Packet capture using EPC (Embedded Packet Capture)

 

Introduction:

This document describes the procedure to perform EPC (Embedded Packet Capture), which is described in the following pages:

 

Core Issue:

 

This EPC function has been implemented in 12.4(20)T and later. Currently, capturing is possible up to 102400 Kbytes. It is useful when it is difficult to install a capturing device at a remote site, or to insert a switch for capturing.

Resolution:

 

Using EPC, you can capture packets into a buffer of up to 102400 Kbytes, export the buffer via TFTP/FTP, and open the file with capture analysis software such as Wireshark.

 

Steps to capture by EPC

 

c2821# monitor capture buffer pacbuf size 512

 

 
The above command sets the buffer name to pacbuf and assigns 512 Kbytes as the size of the capture buffer. (The default is 1024 Kbytes.)
 
 
c2821# monitor capture point ip process-switched ipsw in
 
 
Specifying process-switched in the above command captures only the packets that are process-switched. By specifying cef instead of process-switched, you can capture the packets that are CEF-switched. "ipsw" is the capture point name.
 
 
c2821#
*Sep 23 12:37:05.899 JST: %BUFCAP-6-CREATE: Capture Point ipsw created.

c2821# monitor capture point associate ipsw pacbuf
 
 
The above command associates the capture point name with the buffer name.
 
 
c2821# monitor capture point start all
 
 
The above command starts the capture.
 
 
c2821#
*Sep 23 12:40:00.455 JST: %BUFCAP-6-ENABLE: Capture Point ipsw enabled.

c2821# show monitor capture buffer all parameters
Capture buffer pacbuf (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 68 bytes, Packets : 3173
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : ipsw, Status : Active
Configuration:
monitor capture buffer pacbuf size 512
monitor capture point associate ipsw pacbuf
 
 
In the above example, 3173 packets have been captured and the status is Active, since the buffer has not yet filled to 512 Kbytes.
 
 
c2821#
*Sep 23 12:41:14.575 JST: %BUFCAP-6-DISABLE: Capture Point ipsw disabled.
*Sep 23 12:41:14.575 JST: %BUFCAP-5-BUFFER_FULL: Linear Buffer associated with capture buffer pacbuf is full.
 
 
Once the buffer reaches 512 Kbytes, the capture stops with the above messages.
 
 
c2821# show monitor capture buffer all parameters
Capture buffer pacbuf (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 68 bytes, Packets : 3855
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : ipsw, Status : Inactive
Configuration:
monitor capture buffer pacbuf size 512
monitor capture point associate ipsw pacbuf
 
 
The above shows that 3855 packets have been captured; since the buffer has reached its maximum of 512 Kbytes, the status has become Inactive and the capture has stopped.
If you want to stop the capture manually, use the following command:
 
 
c2821# monitor capture point stop all
 
 
Checking and Exporting Capture Data
 
 
c2821# show monitor capture buffer pacbuf
12:40:00.463 JST Sep 23 2010 : IPv4 Process    : Di1 None
12:40:00.479 JST Sep 23 2010 : IPv4 Process    : Di1 None
12:40:00.499 JST Sep 23 2010 : IPv4 Process    : Di1 None
(snip)
 
The above indicates that the process-switched packets received on Dialer1 have been captured.
Adding the dump option, as shown below, displays the packet contents in hex.
 
c2821# show monitor capture buffer pacbuf dump
12:40:00.463 JST Sep 23 2010 : IPv4 Process    : Di1 None

4465BE90: FF030021 45000064 8C850000 FF015753  ...!E..d......WS
4465BEA0: C0A80102 0B0B0B0B 08009F4A 0005320B  @(.........J..2.
4465BEB0: 00000000 651347DC ABCDABCD ABCDABCD  ....e.G\+M+M+M+M
4465BEC0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
4465BED0: ABCDABCD 00                          +M+M.

12:40:00.479 JST Sep 23 2010 : IPv4 Process    : Di1 None

4465BE90: FF030021 45000064 8C860000 FF015752  ...!E..d......WR
4465BEA0: C0A80102 0B0B0B0B 08009F35 0005320C  @(.........5..2.
4465BEB0: 00000000 651347F0 ABCDABCD ABCDABCD  ....e.Gp+M+M+M+M
4465BEC0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
4465BED0: ABCDABCD 00                          +M+M.
(snip)
 
 
By default, every packet is truncated at the designated maximum element size of 68 bytes, which means that only a little more than the headers is captured. This is enough to identify source, destination, and so on. If you need to see the packet payload, use the following command to change the element size from 68 bytes to 1024 bytes (it can be configured up to 9500 bytes).
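Reading source and destination off the hex dump by hand is tedious, so the following Python script is added here as an example (it is not part of the original document and not an IOS feature). It parses the "show monitor capture buffer pacbuf dump" output format shown above, using the first record quoted above as embedded sample input, decodes the PPP and IPv4 headers, and reports whether the element was cut short by comparing the captured byte count with the length the IP header claims. The helper names parse_dump and decode_ipv4 are my own, and the dump layout is assumed to be exactly as quoted above.

```python
import re
import struct
from ipaddress import IPv4Address

# Sample input: the first record of the "show monitor capture buffer pacbuf dump"
# output quoted on this page (a PPP-encapsulated ICMP echo received on Di1).
SAMPLE_DUMP = r"""
12:40:00.463 JST Sep 23 2010 : IPv4 Process    : Di1 None

4465BE90: FF030021 45000064 8C850000 FF015753  ...!E..d......WS
4465BEA0: C0A80102 0B0B0B0B 08009F4A 0005320B  @(.........J..2.
4465BEB0: 00000000 651347DC ABCDABCD ABCDABCD  ....e.G\+M+M+M+M
4465BEC0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
4465BED0: ABCDABCD 00                          +M+M.
"""

# "<time> <tz date> : <switching path> : <interface> ..." starts a record
HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (.*?) : (.*?) : (\S+)")
# "<address>: <hex words>  <ascii column>" carries the captured bytes
HEXLINE_RE = re.compile(r"^[0-9A-Fa-f]{8}: (.*)$")

def parse_dump(text):
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"time": m.group(1), "intf": m.group(4), "data": bytearray()}
            records.append(current)
            continue
        m = HEXLINE_RE.match(line)
        if m and current is not None:
            # hex words are single-space separated; the ASCII column follows 2+ spaces
            hexpart = m.group(1).split("  ", 1)[0]
            current["data"] += bytes.fromhex(hexpart.replace(" ", ""))
    return records

def decode_ipv4(rec):
    """Decode the PPP and IPv4 headers of one record and flag EPC truncation."""
    data = bytes(rec["data"])
    if len(data) < 24 or data[:4] != b"\xff\x03\x00\x21":  # PPP addr/ctrl, proto IPv4
        raise ValueError("not a PPP-encapsulated IPv4 packet")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[4:24])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    on_wire = 4 + total_len  # PPP header plus the length the IP header claims
    return {"time": rec["time"], "intf": rec["intf"], "src": str(IPv4Address(src)),
            "dst": str(IPv4Address(dst)), "ttl": ttl, "proto": proto, "captured": len(data),
            "on_wire": on_wire, "truncated": len(data) < on_wire}
```

Run it over the full dump output saved from the router, and any record with "truncated" set tells you the max-size value was too small for that packet.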
 
 
c2821# monitor capture buffer pacbuf max-size 1024
c2821# show monitor capture buffer all parameters
Capture buffer pacbuf (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 1024 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : ipsw, Status : Inactive
Configuration:
monitor capture buffer pacbuf size 512 max-size 1024
monitor capture point associate ipsw pacbuf
 
 
You can export the buffer data to an FTP server by using the following command:
 
 
c2821# monitor capture buffer pacbuf export ftp://<ftp server address>/<filename>
 
 
The file exported to the FTP server can be opened with Wireshark.
 
If you want to clear the capture buffer, use the following command:
 
 
c2821# monitor capture buffer pacbuf clear

 

If you do not need several buffer names or capture points for different purposes, it is easier to create aliases for the commands.

For example, here are some useful aliases.

 

(config)# alias exec cstart monitor capture point start all
(config)# alias exec cclear monitor capture buffer pacbuf clear
(config)# alias exec ccheck show monitor capture buffer all parameters
(config)# alias exec ccopy monitor capture buffer pacbuf export ftp://192.168.1.1//files/pacbuf_c2821.pcap
(config)# alias exec cstop monitor capture point stop all

 

Related Information

Original Document: Cisco Support Community Japan DOC-13124

Author: Takashi Higashimura

Posted on September 22, 2010

https://supportforums.cisco.com/docs/DOC-13124
