Sunday 30 June 2013

Capturing Packets from a Cisco Router for Wireshark pcap

In case you wish to troubleshoot issues and view specific packet flow traversing your routers, you will need a tftp server setup so that you can export your captures.

I use tftpd64 or tftpd32. It's a nice free, simple tftp daemon that runs on Windows: http://www.jounin.net/tftpd32.html

In this example, my tftp server is on 10.0.0.55.

First off, we need to create an access-list the matches the traffic you wish to capture. I am wanting to capture traffic traversing my router, destined to and from 32.55.55.32

Router(config)# access-list 140 permit ip host 32.55.55.32 any
Router(config)# access-list 140 permit ip any host 32.55.55.32

This ACL will capture all traffic to and from this IP address.

Next we need to enable the Cisco packet monitoring service:

Router# monitor capture buffer holdpackets

Now we can filter the monitored traffic by filtering it through our access-list:

Router# monitor capture buffer holdpackets filter access-list 140

Now for some tweaks so that we actually get complete packet data for inspection in Wireshark

Router# monitor capture buffer holdpackets size 10240 max-size 9500

Now we need to name our particular packet capture. I have called mine "testcap"

Router# monitor capture point ip cef testcap all both
Router# monitor capture point associate testcap holdpackets

Now we can start our capture!

Router# monitor capture point start testcap

Once you think you have acquired enough packets, to stop the capture, type:

Router# monitor capture point stop testcap

Now you can export your data to your tftp server by typing in the following command. You can then open the .pcap file in Wireshark for viewing

Router# monitor capture buffer holdpackets export tftp://10.0.0.55/testcap.pcap

Once uploaded you can clear your capture buffer by typing the following:

Router# no monitor capture buffer holdpackets

Router# no monitor capture point ip cef testcap all both

To check if there are any current captures or parameters configured, you can use the following command:

Router# sh monitor capture point all

2 comments:

  1. Hi, On which Cisco Router Model is this feature available ?

    ReplyDelete
    Replies
    1. This config was written especially for a Cisco ISR

      Delete