I use tftpd64 or tftpd32. It's a nice free, simple tftp daemon that runs on Windows: http://www.jounin.net/tftpd32.html
In this example, my tftp server is on 10.0.0.55.
First off, we need to create an access-list the matches the traffic you wish to capture. I am wanting to capture traffic traversing my router, destined to and from 32.55.55.32
Router(config)# access-list 140 permit ip host 32.55.55.32 any
Router(config)# access-list 140 permit ip any host 32.55.55.32
This ACL will capture all traffic to and from this IP address.
Next we need to enable the Cisco packet monitoring service:
Router# monitor capture buffer holdpackets
Now we can filter the monitored traffic by filtering it through our access-list:
Router# monitor capture buffer holdpackets filter access-list 140
Now for some tweaks so that we actually get complete packet data for inspection in Wireshark
Router# monitor capture buffer holdpackets size 10240 max-size 9500
Now we need to name our particular packet capture. I have called mine "testcap"
Router# monitor capture point ip cef testcap all both
Router# monitor capture point associate testcap holdpackets
Now we can start our capture!
Router# monitor capture point start testcap
Once you think you have acquired enough packets, to stop the capture, type:
Router# monitor capture point stop testcap
Now you can export your data to your tftp server by typing in the following command. You can then open the .pcap file in Wireshark for viewing
Router# monitor capture buffer holdpackets export tftp://10.0.0.55/testcap.pcap
Once uploaded you can clear your capture buffer by typing the following:
Router# no monitor capture buffer holdpackets
Router# no monitor capture point ip cef testcap all both
To check if there are any current captures or parameters configured, you can use the following command:
Router# sh monitor capture point all
Hi, On which Cisco Router Model is this feature available ?
ReplyDeleteThis config was written especially for a Cisco ISR
Delete