Cisco IOS-XE Packet Capture


1. Configure the capture

config terminal
 ip access-list extended CAP-FILTER
  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 
  permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 
  exit
 exit
monitor capture CAP access-list CAP-FILTER buffer size 10 interface GigabitEthernet 0/0/0 both

2. Start the capture

monitor capture CAP start

3. Stop the capture

monitor capture CAP stop

4. Verify the capture is collecting packets

show monitor capture CAP buffer

You should see packets captured in the output:

Router#show monitor capture CAP buffer
buffer size (KB) : 14336
buffer used (KB) : 128
packets in buf : 184
packets dropped : 0
packets per sec : 7

5. Collect the dump and decode it in the next step.

show monitor capture CAP buffer brief

This can be used to see a basic decode of the captured packets:

Router#show monitor capture CAP buffer brief
 -------------------------------------------------------------
 #   size   timestamp     source         destination   protocol
 -------------------------------------------------------------
   0   60    0.000000   10.7.7.130       ->  10.7.7.43        TCP
   1   60    0.000992   10.7.7.43        ->  10.7.7.130       TCP
   2   75    0.000992   10.7.7.43        ->  10.7.7.130       TCP
   3   58    0.001999   10.7.7.130       ->  10.7.7.43        TCP
   4   58    0.001999   10.7.7.130       ->  10.7.7.43        TCP
   5   60    0.128000   10.7.7.130       ->  10.7.7.43        TCP
   6   60    0.128992   10.7.7.43        ->  10.7.7.130       TCP

Or, if more detailed analysis is necessary, collect the full dump and decode it in the Dump Decoder tab above:

terminal length 0
show monitor capture CAP buffer dump

6. Remove the capture and access list (ACL) if necessary:

no monitor capture CAP
config terminal
 no ip access-list extended CAP-FILTER
 exit
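
Added example, not part of the original page: a Python script that parses the "buffer brief" rows from step 5, totals packets and bytes per conversation, and checks each packet against the CAP-FILTER entries from step 1 using IOS wildcard-mask matching. The function names are assumptions made for this example; the sample rows on the page use 10.7.7.x addresses, so every one of them falls outside CAP-FILTER.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed input: header and packet rows copied from the step 5 sample output.
SAMPLE_BRIEF = """\
 #   size   timestamp     source         destination   protocol
   0   60    0.000000   10.7.7.130       ->  10.7.7.43        TCP
   1   60    0.000992   10.7.7.43        ->  10.7.7.130       TCP
   2   75    0.000992   10.7.7.43        ->  10.7.7.130       TCP
   3   58    0.001999   10.7.7.130       ->  10.7.7.43        TCP
   4   58    0.001999   10.7.7.130       ->  10.7.7.43        TCP
   5   60    0.128000   10.7.7.130       ->  10.7.7.43        TCP
   6   60    0.128992   10.7.7.43        ->  10.7.7.130       TCP
"""
# CAP-FILTER permit entries from step 1: (src, src wildcard, dst, dst wildcard).
CAP_FILTER = [
    ("192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
]
IP = r"(\d+(?:\.\d+){3})"
ROW = re.compile(rf"^\s*(\d+)\s+(\d+)\s+(\d+\.\d+)\s+{IP}\s+->\s+{IP}\s+(\S+)\s*$")

def parse_brief(text):
    """Return one dict per IPv4 packet row; header and rule lines are skipped."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        num, size, ts, src, dst, proto = m.groups()
        rows.append({"num": int(num), "size": int(size), "ts": float(ts),
                     "src": src, "dst": dst, "proto": proto})
    return rows

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def in_filter(pkt, acl=CAP_FILTER):
    """True if the packet's source and destination match a permit entry."""
    return any(wildcard_match(pkt["src"], s, sw) and wildcard_match(pkt["dst"], d, dw)
               for s, sw, d, dw in acl)

def conversations(rows):
    """Map (lower IP, higher IP, protocol) -> [packet count, total bytes]."""
    conv = defaultdict(lambda: [0, 0])
    for p in rows:
        a, b = sorted((p["src"], p["dst"]), key=IPv4Address)
        conv[(a, b, p["proto"])][0] += 1
        conv[(a, b, p["proto"])][1] += p["size"]
    return dict(conv)
```

Paste the router's "buffer brief" output into parse_brief() and list the rows where in_filter() is False to confirm the capture holds only the traffic the ACL was meant to select.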