This page is simply to provide quick and dirty notes for performing standard packet captures on various Cisco devices. I use these fairly often and needed a place for quick reference. Always refer to vendor documentation for more detail.
Embedded Packet Capture – 3850 Series
# Quick reference
monitor capture mycap int X both
monitor capture mycap match ipv4 host host X
monitor capture mycap limit duration 60
monitor capture mycap file location flash:mycap.pcap
monitor capture mycap start
# show commands
show monitor capture file flash:mycap.pcap
show monitor capture
# Capture with ACL
ip access-list extended acl-cap
10 permit tcp host X host X eq X
11 permit tcp host X eq X host X
monitor capture mycap access-list acl-cap
# Capture control-plane
monitor capture mycap control-plane both
Embedded Packet Capture – ASR
monitor capture mycap interface GigabitEthernet0/0/0 both
monitor capture mycap access-list trans
monitor capture mycap buffer size 2
monitor capture mycap limit duration 600 pps 1000
monitor capture mycap start
monitor capture mycap expert
# See buffer config
show monitor capture mycap parameter
# See buffer contents
show monitor capture mycap buffer
Nexus NX-OS (Ethanalyzer) Capture
Capture Control Plane
http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3000-series-switches/white_paper_c11-673817.html
Capture Data Plane
# Data VDC
ip access-list acl-cap
statistics per-entry
10 permit tcp any eq XXX X.X.X.X/32 log
100 permit ip any any
int x
ip access-group acl-cap in | out
# Admin VDC
ethanalyzer local interface inband capture-filter "host X.X.X.X and tcp port YYY" limit-captured-frames 100 write bootflash:cap1.cap
ethanalyzer local read bootflash:cap1.cap
ethanalyzer local read bootflash:cap1.cap detail
ASA Capture
# Capture Traffic
capture capin int XXX match tcp any eq XXX any
# Capture via ACL
access-list acl-cap ext permit tcp any4 eq XXX any4
access-list acl-cap ext permit tcp any4 any4 eq XXX
capture capin int XXX access-list acl-cap headers-only buff 1024000
capture capout type raw-data access-list acl-cap buffer 1024000 interface OUTSIDE headers-only
capture capin type raw-data access-list acl-cap buffer 1024000 interface INSIDE headers-only
# If you want full packets, don't specify headers-only. Use "packet-length X" instead.
# Show commands
sh cap capin
# Capture ASP Drops
capture mydrops type asp-drop all headers-only buffer 1024000
capture mydrops type asp-drop all match tcp any any eq 10002
# Show commands
sh cap mydrops
sh cap mydrops packet-number XXX detail dump
sh cap mydrops packet-number XXX detail dump trace
sh asp drop flow
sh asp drop frame
# Export
copy /pcap capture:capout tftp://X.X.X.X/
# Export capture from context
copy /pcap capture:c8/capout tftp://X.X.X.X/
Embedded Packet Capture – IOS/ISR
access-list 111 permit ip host X.X.X.X any
access-list 111 permit ip any host X.X.X.X
monitor capture buffer cap1 max-size 9500
monitor capture buffer cap1 filter access-list 111
monitor capture point ip cef cap1 all both
monitor capture point associate cap1 cap1
monitor capture point start cap1
monitor capture point stop all
# Export
monitor capture buffer cap1 export flash:/cap1.pcap
# Show commands
show monitor capture point all
show monitor capture buffer all parameters
show monitor capture buffer cap1
1 Response
[…] Source: Cisco Packet Capture Reference […]