Cisco IOS Packet Capture

On an IOS router (for example an 890, 1900, 2900, 3900 or 7200 Series router) there is a capability to capture network traffic that traverses the device. This functionality was introduced in IOS version 12.4(20)T. The steps below walk through configuring the capture and extracting the dump via the command line interface. Exporting the capture via a network transfer is also possible.

1. Configure the capture (the access list is defined in configuration mode; the monitor capture commands are entered from privileged EXEC mode)

config terminal
 ip access-list extended CAP-FILTER
  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 end

monitor capture buffer CAP-BUF max-size 1514
monitor capture buffer CAP-BUF filter access-list CAP-FILTER
monitor capture point ip cef CAP-POINT GigabitEthernet 0/0/0 both
monitor capture point associate CAP-POINT CAP-BUF

2. Start the capture

monitor capture point start CAP-POINT

3. Stop the capture

monitor capture point stop CAP-POINT

4. Verify the capture is collecting packets

show monitor capture buffer CAP-BUF parameters

You should see a non-zero packet count in the output (260 here):

Router#show monitor capture buffer CAP-BUF parameters
Capture buffer CAP-BUF (linear buffer)
Buffer Size : 1048576 bytes, Max Element Size : 1500 bytes, Packets : 260
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : CAP-POINT, Status : Inactive
Configuration:
monitor capture buffer CAP-BUF max-size 1500
monitor capture point associate CAP-POINT CAP-BUF
monitor capture buffer CAP-BUF filter access-list CAP-FILTER-FILTER

5. Collect the dump for decoding.

terminal length 0
show monitor capture buffer CAP-BUF dump
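The dump command prints the buffer as a hex listing rather than a pcap, so the following added example (not from the original page) converts that text into a pcap file for Wireshark or tcpdump and checks that each frame's IPv4 endpoints really fall inside the CAP-FILTER networks, which is how you confirm the filter captured what you intended. The row layout, the router clock being in UTC, and the sample frame are assumptions made for this example.

```python
# Added example, not from the original page: decode the text of
# "show monitor capture buffer CAP-BUF dump" into a pcap and verify the
# captured endpoints against CAP-FILTER. Assumed 12.4(20)T-era layout: a
# timestamp line per packet, then rows "ADDR: HHHHHHHH HHHHHHHH ...  <ascii>".
import re
import struct
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) \S+ (\w{3} +\d{1,2} \d{4}) :")
# 4-byte words separated by one space, optional trailing partial word; the
# ASCII column is preceded by two spaces, so the single-space pattern stops there.
ROW_RE = re.compile(r"^\s*[0-9A-F]+:\s+((?:[0-9A-F]{8} )*(?:[0-9A-F]{2}){1,4})(?=\s\s|\s*$)")

def parse_dump(text):  # -> [(epoch_sec, usec, frame_bytes), ...]
    packets = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:  # timestamp line opens a new packet (router clock assumed UTC)
            dt = datetime.strptime(f"{h.group(1)} {h.group(2)}", "%H:%M:%S.%f %b %d %Y")
            dt = dt.replace(tzinfo=timezone.utc)
            packets.append([int(dt.timestamp()), dt.microsecond, bytearray()])
        elif packets and (r := ROW_RE.match(line)):
            packets[-1][2] += bytes.fromhex(r.group(1).replace(" ", ""))
    return [(s, u, bytes(f)) for s, u, f in packets]

def to_pcap(packets):  # classic pcap, link type 1 (Ethernet), snaplen 65535
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

def ipv4_endpoints(frame):  # (src, dst) of an Ethernet II + IPv4 frame, else None
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))

def in_filter(frame, nets=("192.168.1.0/24", "192.168.2.0/24")):  # both ends in the ACL
    ends = ipv4_endpoints(frame)
    return bool(ends) and all(any(ip_address(e) in ip_network(n) for n in nets) for e in ends)

# Constructed sample dump (not a real capture): one UDP frame 192.168.1.10 -> 192.168.2.20
SAMPLE_DUMP = """\
10:15:42.317 UTC Mar 13 2023 : IPv4 LES CEF    : Gi0/0/0 None

3A2B8CD8:                   001F9EE0 A4B00022  ..`$0..
3A2B8CE0: BDF819FF 08004500 00200001 40003E11  =x....E.. ...@.>.
3A2B8CF0: B85DC0A8 010AC0A8 021404D2 0035000C  8]@(..@(...R.5..
3A2B8D00: 0000DEAD BEEF                        ..^-><
"""
```

Write `to_pcap(parse_dump(open("cap-buf.txt").read()))` to a `.pcap` file and open it in Wireshark; any frame for which `in_filter` is False indicates the access list did not restrict the capture the way you expected.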

6. Remove the capture point, the buffer and the access list (ACL) when they are no longer needed:

no monitor capture point ip cef CAP-POINT GigabitEthernet 0/0/0 both
no monitor capture buffer CAP-BUF
config terminal
 no ip access-list extended CAP-FILTER
 exit