Friday, December 18, 2015

Cisco - Packet Sniffing on a Router

This is a very cool and useful feature that not many people know about: it lets you capture packets on the router, much as you would on a PC with Wireshark, and then export them to a file that you can open and analyse in Wireshark.

This feature is called Cisco’s Embedded Packet Capture (EPC), and it has been around since IOS 12.4(20)T.

Here I’m going to show you how to:

  • Capture (Buffer)
  • Save capture to a file on the router’s flash
  • Export the file to a TFTP server on a PC

I tested this on GNS3; this is the topology I created:

[Topology diagram: PC1 and SERVER behind ROUTER, with the TFTP server on the real LAN]

You can download my lab at:

Note that the PC and Server in the topology are also routers, so that you can test it all out in GNS3.

The only external device is the TFTP server, for which I used a host on my local network.


PC1

enable
conf t

interface FastEthernet 0/0
ip address 192.168.2.1 255.255.255.0
no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.2.254
do write


SERVER

enable
conf t

interface FastEthernet 0/1
ip address 172.16.2.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.2.254

do write


TFTP SERVER

[Screenshot: TFTP server configuration on the host at 192.168.1.30]


ROUTER

enable
conf t

interface FastEthernet 0/0
description *** PC1 - LAN ***
ip address 192.168.2.254 255.255.255.0
no shutdown

interface FastEthernet 0/1
description *** SERVER - LAN ***
ip address 172.16.2.254 255.255.255.0
no shutdown

interface FastEthernet 1/0
description *** TFTP - YOUR REAL LAN ***
ip address 192.168.1.240 255.255.255.0
no shutdown

exit

!--- Capture Buffer ------------------------------------------------------
monitor capture buffer BUFFER_CAP size 1024 linear

!-- ID Traffic (ACL) to Capture -------------------------------------
conf t

ip access-list extended ACL_TRAFFIC_SEL  
permit ip host 192.168.2.1 host 172.16.2.1
permit ip host 172.16.2.1  host 192.168.2.1

exit

!-- Relate Buffer and ACL (ID Traffic) --------------------------
monitor capture buffer BUFFER_CAP filter access-list ACL_TRAFFIC_SEL

!-- Capture Point - Fe0 ------------------------------------------------
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! CEF needs to be On
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

conf t
  ip cef
exit

monitor capture point ip cef CAPTURE_POINT_FE0 FastEthernet 0/0 both

!-- Relate Buffer to Capture Point -------------------------------
monitor capture point associate CAPTURE_POINT_FE0 BUFFER_CAP

!-- Start / Stop Capture -----------------------------------------------
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Start Capture
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

monitor capture point start CAPTURE_POINT_FE0

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Stop Capture
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

monitor capture point stop CAPTURE_POINT_FE0

!-- TSHOOT ------------------------------------------------------------------
show monitor capture buffer all parameters        ! Config and Stats
show monitor capture buffer BUFFER_CAP dump       ! Captured Data
show monitor capture buffer BUFFER_CAP            ! Captured Data - Summary
show monitor capture point all

!-- Export Data to TFTP Server ------------------------------------
monitor capture point stop CAPTURE_POINT_FE0
monitor capture buffer BUFFER_CAP export tftp://192.168.1.30/capture.pcap

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! The capture.pcap opens on Wireshark
! if you have Wireshark installed just
! double click on the file to open it
! on wireshark
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! We are back in privileged EXEC mode here, so it is a plain "write" (the "do" prefix only works inside config mode).
! This saves "ip cef" and the ACL; the "monitor capture" settings are EXEC-mode commands and are not kept in the config.
write

Now on the TFTP SERVER you have a capture.pcap file:

[Screenshot: capture.pcap listed in the TFTP server’s root directory]

that you can open with a double click if you have Wireshark installed.
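Once the file has arrived, it is worth confirming that the buffer really held only the traffic ACL_TRAFFIC_SEL selects, since a filter attached to the wrong buffer or a capture point on the wrong interface silently widens what gets exported. The script below is an added example, not part of the original post: it emulates the two "permit ip host A host B" entries, reads a classic pcap file, and counts frames that fall inside and outside the ACL. The pcap bytes it runs on by default are constructed inline (three minimal Ethernet/IPv4/ICMP frames with made-up MAC addresses and zeroed checksums), so it works offline; pass the real capture.pcap as the first argument to check an actual export.

```python
"""Check that an exported EPC capture holds only the ACL-selected traffic.

Added example, not the post's own code. ACL_TRAFFIC_SEL mirrors the two
ACEs from the post; the sample pcap is constructed here, not a real export.
"""
import ipaddress
import struct
import sys

# permit ip host 192.168.2.1 host 172.16.2.1
# permit ip host 172.16.2.1  host 192.168.2.1
ACL_TRAFFIC_SEL = [
    ("192.168.2.1", "172.16.2.1"),
    ("172.16.2.1", "192.168.2.1"),
]

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def acl_permits(src, dst, acl=ACL_TRAFFIC_SEL):
    """Emulate the extended ACL: first matching host/host ACE permits,
    and the implicit deny at the end catches everything else."""
    return any(src == ace_src and dst == ace_dst for ace_src, ace_dst in acl)


def build_pcap(frames):
    """Produce a classic (non-pcapng) little-endian pcap image of the frames."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b""
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len; timestamps are constructed
        body += struct.pack("<IIII", 1450000000 + i, 0, len(frame), len(frame)) + frame
    return header + body


def read_pcap(data):
    """Yield raw link-layer frames from a classic pcap image (either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def ipv4_endpoints(frame):
    """Return (src, dst) for an IPv4-over-Ethernet frame, None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return (str(ipaddress.IPv4Address(frame[26:30])),
            str(ipaddress.IPv4Address(frame[30:34])))


def verify_capture(data, acl=ACL_TRAFFIC_SEL):
    """Count frames the ACL should have admitted versus frames it should not have."""
    permitted = unexpected = 0
    for frame in read_pcap(data):
        ends = ipv4_endpoints(frame)
        if ends is not None and acl_permits(ends[0], ends[1], acl):
            permitted += 1
        else:
            unexpected += 1
    return {"permitted": permitted, "unexpected": unexpected}


def make_frame(src, dst):
    """Constructed minimal Ethernet/IPv4/ICMP echo frame (MACs and checksums are dummies)."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    icmp = b"\x08\x00\x00\x00\x00\x00\x00\x00"  # echo request, checksum left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + icmp


# Constructed sample: two ACL-permitted frames plus one that the ACL should have dropped.
SAMPLE_PCAP = build_pcap([
    make_frame("192.168.2.1", "172.16.2.1"),
    make_frame("172.16.2.1", "192.168.2.1"),
    make_frame("192.168.2.1", "172.16.2.9"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(verify_capture(data))
```

Any non-zero "unexpected" count on a real export means the buffer saw traffic outside the filter, which usually points at the filter not being associated with the buffer or the capture point sitting on a different interface than intended.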

[Screenshot: capture.pcap opened in Wireshark]

And there you have it… start sniffing!

