments and feedback are welcome.