Traffic Capture on IOS router

Ever run into a scenario where you need to capture traffic on a production network but cannot configure SPAN or insert a capture device inline without briefly taking the network down? The answer is to capture on the IOS router directly.

First, create a monitor buffer on the router:

Router# monitor capture buffer MYCAPBUFFER circular

Then create a capture point on the router:

Router# monitor capture point ip cef MYCAP serial 1/0 both

Then, associate the buffer with the capture point:

Router# monitor capture point associate MYCAP MYCAPBUFFER

Now, turn on the capture point:

Router# monitor capture point start MYCAP

The following message should show up on the router console:

*May 2 16:25:46.727: %BUFCAP-6-ENABLE: Capture Point MYCAP enabled.

Then generate some traffic on the network, or simply use ping.

Once you think enough traffic has been generated and captured, stop the capture:

Router# monitor capture point stop MYCAP

You can view the status of the capture; it should show “inactive”:

Router# show monitor capture buffer all parameters

You can also view the traffic dump on the router, but it does not make much sense to me…

Router# show monitor capture buffer MYCAPBUFFER dump

Router# show monitor capture buffer MYCAPBUFFER

I prefer to export the dump/capture into a proper capture file for further analysis:

Router# monitor capture buffer MYCAPBUFFER export ?
  bootflash:  Location to dump buffer
  disk0:      Location to dump buffer
  disk1:      Location to dump buffer
  flash:      Location to dump buffer
  ftp:        Location to dump buffer
  http:       Location to dump buffer
  https:      Location to dump buffer
  pram:       Location to dump buffer
  rcp:        Location to dump buffer
  scp:        Location to dump buffer
  slot0:      Location to dump buffer
  slot1:      Location to dump buffer
  tftp:       Location to dump buffer
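The file written by the export (for example `monitor capture buffer MYCAPBUFFER export tftp://<tftp-server>/MYCAP.pcap`, with the server address a placeholder) is a classic libpcap file, so Wireshark opens it directly. The script below is an added example, not code from the original post or from Cisco: a small pure-Python pcap reader that checks the exported file is well formed, strips the layer-2 header (Ethernet, or Cisco HDLC as a serial interface such as serial 1/0 would carry) and summarises which IPv4 conversations the buffer actually caught, which is a quick way to confirm the capture point saw the ping traffic before handing the file to a full analyser. It assumes either pcap byte order, rejects truncated records instead of silently reading garbage, and uses two captures constructed inline (not real router output) so it runs without a router.

```python
"""Parse and summarise a pcap file like the one written by
`monitor capture buffer MYCAPBUFFER export <url>` on an IOS router.

Added example, not the original post's or Cisco's code. Assumes a classic
libpcap file (magic 0xa1b2c3d4, either byte order) with link type Ethernet
(DLT 1) or Cisco HDLC (DLT 104). Sample data below is constructed, not captured.
"""
import struct
import sys
from collections import Counter
from typing import Dict, List, Optional

DLT_EN10MB = 1        # Ethernet
DLT_C_HDLC = 104      # Cisco HDLC (typical framing on a serial interface)
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1


def _ipv4_summary(data: bytes) -> Dict:
    """Return src/dst/proto (and ICMP type) from an IPv4 packet."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    out = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "proto": proto}
    if proto == PROTO_ICMP and len(data) > ihl:
        out["icmp_type"] = data[ihl]
    return out


def _ip_payload(linktype: int, frame: bytes) -> Optional[bytes]:
    """Strip the layer-2 header; return None for frames that are not IPv4."""
    if linktype == DLT_EN10MB and len(frame) >= 14:
        if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4:
            return frame[14:]
    elif linktype == DLT_C_HDLC and len(frame) >= 4:
        # Cisco HDLC: address (0x0F unicast / 0x8F broadcast), control 0x00, 2-byte protocol
        if struct.unpack("!H", frame[2:4])[0] == ETHERTYPE_IPV4:
            return frame[4:]
    return None


def parse_pcap(blob: bytes) -> Dict:
    """Parse the global header and every record; raise ValueError on a malformed file."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap global header")
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file, magic %s" % blob[:4].hex())
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    packets: List[Dict] = []
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if off + incl_len > len(blob):
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        frame = blob[off:off + incl_len]
        off += incl_len
        entry: Dict = {"ts": ts_sec + ts_usec / 1e6, "len": orig_len, "truncated": incl_len < orig_len}
        ip = _ip_payload(linktype, frame)
        if ip is not None:
            try:
                entry.update(_ipv4_summary(ip))
            except ValueError as exc:
                entry["error"] = str(exc)
        packets.append(entry)
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets}


def conversations(parsed: Dict) -> Counter:
    """Count packets per (src, dst) pair to see what the buffer actually caught."""
    return Counter((p["src"], p["dst"]) for p in parsed["packets"] if "src" in p)


# --- constructed sample data (not a real capture) -----------------------------
def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def _record(endian: str, frame: bytes, ts_sec: int, ts_usec: int = 0) -> bytes:
    return struct.pack(endian + "IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


ICMP_ECHO = b"\x08\x00\x00\x00\x00\x01\x00\x01"   # type 8 echo request (checksum left zero)
ICMP_REPLY = b"\x00\x00\x00\x00\x00\x01\x00\x01"  # type 0 echo reply
HDLC_IP = b"\x0f\x00\x08\x00"                     # unicast, control, protocol IPv4
HDLC_SLARP = b"\x8f\x00\x80\x35"                  # broadcast, protocol SLARP (keepalive, not IP)

# Little-endian pcap, Cisco HDLC: a ping request/reply plus one non-IP keepalive.
SAMPLE_HDLC_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_C_HDLC)
    + _record("<", HDLC_IP + _ipv4("10.0.0.1", "10.0.0.2", PROTO_ICMP, ICMP_ECHO), 1000)
    + _record("<", HDLC_IP + _ipv4("10.0.0.2", "10.0.0.1", PROTO_ICMP, ICMP_REPLY), 1000, 500)
    + _record("<", HDLC_SLARP + b"\x00" * 14, 1001)
)

# Big-endian pcap, Ethernet: one UDP datagram.
SAMPLE_ETH_PCAP = (
    struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    + _record(">", b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
              + _ipv4("192.0.2.10", "192.0.2.1", 17, b"\x00\x35\x00\x35\x00\x08\x00\x00"), 2000)
)


if __name__ == "__main__":
    # Usage: python pcap_summary.py MYCAP.pcap  (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HDLC_PCAP
    result = parse_pcap(blob)
    print("linktype=%d snaplen=%d packets=%d" % (result["linktype"], result["snaplen"], len(result["packets"])))
    for (src, dst), n in conversations(result).most_common():
        print("%s -> %s : %d" % (src, dst, n))
```

Run it against the exported file after copying it off the TFTP server; a non-IP frame (such as the HDLC keepalive in the sample) is kept in the packet list with its timestamp and length but no addresses, and a file cut short mid-record raises ValueError rather than yielding a partial summary.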
