How to Capture Packets on Cisco Devices

Jun 7, 2012 11:10 AM

We all know that sometimes we need to see the packets. Often, however, getting a packet capture in the right place, or spanning the right VLANs, can take time. To make capturing packets easier, many Cisco products allow packet captures to be taken directly on the device. This is a handy reference to the "how to" documents for Cisco products that support packet capture.

On Cisco IOS, there is Enhanced Packet Capture (EPC):

http://www.cisco.com/go/epc

https://supportforums.cisco.com/docs/DOC-5799

On Cisco IOS-XE (ASR), EPC was introduced in 3.7.0:

http://www.cisco.com/en/US/docs/ios-xml/ios/epc/configuration/xe-3s/epc-xe-3s-book.pdf

For the 7600 platform, there is a similar concept called Mini Protocol, which extends EPC into the hardware forwarding path:

http://www.cisco.com/en/US/partner/docs/routers/7600/ios/15S/configuration/guide/mpa.html

For the ASA, FWSM and PIX products, you can capture ingress and egress packets via the CLI and ASDM:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Additionally, you can capture packets which were dropped by the Accelerated Security Path (ASP) within the ASA and PIX by using a capture type of "asp-drop".

The Nexus platform has built-in Wireshark capability:

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.html

On the Wireless LAN Controller (WLC), you can trace packets to/from the CPU with the debug packet logging facility:

http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5err.html#wp1018313

On the Cisco Unified Communications Manager (CUCM), Unity Connection (UC), Cisco Unified Presence Server (CUP), and Unified Contact Center Express (UCCX), packets can be captured on the Command Line Interface (CLI):

https://supportforums.cisco.com/docs/DOC-11599

It is possible to capture packets on a PC connected to the back of a Cisco IP Phone:

https://supportforums.cisco.com/docs/DOC-11735

The ACS 5.x can show you the text output of a standard tcpdump:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/command/reference/cli_app_a.html#wp1890347

When using SSH/telnet, it's best to redirect that output to a file so you don't see your own management traffic, for example "tech dumptcp 0 > my-cap.txt".


Comments

r.cheung Fri, 06/22/2012 - 04:49

Thanks for consolidating this into one page, Julie!

Quick note, the ASR9k dbg tool link appears dead...is there an alternate?

slav Fri, 01/03/2014 - 12:57

Hi Julie, this is a great summary of capturing capabilities across most platforms ... except for the one I need

What about capturing packets on a CRS router with IOS-XR? Disappointingly IOS-XR doesn't seem to support EPC. There is a packet capture interface configuration command, but after entering it we can't commit - probably isn't supported in our s/w version (4.1.2). Would you know any other way of capturing on a CRS?

Thanks!

pgasparovic Wed, 03/05/2014 - 06:44

After having this bookmarked 3/4-year ago, utilizing it today for 1st time by sniffing 3G WAN interface on ISR G2 router - was a beauty. Great tool!
