This is a very cool and useful feature that not many people know about: it lets you capture packets on the router the way you would on a PC with Wireshark, then export them to a file that you can open and analyse in Wireshark.
The feature is called Cisco's Embedded Packet Capture (EPC), and it has been around since IOS 12.4(20)T.
Here I'm going to show you how to:
- Capture (Buffer)
- Save capture to a file on the router’s flash
- Export the file to a TFTP server on a PC
I tested this on GNS3; this is the topology I created:
you can download my lab at:
Note that the PC and Server in the topology are also routers, so that you can test it all out in GNS3.
The only external device is the TFTP server, for which I used a host on my local network.
PC1
enable
conf t
interface FastEthernet 0/0
ip address 192.168.2.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.2.254
do write
SERVER
enable
conf t
interface FastEthernet 0/1
ip address 172.16.2.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.2.254
do write
TFTP SERVER
ROUTER
enable
conf t
interface FastEthernet 0/0
description *** PC1 - LAN ***
ip address 192.168.2.254 255.255.255.0
no shutdown
interface FastEthernet 0/1
description *** SERVER - LAN ***
ip address 172.16.2.254 255.255.255.0
no shutdown
interface FastEthernet 1/0
description *** TFTP - YOUR REAL LAN ***
ip address 192.168.1.240 255.255.255.0
no shutdown
exit
!--- Capture Buffer ------------------------------------------------------
! size is in KB; 'linear' stops capturing when the buffer is full ('circular' overwrites the oldest packets)
! Caveat: by default each buffered packet is cut to 68 bytes (the 'max-size' option raises it, up to 9500),
! so unless you raise it the exported pcap holds little more than headers and Wireshark reports
! "Packet size limited during capture"
monitor capture buffer BUFFER_CAP size 1024 linear
!-- ID Traffic (ACL) to Capture -------------------------------------
conf t
ip access-list extended ACL_TRAFFIC_SEL
permit ip host 192.168.2.1 host 172.16.2.1
permit ip host 172.16.2.1 host 192.168.2.1
exit
!-- Relate Buffer and ACL (ID Traffic) --------------------------
monitor capture buffer BUFFER_CAP filter access-list ACL_TRAFFIC_SEL
!-- Capture Point - Fa0/0 ------------------------------------------------
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! CEF needs to be on: an 'ip cef' capture point only sees CEF-switched packets
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
conf t
ip cef
exit
monitor capture point ip cef CAPTURE_POINT_FE0 FastEthernet 0/0 both
!-- Relate Buffer to Capture Point -------------------------------
monitor capture point associate CAPTURE_POINT_FE0 BUFFER_CAP
!-- Start / Stop Capture -----------------------------------------------
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Start Capture
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
monitor capture point start CAPTURE_POINT_FE0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Stop Capture
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
monitor capture point stop CAPTURE_POINT_FE0
!--TSHOOT ------------------------------------------------------------------
show monitor capture buffer all parameters ! Config and Stats
show monitor capture buffer BUFFER_CAP dump ! Captured Data
show monitor capture buffer BUFFER_CAP ! Captured Data - Summary
show monitor capture point all
!-- Export Data to TFTP Server -------------------------------------
! Stop the capture first so the exported file holds everything the buffer captured
monitor capture point stop CAPTURE_POINT_FE0
! Caveat: TFTP is unauthenticated and cleartext, and the pcap carries the captured payloads;
! export only over a management network you trust and delete the file when you are done
monitor capture buffer BUFFER_CAP export tftp://192.168.1.30/capture.pcap
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! capture.pcap opens in Wireshark:
! if you have Wireshark installed, just
! double-click the file
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! we are in exec mode here, so no 'do' prefix; this saves the interface, ACL and CEF
! configuration only - the buffer and capture point are exec-mode objects and are not stored in the config
write memory
Now on the TFTP SERVER you have a capture.pcap file
that you can open with a double-click if you have Wireshark installed.
And there you have it… start sniffing…
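Before trusting an exported capture it is worth checking two things that the router will not tell you: that the ACL filter really kept only the PC1/SERVER conversation in the buffer, and that the packets were not cut short by the EPC buffer's default 68-byte element size. The following script is an added example written for this page, not code from the post or from Cisco: it builds a small constructed pcap in memory (made-up MAC addresses, zero IP checksums, three frames of which one deliberately falls outside the ACL) the way an EPC export would look with the default element size and with a raised one, parses the classic pcap format itself, and reports packet count, truncation and any endpoint pair the ACL should have excluded. Point check_capture() at the real capture.pcap from your TFTP server to run the same checks on it.

```python
import struct

# Constructed for this example: the host pair permitted by ACL_TRAFFIC_SEL on the page.
ACL_PAIRS = {
    ("192.168.2.1", "172.16.2.1"),
    ("172.16.2.1", "192.168.2.1"),
}
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_frame(src, dst, payload):
    """Constructed Ethernet/IPv4 frame (made-up MACs, IP checksum left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    return eth + ip_hdr + payload


def write_pcap(frames, element_size=68):
    """Constructed little-endian classic pcap; each record is cut to element_size
    bytes, which is what an EPC buffer with the default 68-byte max-size does."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, element_size, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        captured = frame[:element_size]
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame)) + captured)
    return b"".join(out)


def parse_pcap(data):
    """Return (snaplen, [(caplen, origlen, frame_bytes), ...]) from a classic pcap."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file: magic %s" % data[:4].hex())
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet (linktype 1), got %d" % linktype)
    records, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + caplen]
        if len(frame) != caplen:
            raise ValueError("record at offset %d runs past the end of the file" % off)
        off += caplen
        records.append((caplen, origlen, frame))
    return snaplen, records


def ipv4_endpoints(frame):
    """(src, dst) of an Ethernet/IPv4 frame, or None if it is something else or too short."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst


def check_capture(data, allowed_pairs):
    """Count records, count records shorter than the original packet (EPC truncation),
    and list endpoint pairs that the ACL filter should not have let into the buffer."""
    snaplen, records = parse_pcap(data)
    truncated = sum(1 for caplen, origlen, _ in records if caplen < origlen)
    unmatched = []
    for _caplen, _origlen, frame in records:
        endpoints = ipv4_endpoints(frame)
        if endpoints not in allowed_pairs:
            unmatched.append(endpoints)
    return {"packets": len(records), "snaplen": snaplen,
            "truncated": truncated, "unmatched": unmatched}


def demo():
    """The same three constructed frames exported with the default 68-byte element
    size and with a raised one; the third frame is outside the ACL on purpose."""
    payload = bytes(64)   # e.g. an ICMP echo: 8-byte header + 56 bytes of data
    frames = [
        build_ipv4_frame("192.168.2.1", "172.16.2.1", payload),
        build_ipv4_frame("172.16.2.1", "192.168.2.1", payload),
        build_ipv4_frame("192.168.2.1", "8.8.8.8", payload),   # must never reach the buffer
    ]
    default_size = check_capture(write_pcap(frames, 68), ACL_PAIRS)
    raised_size = check_capture(write_pcap(frames, 1024), ACL_PAIRS)
    return default_size, raised_size


if __name__ == "__main__":
    for label, result in zip(("max-size 68 (default)", "max-size 1024"), demo()):
        print(label, result)
```

With the default element size every 98-byte frame comes back as a 68-byte record, which is exactly the "packet size limited during capture" you would see in Wireshark; with the element size raised nothing is truncated, and in both cases the stray 192.168.2.1 to 8.8.8.8 frame is flagged, which on a real export would mean the buffer was not actually filtered by ACL_TRAFFIC_SEL.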