Cisco : EPC (Embedded Packet Capture)

An interesting useful tool available in IOS 12.4(20)T and prior : Embedded Packet Capture (EPC). This tool is useful to avoid configure SPAN and RSPAN to be able to capture and analyze trafic.
You can now do it by means of defining a capture buffer, then a capture point, link them and start the capture.
Then you can upload this capture (in pcap) and read analyze it with wireshark 🙂

R1#monitor capture buffer TEST_BUFFER size 512 max-size 128 circular

R1#sh monitor capture buffer all parameters
Capture buffer TEST_BUFFER (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 128 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer TEST_BUFFER size 512 max-size 128 circular

Then configure the capture point :

R1#monitor capture point ip cef TEST_CP-1 fa 1/0 both
*Feb 13 18:32:36.039: %BUFCAP-6-CREATE: Capture Point TEST_CP-1 created.

R1#monitor capture point ip process-switched TEST_CP-2 from-us
*Feb 13 18:32:41.535: %BUFCAP-6-CREATE: Capture Point TEST_CP-2 created.

R1#sh monitor capture point all
Status Information for Capture Point TEST_CP-2
IPv4 Process
Switch Path: IPv4 Process        , Capture Buffer: None
Status : Inactive

Configuration:
monitor capture point ip process-switched TEST_CP-2 from-us

Status Information for Capture Point TEST_CP-1
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: None
Status : Inactive

Configuration:
monitor capture point ip cef TEST_CP-1 FastEthernet1/0 both

Then, we associate buffer to capture point :

R1#monitor capture point associate TEST_CP-1 TEST_BUFFER

R1#sh monitor capture point all
Status Information for Capture Point TEST_CP-2
IPv4 Process
Switch Path: IPv4 Process        , Capture Buffer: TEST_BUFFER
Status : Inactive

Configuration:
monitor capture point ip process-switched TEST_CP-2 from-us

Status Information for Capture Point TEST_CP-1
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: TEST_BUFFER
Status : Inactive

Configuration:
monitor capture point ip cef TEST_CP-1 FastEthernet1/0 both

R1#sh monitor capture buffer all parameters
Capture buffer TEST_BUFFER (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 128 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : TEST_CP-1, Status : Inactive
Name : TEST_CP-2, Status : Inactive
Configuration:
monitor capture buffer TEST_BUFFER size 512 max-size 128 circular
monitor capture point associate TEST_CP-1 TEST_BUFFER
monitor capture point associate TEST_CP-2 TEST_BUFFER

Then:

R1#monitor capture point start TEST_CP-2
R1#
*Feb 13 18:45:48.495: %BUFCAP-6-ENABLE: Capture Point TEST_CP-1 enabled.
*Feb 13 18:45:49.495: %BUFCAP-6-ENABLE: Capture Point TEST_CP-2 enabled.

R1#sh monitor capture point all
Status Information for Capture Point TEST_CP-2
IPv4 Process
Switch Path: IPv4 Process        , Capture Buffer: TEST_BUFFER
Status : Active

Configuration:
monitor capture point ip process-switched TEST_CP-2 from-us

Status Information for Capture Point TEST_CP-1
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: TEST_BUFFER
Status : Active

Configuration:
monitor capture point ip cef TEST_CP-1 FastEthernet1/0 both

R1#sh monitor capture buffer all parameters
Capture buffer TEST_BUFFER (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 128 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : TEST_CP-1, Status : Active
Name : TEST_CP-2, Status : Active
Configuration:
monitor capture buffer TEST_BUFFER size 512 max-size 128 circular
monitor capture point associate TEST_CP-1 TEST_BUFFER
monitor capture point associate TEST_CP-2 TEST_BUFFER

Do some stuff and wait for traffic :

R1#ping 10.0.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R1#sh monitor capture buffer TEST_BUFFER
18:51:47.483 UTC Feb 13 2011 : IPv4 Process    : None Fa1/0
18:51:47.491 UTC Feb 13 2011 : IPv4 CEF Turbo  : Fa1/0 None
18:51:47.491 UTC Feb 13 2011 : IPv4 LES CEF    : Fa1/0 None
18:51:47.499 UTC Feb 13 2011 : IPv4 Process    : None Fa1/0
18:51:47.503 UTC Feb 13 2011 : IPv4 CEF Turbo  : Fa1/0 None
18:51:47.503 UTC Feb 13 2011 : IPv4 LES CEF    : Fa1/0 None
18:51:47.503 UTC Feb 13 2011 : IPv4 Process    : None Fa1/0

R1#sh monitor capture buffer TEST_BUFFER dump

18:51:50.023 UTC Feb 13 2011 : IPv4 CEF Turbo  : Fa1/0 None

672C4650:          CA003713 001CCA01 3713001C      J.7...J.7...
672C4660: 08004500 00640009 0000FE01 A68D0A00  ..E..d....~.&...
672C4670: 01020A00 01010000 DCA70001 00040000  ........'......
672C4680: 0000002D A970ABCD ABCDABCD ABCDABCD  ...-)p+M+M+M+M+M
672C4690: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46A0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46B0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46C0: ABCDABCD ABCD00                      +M+M+M.

18:51:50.023 UTC Feb 13 2011 : IPv4 LES CEF    : Fa1/0 None

672C4650:          CA003713 001CCA01 3713001C      J.7...J.7...
672C4660: 08004500 00640009 0000FE01 A68D0A00  ..E..d....~.&...
672C4670: 01020A00 01010000 DCA70001 00040000  ........'......
672C4680: 0000002D A970ABCD ABCDABCD ABCDABCD  ...-)p+M+M+M+M+M
672C4690: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46A0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46B0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46C0: ABCDABCD ABCD00                      +M+M+M.

You can now export this capture by means of lot of remote transfert protocol :

R1#monitor capture buffer TEST_BUFFER export ?
  ftp:    Location to dump buffer
  http:   Location to dump buffer
  https:  Location to dump buffer
  pram:   Location to dump buffer
  rcp:    Location to dump buffer
  scp:    Location to dump buffer
  tftp:   Location to dump buffer

Source : http://routerjockey.com/2011/02/14/ios-embedded-packet-capture/ from @tonhe

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.