Packet capture is a powerful troubleshooting tool that lets you inspect network traffic and diagnose issues. In this article I will show how you can perform packet capture on the IOS-XE router itself, without the need for any external device or equipment. The IOS-XE router can be running in either Autonomous mode or Controller mode (Cisco SD-WAN solution).
Packet Capture Overview
Packet capture involves capturing network packets as they traverse a specific interface on the router. You can then analyze these captured packets to understand network behaviour, troubleshoot problems, or monitor traffic.
Prerequisites
Before configuring capture, ensure the following prerequisites:
- System Resources: Ensure that the router has adequate CPU, memory, and disk space for packet capture operations. Although packet capturing is not resource intensive, make sure the router is not already running at a critical resource level.
- Traffic details: You should know the details of the traffic you want to capture, for example IP addresses, protocol, and egress/ingress interface, as there will generally be a lot of other traffic that does not interest you.
Topology
Configuring Packet Capture
Here are the steps to configure packet capture:
1. Create an ACL to match the desired traffic (Optional):
You have various options to match the desired traffic, such as source IP/destination IP, protocol, TCP/UDP port, etc. However, if you want multiple sources, destinations, or protocols defined, you will need an ACL to match the desired traffic.
Here are the various options available to you.
R2#monitor capture CAP ?
WORD Name of the Capture
access-list access-list to be attached
bidirectional capture bidirectional packets
buffer Buffer options
class-map class name to attached
clear Clear Buffer
control-plane Control Plane
export Export Buffer
interface Interface
limit Limit Packets Captured
match Describe filters inline
start Enable Capture
stop Disable Capture
stop_export Disable Capture and Export Buffer
R2#monitor capture CAP match ?
any all packets
ipv4 IPv4 packets only
ipv6 IPv6 packets only
mac MAC filter configuration
pktlen-range Packet length range to capture
R2#monitor capture CAP match ipv4 ?
A.B.C.D/nn IPv4 source Prefix /, e.g., 192.168.0.0/16
any Any source prefix
host A single source host
protocol Protocols
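As an added example (not part of the original article), here is the inline-match alternative to an ACL for the same two hosts, combined with capture limits so the capture stops on its own instead of running until it is stopped by hand. The capture name CAP2, the 20 MB buffer and the 60-second/1000-packet limits are my choices, not values from the article. The inline filter as written matches source 10.12.1.1 to destination 10.23.1.3; for both directions in one capture use the two-entry ACL shown in step 2.

```cisco
! Added example: inline filter instead of an ACL
! (CAP2 is a hypothetical capture name, not from the article)
monitor capture CAP2 interface GigabitEthernet0/0/1 both
! Source host first, then destination host (no ACL needed for a single pair)
monitor capture CAP2 match ipv4 host 10.12.1.1 host 10.23.1.3
! Stop automatically after 60 seconds or 1000 packets, whichever comes first
! (limit values chosen for this example)
monitor capture CAP2 limit duration 60 packets 1000
monitor capture CAP2 buffer size 20
monitor capture CAP2 start
! Verify that the filter and limits were accepted before generating traffic
show monitor capture CAP2
```

The limits are worth setting on a production router even when you expect to stop the capture manually: if you get pulled away, the capture ends by itself rather than consuming buffer until someone remembers it. The Limit Details section of show monitor capture should reflect the values you configured instead of "no limit".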
2. Here is an example of an ACL to match bidirectional SSH traffic between host 10.12.1.1 and host 10.23.1.3:
R2(config)#ip access-list extended Test1-CAP
R2(config-ext-nacl)#10 permit tcp host 10.12.1.1 host 10.23.1.3 eq 22
R2(config-ext-nacl)#20 permit tcp host 10.23.1.3 eq 22 host 10.12.1.1
R2(config-ext-nacl)#do sh ip access-list Test1-CAP
Extended IP access list Test1-CAP
10 permit tcp host 10.12.1.1 host 10.23.1.3 eq 22
20 permit tcp host 10.23.1.3 eq 22 host 10.12.1.1
R2(config-ext-nacl)#end
R2#
3. Attach the ACL and the capture interface to the capture:
R2#monitor cap CAP access-list Test1-CAP interface GigabitEthernet0/0/1 both
4. Define the capture buffer size. The default is 10 MB and 100 MB is the maximum.
R2#monitor cap CAP buffer size 50
5. If you are troubleshooting an intermittent issue, you can define the circular option (Optional).
Choosing this option allows the router to overwrite the oldest packets in the buffer once the buffer is full, so the capture will not stop automatically. You can use this option along with an EEM script to stop the capture once you hit the issue.
R2#monitor capture CAP buffer circular
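As an added example (not part of the original article), here is an EEM applet that stops and exports the circular capture CAP the moment a syslog message signalling the issue appears, so the buffer holds the traffic leading up to the event. The applet name, the export file name and the syslog pattern (a BGP neighbour going down) are placeholders I chose for this example; replace the pattern with the message your router logs when the issue occurs.

```cisco
! Added example: stop and export capture CAP when the issue is logged
! (applet name, pattern and file name are placeholders, not from the article)
event manager applet STOP-CAP-ON-ISSUE
 ! Regular expression matched against every syslog message
 event syslog pattern "BGP-5-ADJCHANGE.*Down"
 action 1.0 cli command "enable"
 ! Same commands as typed at the prompt: stop first, then export the buffer
 action 2.0 cli command "monitor capture CAP stop"
 action 3.0 cli command "monitor capture CAP export bootflash:/cap-on-issue.pcap"
 action 4.0 syslog msg "Capture CAP stopped and exported to bootflash:/cap-on-issue.pcap"
```

With a circular buffer, the exported file contains the most recent packets up to the configured buffer size at the time the applet fired. After the event, confirm with show monitor capture CAP that the status is no longer Active and with dir bootflash: that the pcap file exists and has a non-zero size before clearing the buffer or removing the capture.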
6. Start the capture.
R2#monitor capture CAP start
7. Check capture status and parameters.
R2#show monitor cap CAP
Status Information for Capture CAP
Target Type:
Interface: GigabitEthernet0/0/1, Direction: BOTH
Status : Active
Filter Details:
Access-list: Test1-CAP
Buffer Details:
Buffer Type: LINEAR (default)
Buffer Size (in MB): 50
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
R2#show monitor cap CAP buffer
buffer size (KB) : 51200
buffer used (KB) : 0
packets in buf : 0
packets dropped : 0
packets per sec : 0
8. Run the test, i.e. initiate the traffic.
9. Check the capture buffer to see if the traffic is captured.
R2#show monitor cap CAP buffer
buffer size (KB) : 51200
buffer used (KB) : 128
packets in buf : 147
packets dropped : 0
packets per sec : 4
R2#show monitor cap CAP buffer brief
----------------------------------------------------------------------------
# size timestamp source destination dscp protocol
----------------------------------------------------------------------------
0 58 0.000000 10.12.1.1 -> 10.23.1.3 48 CS6 TCP
1 58 0.003005 10.23.1.3 -> 10.12.1.1 48 CS6 TCP
2 54 0.004012 10.12.1.1 -> 10.23.1.3 48 CS6 TCP
3 74 0.008010 10.23.1.3 -> 10.12.1.1 48 CS6 TCP
4 74 0.009002 10.12.1.1 -> 10.23.1.3 48 CS6 TCP
5 118 0.009002 10.12.1.1 -> 10.23.1.3 48 CS6 TCP
6 118 0.009002 10.12.1.1 -> 10.23.1.3 48 CS6 TCP
7 118 0.009002 10.12.1.1 -> 10.23.1.3 48 CS6 TCP
10. Now you can export the file to the desired location. I am exporting to bootflash.
R2#monitor cap CAP export bootflash:/test-ssh.pcap
Exported Successfully
R2#dir bootflash: | i test-ssh
274182 -rw- 17558 Feb 13 2024 11:30:50 +00:00 test-ssh.pcap
11. Download this pcap file from the router and open it in any packet capture analysis tool, such as Wireshark.
Happy troubleshooting! 🛠️
This is a real-world example and useful in our day-to-day job. Good one and keep it up.
Thank you Pradeep !
It's a really good explanation and easy to understand, thanks.
Thank you Jitendra !
It's very helpful for me. You are a good, knowledgeable person.
Thank you Soni !
Thanks Rakesh, this is awesome.
Thank you David for reviewing.