Jeet Kumar
Cisco Employee

Introduction

This document describes how to capture inbound and outbound traffic generated by a Cisco IOS router.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IOS Release 12.4(20)T or later
  • Cisco IOS-XE Release 15.2(4)S - 3.7.0 or later

The information in this document was created from devices in a lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

When enabled, the router captures the packets sent and received. The packets are stored within a buffer in DRAM and are thus not persistent through a reload. Once the data is captured, it can be examined in a summary or detailed view on the router. In addition, the data can be exported as a packet capture (PCAP) file to allow for further examination. The tool is configured in exec mode and is considered a temporary assistance tool. As a result, the tool configuration is not stored within the router configuration and will not remain in place after a system reload.

Cisco IOS Configuration Example

To capture both inbound and outbound traffic on the router, two sets of captures are needed:

  • CEF switching path capture for inbound IKE packets
  • Process-switching path capture for outbound IKE packets

Capture for inbound packets:

monitor capture buffer in-buffer max-size 1500 linear

monitor capture point ip cef in-capture GigabitEthernet0/0 in

monitor capture point associate in-capture in-buffer

Capture for outbound packets:

monitor capture buffer out-buffer max-size 1500 linear

monitor capture point ip process-switched out-capture from-us

monitor capture point associate out-capture out-buffer

Start the captures simultaneously:

monitor capture point start all

Stop the captures:

monitor capture point stop all

Transfer the capture to a TFTP server for further analysis:

monitor capture buffer out-buffer export tftp://x.x.x.x/out-buffer.pcap

monitor capture buffer in-buffer export tftp://x.x.x.x/in-buffer.pcap

Once the necessary data has been collected, delete the "capture point" and "capture buffer":

  no monitor capture buffer in-buffer
  no monitor capture buffer out-buffer
  no monitor capture point ip cef in-capture GigabitEthernet0/0 in
  no monitor capture point ip process-switched out-capture from-us
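
Because the procedure produces two separate files, the analyst still has to put inbound and outbound packets on one timeline. The following is an added example, not part of the original document or a Cisco tool: it merges the two exports chronologically and flags any packet stored shorter than its on-wire length. It assumes the exports are classic libpcap files; the function names and the sample records are constructed for illustration.

```python
import heapq
import struct

PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # byte order by magic

def read_pcap(data, direction):
    """Yield (sec, usec, direction, captured_len, truncated) for each pcap record."""
    endian = PCAP_MAGIC.get(data[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl > len(data):
            break  # incomplete final record: stop rather than misparse
        yield (sec, usec, direction, incl, incl < orig)
        offset += incl

def merge_timeline(in_data, out_data):
    """Merge both buffers into one chronological list (each file is already in order)."""
    return list(heapq.merge(read_pcap(in_data, "in"), read_pcap(out_data, "out")))

def sample_pcap(records):
    """Constructed test input: little-endian pcap from (sec, usec, payload, wire_len)."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload, wire_len in records:
        blob += struct.pack("<IIII", sec, usec, len(payload), wire_len) + payload
    return blob

if __name__ == "__main__":
    # Constructed data; for real files use open("in-buffer.pcap", "rb").read()
    in_data = sample_pcap([(100, 500, b"\x00" * 60, 60), (102, 0, b"\x00" * 1500, 1600)])
    out_data = sample_pcap([(101, 0, b"\x00" * 80, 80)])
    for sec, usec, direction, length, truncated in merge_timeline(in_data, out_data):
        flag = " TRUNCATED" if truncated else ""
        print(f"{sec}.{usec:06d} {direction:>3} {length} bytes{flag}")
```

A TRUNCATED flag means the stored packet is shorter than what was on the wire, so payload-level analysis of that packet is incomplete.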
