Cisco Packet Capture Reference

This page holds quick and dirty notes for performing standard packet captures on various Cisco devices. I use these fairly often and needed a place for quick reference. Always refer to vendor documentation for more detail.

Embedded Packet Capture – 3850 Series

# Quick reference
monitor capture mycap int X both
monitor capture mycap match ipv4 host X host X
monitor capture mycap limit duration 60
monitor capture mycap file location flash:mycap.pcap
monitor capture mycap start
# show commands
show monitor capture file flash:mycap.pcap
show monitor capture
# Capture with ACL
ip access-list extended acl-cap
 10 permit tcp host X host X eq X
 11 permit tcp host X eq X host X
monitor capture mycap access-list acl-cap
# Capture control-plane
monitor capture mycap control-plane both
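Added example, not part of the original notes: once a capture has been exported as a pcap (flash:mycap.pcap above), this script parses the file offline and counts how many records fit the two-line bidirectional TCP ACL pattern used on this page (client <-> server on one service port) versus records that slipped through, which is a quick check that the filter and interface were the ones intended. The hosts, ports and frames are constructed sample data.

```python
import struct

def build_pcap(frames):
    """Constructed little-endian pcap: global header (linktype 1 = Ethernet) plus one record per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def tcp_frame(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN with no payload; checksums are left at zero (not validated here)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, *(bytes(map(int, h.split("."))) for h in (src, dst)))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

def iter_flows(pcap):
    """Yield (src, dst, proto, sport, dport) for every IPv4 record; ports are None for non-TCP/UDP."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"        # byte order is given by the magic number
    if struct.unpack_from(end + "IHHiIII", pcap, 0)[6] != 1:
        raise ValueError("expected Ethernet (linktype 1) capture")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # skip non-IPv4 or truncated frames
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl) if proto in (6, 17) and len(frame) >= 18 + ihl else (None, None)
        yield src, dst, proto, sport, dport

def check_against_acl(pcap, client, server, port):
    """Return (matched, unexpected): records fitting the bidirectional TCP ACL pattern versus everything else."""
    matched = unexpected = 0
    for src, dst, proto, sport, dport in iter_flows(pcap):
        fwd = (src, dst, dport) == (client, server, port)   # 10 permit tcp host client host server eq port
        rev = (src, dst, sport) == (server, client, port)   # 11 permit tcp host server eq port host client
        if proto == 6 and (fwd or rev):
            matched += 1
        else:
            unexpected += 1
    return matched, unexpected

# Constructed sample: two frames of one HTTPS session plus a stray SSH SYN the ACL should not have passed.
SAMPLE = build_pcap([tcp_frame("10.0.0.5", "10.0.0.9", 51000, 443), tcp_frame("10.0.0.9", "10.0.0.5", 443, 51000),
                     tcp_frame("10.0.0.5", "10.0.0.9", 51001, 22)])
```

`check_against_acl(SAMPLE, "10.0.0.5", "10.0.0.9", 443)` returns `(2, 1)`; a non-zero second value on a real export means the capture saw traffic the ACL was not meant to admit.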

Embedded Packet Capture – ASR

monitor capture mycap interface GigabitEthernet0/0/0 both
monitor capture mycap access-list trans
monitor capture mycap buffer size 2
monitor capture mycap limit duration 600 pps 1000
monitor capture mycap start
monitor capture mycap expert
# See buffer config
show monitor capture mycap parameter
# See buffer contents
show monitor capture mycap buffer

Nexus NX-OS (Ethanalyzer) Capture

Capture Control Plane

http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3000-series-switches/white_paper_c11-673817.html

Capture Data Plane

# Data VDC
ip access-list acl-cap
 statistics per-entry
 10 permit tcp any eq XXX X.X.X.X/32 log
 100 permit ip any any
int x
 ip access-group acl-cap in | out

# Admin VDC
ethanalyzer local interface inband capture-filter "host X.X.X.X and tcp port YYY" limit-captured-frames 100 write bootflash:cap1.cap
ethanalyzer local read bootflash:cap1.cap
ethanalyzer local read bootflash:cap1.cap detail

ASA Capture

# Capture Traffic
capture capin int XXX match tcp any eq XXX any
# Capture via ACL
access-list acl-cap ext permit tcp any4 eq XXX any4
access-list acl-cap ext permit tcp any4 any4 eq XXX
capture capin int XXX access-list acl-cap headers-only buff 1024000
capture capout type raw-data access-list acl-cap buffer 1024000 interface OUTSIDE headers-only
capture capin type raw-data access-list acl-cap buffer 1024000 interface INSIDE headers-only

# If you want full packets, don't specify headers-only. Use "packet-length X" instead.
# Show commands
sh cap capin
# Capture ASP Drops
capture mydrops type asp-drop all headers-only buffer 1024000
capture mydrops type asp-drop all match tcp any any eq 10002
# Show commands
sh cap mydrops
sh cap mydrops packet-number XXX detail dump
sh cap mydrops packet-number XXX detail dump trace

sh asp drop flow
sh asp drop frame
# Export
copy /pcap capture:capout tftp://X.X.X.X/

# Export capture from context
copy /pcap capture:c8/capout tftp://X.X.X.X/

Embedded Packet Capture – IOS/ISR

access-list 111 permit ip host X.X.X.X any
access-list 111 permit ip any host X.X.X.X
monitor capture buffer cap1 max-size 9500
monitor capture buffer cap1 filter access-list 111
monitor capture point ip cef cap1 all both
monitor capture point associate cap1 cap1
monitor capture point start cap1
monitor capture point stop all
# Export
monitor capture buffer cap1 export flash:/cap1.pcap
# Show commands
show monitor capture point all
show monitor capture buffer all parameters
show monitor capture buffer cap1
