Cisco : EPC (Embedded Packet Capture)

An interesting and useful tool available in IOS 12.4(20)T and prior: Embedded Packet Capture (EPC). It lets you capture and analyze traffic without having to configure SPAN or RSPAN.
You do it by defining a capture buffer, then a capture point, associating the two and starting the capture.
Then you can export the capture (in pcap format) and open it in Wireshark 🙂

R1#monitor capture buffer TEST_BUFFER size 512 max-size 128 circular

R1#sh monitor capture buffer all parameters
Capture buffer TEST_BUFFER (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 128 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer TEST_BUFFER size 512 max-size 128 circular

Then configure the capture points:

R1#monitor capture point ip cef TEST_CP-1 fa 1/0 both
*Feb 13 18:32:36.039: %BUFCAP-6-CREATE: Capture Point TEST_CP-1 created.

R1#monitor capture point ip process-switched TEST_CP-2 from-us
*Feb 13 18:32:41.535: %BUFCAP-6-CREATE: Capture Point TEST_CP-2 created.

R1#sh monitor capture point all
Status Information for Capture Point TEST_CP-2
IPv4 Process
Switch Path: IPv4 Process        , Capture Buffer: None
Status : Inactive

Configuration:
monitor capture point ip process-switched TEST_CP-2 from-us

Status Information for Capture Point TEST_CP-1
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: None
Status : Inactive

Configuration:
monitor capture point ip cef TEST_CP-1 FastEthernet1/0 both

Then associate the buffer with the capture point:

R1#monitor capture point associate TEST_CP-1 TEST_BUFFER

R1#sh monitor capture point all
Status Information for Capture Point TEST_CP-2
IPv4 Process
Switch Path: IPv4 Process        , Capture Buffer: TEST_BUFFER
Status : Inactive

Configuration:
monitor capture point ip process-switched TEST_CP-2 from-us

Status Information for Capture Point TEST_CP-1
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: TEST_BUFFER
Status : Inactive

Configuration:
monitor capture point ip cef TEST_CP-1 FastEthernet1/0 both

R1#sh monitor capture buffer all parameters
Capture buffer TEST_BUFFER (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 128 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : TEST_CP-1, Status : Inactive
Name : TEST_CP-2, Status : Inactive
Configuration:
monitor capture buffer TEST_BUFFER size 512 max-size 128 circular
monitor capture point associate TEST_CP-1 TEST_BUFFER
monitor capture point associate TEST_CP-2 TEST_BUFFER

Then start the capture:

R1#monitor capture point start TEST_CP-2
R1#
*Feb 13 18:45:48.495: %BUFCAP-6-ENABLE: Capture Point TEST_CP-1 enabled.
*Feb 13 18:45:49.495: %BUFCAP-6-ENABLE: Capture Point TEST_CP-2 enabled.

R1#sh monitor capture point all
Status Information for Capture Point TEST_CP-2
IPv4 Process
Switch Path: IPv4 Process        , Capture Buffer: TEST_BUFFER
Status : Active

Configuration:
monitor capture point ip process-switched TEST_CP-2 from-us

Status Information for Capture Point TEST_CP-1
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: TEST_BUFFER
Status : Active

Configuration:
monitor capture point ip cef TEST_CP-1 FastEthernet1/0 both

R1#sh monitor capture buffer all parameters
Capture buffer TEST_BUFFER (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 128 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : TEST_CP-1, Status : Active
Name : TEST_CP-2, Status : Active
Configuration:
monitor capture buffer TEST_BUFFER size 512 max-size 128 circular
monitor capture point associate TEST_CP-1 TEST_BUFFER
monitor capture point associate TEST_CP-2 TEST_BUFFER

Generate some traffic, or wait for it to arrive:

R1#ping 10.0.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R1#sh monitor capture buffer TEST_BUFFER
18:51:47.483 UTC Feb 13 2011 : IPv4 Process    : None Fa1/0
18:51:47.491 UTC Feb 13 2011 : IPv4 CEF Turbo  : Fa1/0 None
18:51:47.491 UTC Feb 13 2011 : IPv4 LES CEF    : Fa1/0 None
18:51:47.499 UTC Feb 13 2011 : IPv4 Process    : None Fa1/0
18:51:47.503 UTC Feb 13 2011 : IPv4 CEF Turbo  : Fa1/0 None
18:51:47.503 UTC Feb 13 2011 : IPv4 LES CEF    : Fa1/0 None
18:51:47.503 UTC Feb 13 2011 : IPv4 Process    : None Fa1/0

R1#sh monitor capture buffer TEST_BUFFER dump

18:51:50.023 UTC Feb 13 2011 : IPv4 CEF Turbo  : Fa1/0 None

672C4650:          CA003713 001CCA01 3713001C      J.7...J.7...
672C4660: 08004500 00640009 0000FE01 A68D0A00  ..E..d....~.&...
672C4670: 01020A00 01010000 DCA70001 00040000  ........'......
672C4680: 0000002D A970ABCD ABCDABCD ABCDABCD  ...-)p+M+M+M+M+M
672C4690: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46A0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46B0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46C0: ABCDABCD ABCD00                      +M+M+M.

18:51:50.023 UTC Feb 13 2011 : IPv4 LES CEF    : Fa1/0 None

672C4650:          CA003713 001CCA01 3713001C      J.7...J.7...
672C4660: 08004500 00640009 0000FE01 A68D0A00  ..E..d....~.&...
672C4670: 01020A00 01010000 DCA70001 00040000  ........'......
672C4680: 0000002D A970ABCD ABCDABCD ABCDABCD  ...-)p+M+M+M+M+M
672C4690: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46A0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46B0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46C0: ABCDABCD ABCD00                      +M+M+M.

You can now export this capture using a variety of remote transfer protocols:

R1#monitor capture buffer TEST_BUFFER export ?
  ftp:    Location to dump buffer
  http:   Location to dump buffer
  https:  Location to dump buffer
  pram:   Location to dump buffer
  rcp:    Location to dump buffer
  scp:    Location to dump buffer
  tftp:   Location to dump buffer
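When the router cannot reach a file server (no TFTP/SCP destination available, or the management network is down), the `dump` output above is still enough to rebuild a pcap file offline. The following Python script is an added example, not code from the original post or from Cisco: it parses the `show monitor capture buffer <name> dump` listing (the record header line with timestamp, switching path and interfaces, followed by the hex lines), writes a classic libpcap file that Wireshark opens directly, and decodes the Ethernet/IPv4 header of each frame, verifying the IP header checksum as a sanity check that the hex was transcribed correctly. The embedded sample is the ICMP echo reply copied from the dump above; the 128-byte `max-size` truncation is reflected in the pcap record's original length when the IP total length says the frame was longer. Only the standard library is used.

```python
"""Rebuild a pcap from IOS `show monitor capture buffer <name> dump` output.

Added example (not from the original post). Standard library only.
"""
import re
import struct
from datetime import datetime, timezone

# Constructed sample: one record copied from the dump shown in the post
# (the ICMP echo reply received on Fa1/0, captured with max-size 128).
SAMPLE_DUMP = """\
18:51:50.023 UTC Feb 13 2011 : IPv4 CEF Turbo  : Fa1/0 None

672C4650:          CA003713 001CCA01 3713001C      J.7...J.7...
672C4660: 08004500 00640009 0000FE01 A68D0A00  ..E..d....~.&...
672C4670: 01020A00 01010000 DCA70001 00040000  ........'......
672C4680: 0000002D A970ABCD ABCDABCD ABCDABCD  ...-)p+M+M+M+M+M
672C4690: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46A0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46B0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
672C46C0: ABCDABCD ABCD00                      +M+M+M.
"""

# "18:51:50.023 UTC Feb 13 2011 : IPv4 CEF Turbo  : Fa1/0 None"
HEADER_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) UTC (\w{3} \d{1,2} \d{4}) : (.+?)\s*: (\S+) (\S+)\s*$")
# "672C4660: 08004500 00640009 ...  ..E..d...." (address, hex words, ASCII column)
HEXLINE_RE = re.compile(r"^[0-9A-Fa-f]{8}:(.*)$")


def parse_dump(text):
    """Return a list of records: {ts, path, in_if, out_if, data(bytes)}."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S.%f %b %d %Y")
            current = {"ts": ts.replace(tzinfo=timezone.utc), "path": m.group(3).strip(),
                       "in_if": m.group(4), "out_if": m.group(5), "data": bytearray()}
            records.append(current)
            continue
        m = HEXLINE_RE.match(line)
        if m and current is not None:
            # Hex words are separated by single spaces; a run of two or more
            # spaces marks the start of the ASCII column, which we discard.
            hex_area = re.split(r"\s{2,}", m.group(1).strip())[0]
            for word in hex_area.split():
                if len(word) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", word):
                    raise ValueError(f"unexpected token {word!r} in line: {line}")
                current["data"] += bytes.fromhex(word)
    for rec in records:
        rec["data"] = bytes(rec["data"])
    return records


def original_length(frame):
    """Best-effort wire length: EPC truncates at max-size, so use the IPv4
    total length when the frame carries IPv4 and that is larger."""
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
        return max(len(frame), 14 + struct.unpack("!H", frame[16:18])[0])
    return len(frame)


def write_pcap(records, snaplen=128):
    """Serialise records as a classic libpcap file (little-endian, LINKTYPE_ETHERNET)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for rec in records:
        ts, data = rec["ts"], rec["data"]
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond,
                           len(data), original_length(data))
        out += data
    return bytes(out)


def decode_ipv4(frame):
    """Decode Ethernet + IPv4 header fields and verify the IP header checksum."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total = sum(struct.unpack(f"!{ihl // 2}H", ip[:ihl]))
    while total >> 16:                      # fold carries (ones' complement)
        total = (total & 0xFFFF) + (total >> 16)
    return {
        "dst_mac": frame[0:6].hex(":"),
        "src_mac": frame[6:12].hex(":"),
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "ttl": ip[8],
        "proto": ip[9],
        "total_length": struct.unpack("!H", ip[2:4])[0],
        "checksum_ok": total == 0xFFFF,     # valid header sums to 0xFFFF
        "icmp_type": ip[ihl] if ip[9] == 1 and len(ip) > ihl else None,
    }


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    with open("epc_dump.pcap", "wb") as fh:
        fh.write(write_pcap(recs))
    for r in recs:
        print(r["ts"], r["path"], r["in_if"], "->", r["out_if"], decode_ipv4(r["data"]))
```

Paste the full `dump` output (all records) into `SAMPLE_DUMP` or read it from a file; every record header starts a new frame. Note that the dump above shows the same echo reply twice, once per switching path (`IPv4 CEF Turbo` and `IPv4 LES CEF`), so expect duplicates in the resulting pcap when a buffer is shared between capture points the way TEST_BUFFER is.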

Source : http://routerjockey.com/2011/02/14/ios-embedded-packet-capture/ from @tonhe
