IOS Embedded Packet Capture
- Tony Mattke
- Cisco
- February 14, 2011
Tired of setting up SPAN sessions? Need to do some packet analysis? Since IOS 12.4(20)T, Cisco has made Embedded Packet Capture (EPC) available. EPC is a powerful troubleshooting tool that lets engineers capture packets inside a Cisco router itself, which can be essential in many troubleshooting scenarios.
Configuring EPC
The following steps will guide you through the EPC configuration process.
Define a capture buffer
The capture buffer is an area of memory that holds the captured packet data. There are two types of buffer, circular and linear. A linear buffer stops capturing when it is full, while a circular buffer keeps capturing and overwrites the oldest data, acting like a FIFO (First In, First Out) buffer.
R1#monitor capture buffer TEST_BUFFER ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  size      Packet Dump buffer size (in Kbytes)
R1#monitor capture buffer TEST_BUFFER size ?
  <1-512>  Buffer size in Kbytes : 512K or less (default is 256K)
You can also limit the number of bytes stored per packet (the element size); anything beyond that limit is truncated.
R1#monitor capture buffer TEST_BUFFER max-size ?
  <68-1024>  Element size in bytes : 1024 bytes or less (default is 68 bytes)
You can also enable rate limiting and/or filtering (via an ACL). Rate limiting can be defined as a capture rate in packets per second (pps) or as a sampling interval (capture every nth packet).
R1#monitor capture buffer TEST_BUFFER limit ?
  allow-nth-pak    Allow every nth packet through
  duration         Duration of capture
  packet-count     Limit total Number of packets captured
  packets-per-sec  Limit number of packets copied per sec
R1#monitor capture buffer TEST_BUFFER filter ?
  access-list  Set access list
Our example buffer is going to use a combination of these options. We're going to set up a circular capture buffer, 512 KB in size, keeping the first 128 bytes of each packet, and we're going to name this buffer TEST_BUFFER.
R1#monitor capture buffer TEST_BUFFER size 512 max-size 128 circular
R1#sh monitor capture buffer all parameters
Capture buffer TEST_BUFFER (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 128 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer TEST_BUFFER size 512 max-size 128 circular
Define a capture point
The capture point is the point in the traffic path where a packet is captured and handed to a buffer. Capture points can be defined for IPv4 or IPv6, in either the CEF or the process-switching path. You can also restrict a capture point to a specific interface and to a specific direction (ingress, egress, or both).
R1#monitor capture point ?
  associate     Associate capture point with capture buffer
  disassociate  Dis-associate capture point from capture buffer
  ip            IPv4
  ipv6          IPv6
  start         Enable Capture Point
  stop          Disable Capture Point
R1#monitor capture point ip ?
  cef               IPv4 CEF
  process-switched  Process switched packets
R1#monitor capture point ip cef FOO fa 1/0 both
You can even specify all interfaces, or just look at drops, punts, or locally generated traffic.
R1#monitor capture point ip cef FOO all ?
  both  capture ingress and egress
  in    capture on ingress
  out   capture on egress
R1#monitor capture point ip cef FOO ?
  ...
  drop  Drop on any interface
  punt  Punt on any interface
R1#monitor cap point ip process-switched FOO ?
  both     Inbound and outbound and packets
  from-us  Packets originating locally
  in       Inbound packets
  out      Outbound packets
In our example we're going to use two capture points: one grabs process-switched packets originated by the router itself, while the other grabs traffic passing through Fa1/0 in both directions.
R1#monitor capture point ip cef TEST_CP-1 fa 1/0 both
*Feb 13 18:32:36.039: %BUFCAP-6-CREATE: Capture Point TEST_CP-1 created.
R1#monitor capture point ip process-switched TEST_CP-2 from-us
*Feb 13 18:32:41.535: %BUFCAP-6-CREATE: Capture Point TEST_CP-2 created.
R1#sh monitor capture point all
Status Information for Capture Point TEST_CP-2
IPv4 Process
Switch Path: IPv4 Process , Capture Buffer: None
Status : Inactive
Configuration:
monitor capture point ip process-switched TEST_CP-2 from-us
Status Information for Capture Point TEST_CP-1
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: None
Status : Inactive
Configuration:
monitor capture point ip cef TEST_CP-1 FastEthernet1/0 both
Associate capture points with the capture buffer
A capture point can be associated with only one capture buffer, while a capture buffer can be associated with many capture points. You can also have multiple capture points active on the same interface, each sending data to a separate buffer that filters packets with its own ACL.
R1#monitor capture point ?
  associate     Associate capture point with capture buffer
  disassociate  Dis-associate capture point from capture buffer
R1#monitor capture point associate TEST_CP-1 TEST_BUFFER
R1#monitor capture point associate TEST_CP-2 TEST_BUFFER
R1#sh monitor capture point all
Status Information for Capture Point TEST_CP-2
IPv4 Process
Switch Path: IPv4 Process , Capture Buffer: TEST_BUFFER
Status : Inactive
Configuration:
monitor capture point ip process-switched TEST_CP-2 from-us
Status Information for Capture Point TEST_CP-1
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: TEST_BUFFER
Status : Inactive
Configuration:
monitor capture point ip cef TEST_CP-1 FastEthernet1/0 both
R1#sh monitor capture buffer all parameters
Capture buffer TEST_BUFFER (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 128 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : TEST_CP-1, Status : Inactive
Name : TEST_CP-2, Status : Inactive
Configuration:
monitor capture buffer TEST_BUFFER size 512 max-size 128 circular
monitor capture point associate TEST_CP-1 TEST_BUFFER
monitor capture point associate TEST_CP-2 TEST_BUFFER
Start the capture point
Capture points need to be started manually, and they can be stopped at any point in time.
R1#monitor capture point ?
  associate     Associate capture point with capture buffer
  disassociate  Dis-associate capture point from capture buffer
  ip            IPv4
  ipv6          IPv6
  start         Enable Capture Point
  stop          Disable Capture Point
R1#monitor capture point start ?
  WORD  Name of the Capture Point
  all   All Capture Points
R1#monitor capture point start TEST_CP-1
R1#monitor capture point start TEST_CP-2
R1#
*Feb 13 18:45:48.495: %BUFCAP-6-ENABLE: Capture Point TEST_CP-1 enabled.
*Feb 13 18:45:49.495: %BUFCAP-6-ENABLE: Capture Point TEST_CP-2 enabled.
R1#sh monitor capture point all
Status Information for Capture Point TEST_CP-2
IPv4 Process
Switch Path: IPv4 Process , Capture Buffer: TEST_BUFFER
Status : Active
Configuration:
monitor capture point ip process-switched TEST_CP-2 from-us
Status Information for Capture Point TEST_CP-1
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: TEST_BUFFER
Status : Active
Configuration:
monitor capture point ip cef TEST_CP-1 FastEthernet1/0 both
R1#sh monitor capture buffer all parameters
Capture buffer TEST_BUFFER (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 128 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : TEST_CP-1, Status : Active
Name : TEST_CP-2, Status : Active
Configuration:
monitor capture buffer TEST_BUFFER size 512 max-size 128 circular
monitor capture point associate TEST_CP-1 TEST_BUFFER
monitor capture point associate TEST_CP-2 TEST_BUFFER
Review the buffer data
Now that everything is running, we can generate some traffic and view it.
R1#ping 10.0.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1#sh monitor capture buffer TEST_BUFFER
18:51:47.483 UTC Feb 13 2011 : IPv4 Process : None Fa1/0
18:51:47.491 UTC Feb 13 2011 : IPv4 CEF Turbo : Fa1/0 None
18:51:47.491 UTC Feb 13 2011 : IPv4 LES CEF : Fa1/0 None
18:51:47.499 UTC Feb 13 2011 : IPv4 Process : None Fa1/0
18:51:47.503 UTC Feb 13 2011 : IPv4 CEF Turbo : Fa1/0 None
18:51:47.503 UTC Feb 13 2011 : IPv4 LES CEF : Fa1/0 None
18:51:47.503 UTC Feb 13 2011 : IPv4 Process : None Fa1/0
R1#sh monitor capture buffer TEST_BUFFER dump
18:51:50.023 UTC Feb 13 2011 : IPv4 CEF Turbo : Fa1/0 None
672C4650: CA003713 001CCA01 3713001C J.7...J.7...
672C4660: 08004500 00640009 0000FE01 A68D0A00 ..E..d....~.&...
672C4670: 01020A00 01010000 DCA70001 00040000 ........\'......
672C4680: 0000002D A970ABCD ABCDABCD ABCDABCD ...-)p+M+M+M+M+M
672C4690: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46A0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46B0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46C0: ABCDABCD ABCD00 +M+M+M.
18:51:50.023 UTC Feb 13 2011 : IPv4 LES CEF : Fa1/0 None
672C4650: CA003713 001CCA01 3713001C J.7...J.7...
672C4660: 08004500 00640009 0000FE01 A68D0A00 ..E..d....~.&...
672C4670: 01020A00 01010000 DCA70001 00040000 ........\'......
672C4680: 0000002D A970ABCD ABCDABCD ABCDABCD ...-)p+M+M+M+M+M
672C4690: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46A0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46B0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46C0: ABCDABCD ABCD00 +M+M+M.
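The dump above is enough to rebuild and decode the captured frame without exporting anything. The following Python script is an added example, not code from the original post or from IOS: it parses the dump layout (a timestamped record header followed by address-prefixed hex lines with an ASCII column), reassembles each frame, decodes the Ethernet, IPv4 and ICMP headers, and verifies the IPv4 header checksum and the ICMP checksum. Frames that were cut short by max-size are flagged as truncated, because the ICMP checksum can only be checked on a complete message. The sample input is the echo-reply record from the dump output above; the regular expressions describing the header and hex lines are my own assumptions about that layout, not a documented format.

```python
"""Decode 'show monitor capture buffer <name> dump' output offline.

Added example, not code from the original post or from IOS; the regexes
describing the record header and hex lines are assumptions about the layout.
"""
import re
import struct

# Input taken from the article's dump output: the ICMP echo reply received
# on Fa1/0, recorded once per CEF path (both records carry the same bytes).
SAMPLE_DUMP = r"""
18:51:50.023 UTC Feb 13 2011 : IPv4 CEF Turbo : Fa1/0 None
672C4650: CA003713 001CCA01 3713001C J.7...J.7...
672C4660: 08004500 00640009 0000FE01 A68D0A00 ..E..d....~.&...
672C4670: 01020A00 01010000 DCA70001 00040000 ........\'......
672C4680: 0000002D A970ABCD ABCDABCD ABCDABCD ...-)p+M+M+M+M+M
672C4690: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46A0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46B0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46C0: ABCDABCD ABCD00 +M+M+M.
18:51:50.023 UTC Feb 13 2011 : IPv4 LES CEF : Fa1/0 None
672C4650: CA003713 001CCA01 3713001C J.7...J.7...
672C4660: 08004500 00640009 0000FE01 A68D0A00 ..E..d....~.&...
672C4670: 01020A00 01010000 DCA70001 00040000 ........\'......
672C4680: 0000002D A970ABCD ABCDABCD ABCDABCD ...-)p+M+M+M+M+M
672C4690: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46A0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46B0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
672C46C0: ABCDABCD ABCD00 +M+M+M.
"""

# "18:51:50.023 UTC Feb 13 2011 : <switch path> : <ingress> <egress>"
_HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ .*? : (.+?) : (\S+) (\S+)$")
# "672C4650: CA003713 001CCA01 3713001C J.7...J.7..."  (address, hex groups, ASCII)
_HEX = re.compile(r"^[0-9A-Fa-f]{8}: (.*)$")
_GROUP = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")


def parse_dump(text):
    """Split the dump into records of {path, ingress, egress, frame}."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = _HDR.match(line)
        if m:
            records.append({"path": m.group(1), "ingress": m.group(2),
                            "egress": m.group(3), "frame": bytearray()})
            continue
        m = _HEX.match(line)
        if m and records:
            # IOS prints at most four 4-byte groups before the ASCII column,
            # so take hex-looking tokens until the first one that is not hex.
            for tok in m.group(1).split()[:4]:
                if not _GROUP.match(tok):
                    break
                records[-1]["frame"] += bytes.fromhex(tok)
    return records


def inet_checksum(data):
    """RFC 1071 checksum; folds to 0 over a block whose checksum field is intact."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame):
    """Decode Ethernet II, IPv4 and (if present) ICMP headers into a dict."""
    frame = bytes(frame)
    if len(frame) < 34:
        return {"error": "shorter than Ethernet + IPv4 headers", "captured_len": len(frame)}
    info = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": struct.unpack("!H", frame[12:14])[0], "captured_len": len(frame)}
    if info["ethertype"] != 0x0800:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update({
        "total_len": total_len, "ttl": ip[8], "proto": ip[9],
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        # max-size cuts each element at N bytes; bytes past total_len are padding.
        "truncated": len(ip) < total_len,
    })
    payload = ip[ihl:total_len]
    if info["proto"] == 1 and len(payload) >= 8:
        itype, icode, _, ident, seq = struct.unpack("!BBHHH", payload[:8])
        info.update({"icmp_type": itype, "icmp_code": icode, "icmp_id": ident, "icmp_seq": seq,
                     # The ICMP checksum spans the whole message, so a truncated
                     # element cannot be verified; report None rather than False.
                     "icmp_checksum_ok": None if info["truncated"] else inet_checksum(payload) == 0})
    return info


def decode_dump(text):
    """Parse and decode every record in the dump text."""
    out = []
    for rec in parse_dump(text):
        d = decode_frame(rec["frame"])
        d.update(path=rec["path"], ingress=rec["ingress"], egress=rec["egress"])
        out.append(d)
    return out


if __name__ == "__main__":
    for d in decode_dump(SAMPLE_DUMP):
        print(d)
```

Run it with Python 3.8 or newer (bytes.hex with a separator is used for the MAC addresses). On the sample above it reports the reply from 10.0.1.2 to 10.0.1.1 with both checksums intact; feeding it only the first 68 bytes of the frame, the default max-size, shows why a larger element size matters: the IPv4 header still verifies, but the ICMP message is incomplete and its checksum cannot be checked. For anything beyond a quick look, exporting the buffer as pcap (next section) and opening it in Wireshark remains the better route.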
Exporting data
The most useful thing you can do with this data is to export it in pcap format and analyze it with Wireshark.
R1#monitor capture buffer TEST_BUFFER export ?
  ftp:    Location to dump buffer
  http:   Location to dump buffer
  https:  Location to dump buffer
  pram:   Location to dump buffer
  rcp:    Location to dump buffer
  scp:    Location to dump buffer
  tftp:   Location to dump buffer