On an IOS router (for example, an 890, 1900, 2900, 3900, or 7200 Series Router), you can capture network traffic that is traversing the device. This functionality was introduced in IOS version 12.4(20)T. The steps below configure the capture and extract the dump via the command-line interface. Exporting the capture via a network transfer is also possible.
1. Configure the capture
config terminal
ip access-list extended CAP-FILTER
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
end
! The monitor capture commands below are entered in privileged EXEC mode
monitor capture buffer CAP-BUF max-size 1514
monitor capture buffer CAP-BUF filter access-list CAP-FILTER
monitor capture point ip cef CAP-POINT GigabitEthernet 0/0/0 both
monitor capture point associate CAP-POINT CAP-BUF
2. Start the capture
monitor capture point start CAP-POINT
3. Stop the capture
monitor capture point stop CAP-POINT
4. Verify the capture is collecting packets
show monitor capture buffer CAP-BUF parameters
The output should show captured packets:
Router#show monitor capture buffer CAP-BUF parameters
Capture buffer CAP-BUF (linear buffer)
Buffer Size : 1048576 bytes, Max Element Size : 1500 bytes, Packets : 260
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : CAP-POINT, Status : Inactive
Configuration:
monitor capture buffer CAP-BUF max-size 1500
monitor capture point associate CAP-POINT CAP-BUF
monitor capture buffer CAP-BUF filter access-list CAP-FILTER-FILTER
5. Collect the dump and decode it in the next step.
terminal length 0
show monitor capture buffer CAP-BUF dump
6. Remove the capture and access list (ACL) if necessary:
no monitor capture point ip cef CAP-POINT GigabitEthernet 0/0/0 both
no monitor capture buffer CAP-BUF
config terminal
no ip access-list extended CAP-FILTER
exit
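Step 5 prints the buffer as text, so it has to be converted before a packet analyzer can open it. The following is an added example, not part of the original page, that parses such a dump and serialises it as a pcap file. The dump layout, the constructed sample packets, the output file name cap-buf.pcap and the Ethernet link type are assumptions.

```python
import re
import struct

# Constructed sample. Assumed layout of the step 5 dump: one header line per
# packet, then rows of "ADDRESS: hex words  ASCII" (first row may be padded).
SAMPLE_DUMP = """\
10:15:02.123 UTC Jan 1 2024 : IPv4 LES CEF    : Gi0/0/0 None

0F3A1B10:                   001A2B4C 4D5E001A  ..+LM^..
0F3A1B20: 2B4C4D5F 08004500 001C0001 00004001  +LM_..E.......@.
0F3A1B30: F67BC0A8 010AC0A8 020A0800 F7FD0001  .{..............
0F3A1B40: 0001                                 ..

10:15:02.127 UTC Jan 1 2024 : IPv4 LES CEF    : Gi0/0/0 None

0F3A2C10: 001A2B4C 4D5F001A 2B4C4D5E 08004500  ..+LM_..+LM^..E.
0F3A2C20: 001C0002 00004001 F67AC0A8 020AC0A8  ......@..z......
0F3A2C30: 010A0000 FFFD0001 0001               ..........
"""

# Address, then single-spaced hex words; two or more spaces end the hex area.
ROW = re.compile(r"^[0-9A-F]{8}:\s+((?:[0-9A-F]{2,8} )*[0-9A-F]{2,8})(?:\s{2,}|$)")

def parse_dump(text):
    """Return one bytes object per packet found in the dump text."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:                               # hex row: append its bytes
            current += bytes.fromhex(m.group(1).replace(" ", ""))
        elif line.strip() and current:      # next header line closes a packet
            packets.append(bytes(current))
            current = bytearray()
    if current:
        packets.append(bytes(current))
    return packets

def to_pcap(packets, linktype=1):
    """Serialise packets as a classic pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for pkt in packets:
        # Timestamps are zeroed; the header-line time is not parsed here.
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    with open("cap-buf.pcap", "wb") as fh:   # hypothetical output file name
        fh.write(to_pcap(parse_dump(SAMPLE_DUMP)))
```

To use it on a real capture, save the terminal output of step 5 to a text file and pass its contents to parse_dump in place of SAMPLE_DUMP.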