Embedded Packet Capture on a Virtual Tunnel Interface

Unanswered Question

I've noticed something idiosyncratic with respect to the behavior of the IOS Embedded Packet Capture (EPC) feature in IOS 12.4(22T).


I have a DMVPN virtual tunnel interface (IPSEC encrypted). When I apply an outbound-only EPC capture point for cef-switched packets to the tunnel interface and view the capture, I see only what I would expect to (and do) see on the tunnel's parent interface: ESP packets with the source and destination addresses of the DMVPN headends - the packets which comprise the tunnel, i.e. the outside of the tunnel. Inbound I see the traffic within the tunnel, as expected.



If the capture point is set to collect outbound-only process-switched packets instead of cef, I seem to see BOTH the process-switched packets within the tunnel and the encapsulating ESP packets.



Is this behavior documented anywhere?

Is there any way to capture the outbound tunnel contents for cef-switched packets?

Giuseppe Larosa Thu, 09/10/2009 - 03:57
Hello Ben,

Cisco declares that it is able to capture CEF-switched packets:


http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1062149


However, you have evidence that for DMVPN packets this doesn't happen.


I don't know if adding a capture point can help.

You may open a Cisco SR for this with TAC.


Clearly the feature is new and the code may need to be tuned to cover a scenario like yours.


Hope to help

Giuseppe


Regardless of whether the traffic is CEF or process-switched, when capturing on a tunnel interface, I would never expect to see the packets that make up the tunnel. I would only expect to see the contents of the tunnel.

I should emphasize that this problem only occurs outbound; inbound packet capture works as expected, and I see the contents of the tunnel (and, quite properly, nothing else) when I capture either CEF or process-switched traffic.
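An added example, not part of the original thread: one way to check which of the behaviors described above a given capture shows is to count ESP (IP protocol 50) against non-ESP IPv4 packets in the capture file. It assumes the buffer has been saved as a classic pcap file with an Ethernet or raw-IP link type; `classify_pcap` and the helper names are hypothetical, and the sample packets are constructed.

```python
import struct

ESP = 50  # IP protocol number of IPsec ESP (the outside of the tunnel)

def classify_pcap(data):
    """Count ESP vs. non-ESP IPv4 packets in a classic pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    # Assumption: only Ethernet (1) and raw IP (101) link types are handled.
    l2_len = {1: 14, 101: 0}.get(linktype)
    if l2_len is None:
        raise ValueError("unsupported link type %d" % linktype)
    counts = {"esp": 0, "non_esp": 0, "other": 0}
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ip = frame[l2_len:]
        if linktype == 1 and frame[12:14] != b"\x08\x00":
            counts["other"] += 1          # not IPv4 over Ethernet
        elif len(ip) < 20 or ip[0] >> 4 != 4:
            counts["other"] += 1          # truncated or not IPv4
        elif ip[9] == ESP:
            counts["esp"] += 1            # encapsulating tunnel packet
        else:
            counts["non_esp"] += 1        # cleartext tunnel contents
    return counts

def _ipv4(proto, src, dst, payload=b"\x00" * 8):
    # Constructed 20-byte IPv4 header (checksum left at 0) plus dummy payload.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

def _pcap(packets, linktype=101):
    # Constructed little-endian classic pcap: global header, then records.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out

# Constructed sample: two ESP packets between tunnel endpoints, one inner ICMP.
SAMPLE = _pcap([
    _ipv4(50, (192, 0, 2, 1), (198, 51, 100, 1)),
    _ipv4(1, (10, 0, 0, 1), (10, 0, 1, 1)),
    _ipv4(50, (192, 0, 2, 1), (198, 51, 100, 1)),
])
```

A capture of the tunnel contents alone would give `esp` equal to 0; a count that is all `esp` matches the outbound CEF behavior described in the question.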
