Sunday, 30 June 2013

Capturing Packets from a Cisco Router for Wireshark pcap

In case you wish to troubleshoot issues and view specific packet flow traversing your routers, you will need a tftp server setup so that you can export your captures.

I use tftpd64 or tftpd32. It's a nice free, simple tftp daemon that runs on Windows:

In this example, my tftp server is on

First off, we need to create an access-list the matches the traffic you wish to capture. I am wanting to capture traffic traversing my router, destined to and from

Router(config)# access-list 140 permit ip host any
Router(config)# access-list 140 permit ip any host

This ACL will capture all traffic to and from this IP address.

Next we need to enable the Cisco packet monitoring service:

Router# monitor capture buffer holdpackets

Now we can filter the monitored traffic by filtering it through our access-list:

Router# monitor capture buffer holdpackets filter access-list 140

Now for some tweaks so that we actually get complete packet data for inspection in Wireshark

Router# monitor capture buffer holdpackets size 10240 max-size 9500

Now we need to name our particular packet capture. I have called mine "testcap"

Router# monitor capture point ip cef testcap all both
Router# monitor capture point associate testcap holdpackets

Now we can start our capture!

Router# monitor capture point start testcap

Once you think you have acquired enough packets, to stop the capture, type:

Router# monitor capture point stop testcap

Now you can export your data to your tftp server by typing in the following command. You can then open the .pcap file in Wireshark for viewing

Router# monitor capture buffer holdpackets export tftp://

Once uploaded you can clear your capture buffer by typing the following:

Router# no monitor capture buffer holdpackets

Router# no monitor capture point ip cef testcap all both

To check if there are any current captures or parameters configured, you can use the following command:

Router# sh monitor capture point all

Wednesday, 19 June 2013

Example of CBWFQ QoS and Shaping

Shaping to 30mbps Maximum:

ip access-list extended ShapeMe
 permit ip any
 permit ip any
class-map match-any ShapeMe
match access-group name ShapeMe
policy-map ShapeMe
class ShapeMe
shape average 30m
! Will shape at 30mbps maximum
int g0/0
service-policy output ShapeMe
! Apply to output interface. If needed in both ingress and egress, apply to both inside and outside interfaces

Priority for SQL Traffic?

ip access-list extended SQL
 permit tcp range 1433 1434
 permit tcp range 1433 1434

class-map match-any SQL
match access-group name SQL

policy-map SQL
class SQL
priority 1024
! Guarantees 1mbps at all times

int g0/0
service-policy output SQL
! Apply to output interface. If needed in both ingress and egress, apply to both inside and outside interfaces

What is I just want to shape traffic by the interface that it enters? Eg an internet or WAN interface?

! Since you can only shape on output, not input, in this example I will shape the Upstream and Downstream CIR rate to 100mbps down and 40mbps up. The inbound or internet interface is GigabitEthernet0/1. GigabitEthernet0/0 is the LAN side.

class-map match-any QoS_DOWN
 match input-interface GigabitEthernet0/1

class-map match-any QoS_UP
 match any

policy-map QoS_DOWN
 class QoS_DOWN
  shape average 100m

policy-map QoS_UP
 class QoS_UP
  shape average 40m

interface GigabitEthernet0/0
description LAN Interface
 service-policy output QoS_DOWN

interface GigabitEthernet0/1
description Internet Interface
 service-policy output QoS_UP