Packet Capture on Cisco Router

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Fri Feb 03, 2012 10:59 am

Packet Capture on Cisco Router

Hey all, this is a neat trick I found and used to assist some network troubleshooting at a remote site earlier this week and thought I'd share.

Starting in IOS version 12.4T, the packet capture feature was added to Cisco Routers.  I haven't seen this work on switches, but if you can get access to a router you actually have more power since you'll have access to two networks rather than one.


First, let's look at a basic "capture all" configuration.

From privileged exec mode:
! create a capture buffer
monitor capture buffer CAP_BUFFER circular

! create a capture point used for filling the buffer, all interfaces, both directions
monitor capture point ip cef CAP_POINT all both

! tie the capture point to the buffer
monitor capture point associate CAP_POINT CAP_BUFFER

! start the capture
monitor capture point start CAP_POINT

! wait.....

! stop the capture
monitor capture point stop CAP_POINT

! save the buffer to a file
monitor capture buffer CAP_BUFFER export flash:/capture.pcap


Now it's just a matter of copying the pcap file off the router, which is easily accomplished with scp:
! enable scp server
configure terminal
  ip scp server enable
  end

! use scp tool included with PuTTY suite (windows)
pscp -scp <user>@<router_ip>:/capture.pcap .\capture.pcap

! disable scp server
configure terminal
  no ip scp server enable
  end


Pretty cool?  Second, we can also limit our capture filter based on an access-list.

! create access list
configure terminal
  ip access-list extended CAPTURE_LIST
  permit ip host <source_ip> any
  end

! create a capture buffer
monitor capture buffer CAP_BUFFER circular

! apply the capture filter to the buffer
monitor capture buffer CAP_BUFFER filter access-list CAPTURE_LIST

! create a capture point used for filling the buffer, all interfaces, both directions
monitor capture point ip cef CAP_POINT all both

! tie the capture point to the buffer
monitor capture point associate CAP_POINT CAP_BUFFER

! start the capture
monitor capture point start CAP_POINT

! wait.....

! stop the capture
monitor capture point stop CAP_POINT

! save the buffer to a file
monitor capture buffer CAP_BUFFER export flash:/capture.pcap


Copy the file off the router and you're done!

Anyway, I thought this was pretty cool, didn't know it was possible until this week.  I can imagine using this to not only sniff cleartext passwords from telnet, but also VoIP... HTTP... all from a router that is typically not looked at every day.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Fri Feb 03, 2012 12:15 pm

Re: Packet Capture on Cisco Router

Nice writeup and decent feature Yatz!  Thanks!
Certs: GCWN
(@)Dewser

kerpap

Newbie

Posts: 8

Joined: Tue Jul 08, 2008 2:55 pm

Post Wed Feb 15, 2012 11:28 pm

Re: Packet Capture on Cisco Router

For a Cisco switch you can configure one of the ports to be a switch port analyzer (SPAN).
This is used for IDS appliances to monitor traffic.
All you need to do is plug your laptop into the SPAN port and turn on Wireshark.

Most switches use the same command. Here I did it on a 6509 switch:

Router(config)#monitor session 1 source interface g1/1 - 48 both
Router(config)#monitor session 1 destination int g2/1

As you can see I am monitoring the range G1/1 - 48 and sending the traffic to port g2/1.
"both" indicates that I want to monitor both sent and received packets.

knwminus

Full Member

Posts: 100

Joined: Thu Feb 25, 2010 11:26 pm

Post Wed Feb 22, 2012 10:56 am

Re: Packet Capture on Cisco Router

Nice writeup. Good to see new features being added on the IOS. I am going to try this out today.
A+ N+ CCNA CCNA:S CNSS 4011 Security+

Next Up: CCNP CCNP:S

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Wed Feb 22, 2012 11:19 am

Re: Packet Capture on Cisco Router

One thing to add that I discovered later on - By default, the packets are truncated at 68 bytes (anyone know why 68 is the default???).

To increase this and get full packets, use the following command:
monitor capture buffer CAP_BUFFER max-size 1500
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
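The 68-byte truncation mentioned in the post above is easy to miss until the file is already open in Wireshark. The following Python script is an added example for this page, not code from the thread or from Cisco: it parses a classic pcap's global header and per-record headers and reports how many records were captured shorter than their on-wire length. The sample capture it reads is constructed inline (zero payload bytes, Ethernet link type) to mimic what a buffer with the default size versus max-size 1500 would export.

```python
import struct

def parse_pcap(data: bytes) -> dict:
    """Parse a classic (not pcapng) pcap image held in memory.

    Returns the snaplen from the global header, the number of records, and
    how many records have a captured length shorter than the on-wire length,
    which is exactly what a 68-byte capture buffer produces for full frames.
    """
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng or corrupt)")
    # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    offset, packets, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % (offset - 16))
        packets += 1
        if incl_len < orig_len:
            truncated += 1
        offset += incl_len
    return {"snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}

def build_sample_pcap(snaplen: int, frame_lengths) -> bytes:
    """Constructed sample (not a real capture): an Ethernet (linktype 1) pcap
    whose records are clipped at snaplen, mimicking the router's capture buffer.
    Payload bytes are zeros; only the length fields matter for the check."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, orig_len in enumerate(frame_lengths):
        incl_len = min(orig_len, snaplen)
        out += struct.pack("<IIII", 1328300000 + i, 0, incl_len, orig_len)
        out += bytes(incl_len)
    return out

if __name__ == "__main__":
    # default buffer (68 bytes) versus the max-size 1500 setting from the post
    for snap in (68, 1500):
        print(snap, parse_pcap(build_sample_pcap(snap, [60, 1514, 68, 500])))
```

Run it against a real export instead by passing `open("capture.pcap", "rb").read()` to `parse_pcap`; a non-zero `truncated` count with `snaplen` 68 means the buffer's max-size was left at the default.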
