Packet Capture on Cisco Router

    • #7320
      yatz
      Participant

      Hey all, this is a neat trick I found and used to assist some network troubleshooting at a remote site earlier this week and thought I’d share.

      Starting in IOS version 12.4T, the packet capture feature was added to Cisco Routers.  I haven’t seen this work on switches, but if you can get access to a router you actually have more power since you’ll have access to two networks rather than one.

      First, let’s look at a basic “capture all” configuration.

      From privileged exec mode:
      ! create a capture buffer
      monitor capture buffer CAP_BUFFER circular

      ! create a capture point used for filling the buffer, all interfaces, both directions
      monitor capture point ip cef CAP_POINT all both

      ! tie the capture point to the buffer
      monitor capture point associate CAP_POINT CAP_BUFFER

      ! start the capture
      monitor capture point start CAP_POINT

      ! wait…..

      ! stop the capture
      monitor capture point stop CAP_POINT

      ! save the buffer to a file
      monitor capture buffer CAP_BUFFER export flash:/capture.pcap

      Now it’s just a matter of copying the pcap file off the router, which is easily accomplished with scp:
      ! enable scp server
      configure terminal
        ip scp server enable
        end

      ! use scp tool included with PuTTY suite (windows), run from the workstation
      ! <user> and <router> are placeholders for the router login and address
      pscp -scp <user>@<router>:/capture.pcap .\capture.pcap

      ! disable scp server
      configure terminal
        no ip scp server enable
        end

      Pretty cool?  Second, we can also limit our capture filter based on an access-list.

      ! create access list (<host-ip> is a placeholder for the host you want to capture)
      configure terminal
        ip access-list extended CAPTURE_LIST
        permit ip host <host-ip> any
        end

      ! create a capture buffer
      monitor capture buffer CAP_BUFFER circular

      ! apply the capture filter to the buffer
      monitor capture buffer CAP_BUFFER filter access-list CAPTURE_LIST

      ! create a capture point used for filling the buffer, all interfaces, both directions
      monitor capture point ip cef CAP_POINT all both

      ! tie the capture point to the buffer
      monitor capture point associate CAP_POINT CAP_BUFFER

      ! start the capture
      monitor capture point start CAP_POINT

      ! wait…..

      ! stop the capture
      monitor capture point stop CAP_POINT

      ! save the buffer to a file
      monitor capture buffer CAP_BUFFER export flash:/capture.pcap

      Copy the file off the router and you’re done!

      Anyway, I thought this was pretty cool, didn’t know it was possible until this week.  I can imagine using this to not only sniff cleartext passwords from telnet, but also VoIP… HTTP… all from a router that is typically not looked at every day.

    • #45752
      Triban
      Participant

      Nice writeup and decent feature Yatz!  Thanks!

    • #45753
      kerpap
      Participant

      For a Cisco switch you can configure one of the ports to be a switch port analyzer (SPAN).
      This is used for IDS appliances to monitor traffic.
      All you need to do is plug your laptop into the SPAN port and turn on Wireshark.

      Most switches use the same command. Here I did it on a 6509 switch:

      Router(config)#monitor session 1 source interface g1/1 - 48 both
      Router(config)#monitor session 1 destination int g2/1

      As you can see I am monitoring the range G1/1 - 48 and sending the traffic to port g2/1.
      “both” indicates that I want to monitor both sent and received packets.

    • #45754
      knwminus
      Participant

      Nice writeup. Good to see new features being added on the IOS. I am going to try this out today.

    • #45755
      yatz
      Participant

      One thing to add that I discovered later on – By default, the packets are truncated at 68 bytes (anyone know why 68 is the default???).

      To increase this and get full packets, use the following command:
      monitor capture buffer CAP_BUFFER max-size 1500
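      A worked check for the two points above (the buffer exported to flash as a pcap, and the default 68-byte snapshot length that truncates packets). This is an added example, not code from the thread; it assumes the exported file is a standard libpcap file and the sample capture below is constructed, not real traffic. It reads the global header, walks the records, and reports how many were cut short, which is the first thing to verify before trusting a capture taken without max-size.

```python
"""Report truncated packets in a libpcap file exported from an IOS capture buffer.

Added example (not from the forum thread). Assumes the router exported
standard libpcap: 24-byte global header, then 16-byte record headers.
"""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4  # magic number in the writer's native byte order


def parse_pcap(data: bytes):
    """Return (snaplen, linktype, records); records are (ts, incl_len, orig_len, payload)."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    # Read the magic little-endian; a swapped value means the writer was big-endian.
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError(f"not a libpcap file: magic {magic:#x}")
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    records = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError(f"record at offset {off - 16} runs past end of file")
        records.append((ts_sec + ts_usec / 1e6, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, linktype, records


def truncation_report(data: bytes) -> dict:
    """Summarise how much of the capture was lost to the snapshot length."""
    snaplen, linktype, records = parse_pcap(data)
    truncated = [r for r in records if r[1] < r[2]]  # incl_len < orig_len
    return {
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": len(records),
        "truncated": len(truncated),
        "max_orig_len": max((r[2] for r in records), default=0),
    }


def build_pcap(snaplen: int, frames, linktype: int = 1, byteorder: str = "<") -> bytes:
    """Write a libpcap file the way a capturing device would, cutting frames at snaplen.

    Used here only to construct sample input; linktype 1 is Ethernet.
    """
    out = struct.pack(byteorder + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack(byteorder + "IIII", 1_600_000_000 + i, 0, len(captured), len(frame))
        out += captured
    return out


# Constructed sample frames: a 60-byte ARP-sized frame, a 1400-byte and a 200-byte frame.
SAMPLE_FRAMES = [bytes(60), bytes(1400), bytes(200)]
SAMPLE_PCAP_DEFAULT = build_pcap(68, SAMPLE_FRAMES)      # router default snapshot
SAMPLE_PCAP_MAXSIZE = build_pcap(1500, SAMPLE_FRAMES)    # after "max-size 1500"


if __name__ == "__main__":
    # Usage: python pcap_trunc.py capture.pcap   (no argument: run on the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_PCAP_DEFAULT
    rep = truncation_report(blob)
    print(f"snaplen={rep['snaplen']} packets={rep['packets']} "
          f"truncated={rep['truncated']} largest={rep['max_orig_len']}")
```

      With the router's default, the constructed 1400- and 200-byte frames come back as 68-byte records with orig_len still reporting the true size, so a capture taken without max-size will decode headers but lose most payload; the same file written with a 1500-byte snapshot reports nothing truncated.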
