Author Topic: Packet Capture on Cisco Router  (Read 5361 times)
yatz
« on: February 03, 2012, 09:59:32 AM »

Hey all, this is a neat trick I found and used to assist some network troubleshooting at a remote site earlier this week and thought I'd share.

Starting in IOS version 12.4T, the packet capture feature was added to Cisco Routers.  I haven't seen this work on switches, but if you can get access to a router you actually have more power since you'll have access to two networks rather than one.


First, let's look at a basic "capture all" configuration.

From privileged exec mode:
 ! create a capture buffer
 monitor capture buffer CAP_BUFFER circular
 
! create a capture point used for filling the buffer, all interfaces, both directions
 monitor capture point ip cef CAP_POINT all both
 
 ! tie the capture point to the buffer
 monitor capture point associate CAP_POINT CAP_BUFFER

 ! start the capture
 monitor capture point start CAP_POINT

 ! wait.....

 ! stop the capture
 monitor capture point stop CAP_POINT

 ! save the buffer to a file
 monitor capture buffer CAP_BUFFER export flash:/capture.pcap


Now it's just a matter of copying the pcap file off the router, which is easily accomplished with scp:
 ! enable scp server (IOS also requires AAA authentication/authorization and a privilege-15 user for scp)
 configure terminal
  ip scp server enable
  end

 ! use scp tool included with PuTTY suite (run on the Windows host, not the router)
 pscp -scp <user>@<router_ip>:/capture.pcap .\capture.pcap

 ! disable scp server when done
 configure terminal
  no ip scp server enable
  end


Pretty cool?  Second, we can also limit our capture filter based on an access-list.

 ! create access list (name must match the one used in the filter command below)
 configure terminal
  ip access-list extended CAPTURE_LIST
   permit ip host <source_ip> any
   end
 
 ! create a capture buffer
 monitor capture buffer CAP_BUFFER circular

 ! apply the capture filter to the buffer
 monitor capture buffer CAP_BUFFER filter access-list CAPTURE_LIST
 
 ! create a capture point used for filling the buffer, all interfaces, both directions
 monitor capture point ip cef CAP_POINT all both
 
 ! tie the capture point to the buffer
 monitor capture point associate CAP_POINT CAP_BUFFER

 ! start the capture
 monitor capture point start CAP_POINT

 ! wait.....

 ! stop the capture
 monitor capture point stop CAP_POINT

 ! save the buffer to a file
 monitor capture buffer CAP_BUFFER export flash:/capture.pcap


Copy the file off the router and you're done!

Anyway, I thought this was pretty cool, didn't know it was possible until this week.  I can imagine using this to not only sniff cleartext passwords from telnet, but also VoIP... HTTP... all from a router that is typically not looked at every day.

"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
3xban
« Reply #1 on: February 03, 2012, 11:15:19 AM »

Nice writeup and decent feature Yatz!  Thanks!

Certs: GCWN
(@)Dewser
kerpap
« Reply #2 on: February 15, 2012, 10:28:41 PM »

For a Cisco switch you can configure one of the ports to be a Switched Port Analyzer (SPAN) port. This is used for IDS appliances to monitor traffic. All you need to do is plug your laptop into the SPAN port and turn on Wireshark.

Most switches use the same command. Here I did it on a 6509 switch:

Router(config)#monitor session 1 source interface g1/1 - 48 both
Router(config)#monitor session 1 destination int g2/1

As you can see I am monitoring the range g1/1 - 48 and sending the traffic to port g2/1. "both" indicates that I want to monitor both sent and received packets.
knwminus
« Reply #3 on: February 22, 2012, 09:56:57 AM »

Nice writeup. Good to see new features being added on the IOS. I am going to try this out today.

A+ N+ CCNA CCNA:S CNSS 4011 Security+

Next Up: CCNP CCNP:S
yatz
« Reply #4 on: February 22, 2012, 10:19:08 AM »

One thing to add that I discovered later on - By default, the packets are truncated at 68 bytes (anyone know why 68 is the default???).

To increase this and get full packets, use the following command:
 monitor capture buffer CAP_BUFFER max-size 1500

"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
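The 68-byte truncation mentioned above is easy to miss until you open the export and find only headers. The following is an added example (not from the thread or from Cisco): a small classic-pcap parser that reads the file's snaplen and each record's captured vs. original length and reports how much payload the capture buffer dropped. The sample pcap it builds in memory is constructed for the demo; `DEFAULT_IOS_ELEMENT_SIZE` is simply the 68 bytes quoted in the reply.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap magic, little-endian, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1      # same magic seen through a little-endian read of a big-endian file
DEFAULT_IOS_ELEMENT_SIZE = 68   # per-packet slice size the reply says IOS uses by default

def build_pcap(snaplen: int, packets: List[bytes], caplen_limit: int) -> bytes:
    """Construct a classic pcap file in memory (sample data, not a router export).
    Each record is sliced to caplen_limit to mimic a truncating capture buffer."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1))
    for i, pkt in enumerate(packets):
        captured = pkt[:caplen_limit]
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        out += struct.pack("<IIII", 1_328_000_000 + i, 0, len(captured), len(pkt))
        out += captured
    return bytes(out)

def parse_pcap(data: bytes) -> Tuple[int, List[Tuple[int, int]]]:
    """Return (header snaplen, [(caplen, origlen), ...]) for every record."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    snaplen, = struct.unpack_from(endian + "I", data, 16)
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + caplen > len(data):
            raise ValueError("record at offset %d runs past end of file" % off)
        records.append((caplen, origlen))
        off += caplen
    return snaplen, records

def truncation_report(data: bytes) -> dict:
    """Summarise how many packets lost bytes, so the analyst knows whether the
    payload (anything past the L2/L3/L4 headers) is actually present in the file."""
    snaplen, records = parse_pcap(data)
    truncated = [(c, o) for c, o in records if c < o]
    return {
        "snaplen": snaplen,
        "packets": len(records),
        "truncated": len(truncated),
        "bytes_lost": sum(o - c for c, o in truncated),
        "looks_like_default_68": bool(truncated)
            and all(c == DEFAULT_IOS_ELEMENT_SIZE for c, _ in truncated),
    }
```

Run `truncation_report(open("capture.pcap", "rb").read())` on a real export before trusting it for anything beyond header-level analysis; a non-zero `truncated` count with every caplen at 68 means the buffer was created without `max-size`.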