Guest

Cisco IOS 15.0M

Simultaneous Embedded Packet Capture from Two Interfaces Configuration Example

Simultaneous Embedded Packet Capture from Two Interfaces Configuration Example

Document ID: 115805

Updated: Aug 01, 2013

Contributed by Ajeet Singh and John Casale, Cisco TAC Engineers.

   Print

Introduction

This document describes an example Embedded Packet Capture (EPC) configuration that captures frames up to 1550 bytes in a circular capture buffer of 10 megabytes from GigabitEthernet 0/0 and GigabitEthernet 0/1 interfaces.

EPC is an onboard packet capture facility that allows network administrators to capture packets that flow to, through, or from the device and to analyze them locally or save and export them (to a tool such as Wireshark) for offline analysis.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on the Cisco IOS® Software Release 15.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

This configuration captures frames up to 1550 bytes in a circular capture buffer of 10MB from GigabitEthernet 0/0 and GigabitEthernet 0/1 interfaces:

!-- Define a capture buffer.


monitor capture buffer pcap-buffer1 size 10000 max-size 1550


!-- Define a capture point.


monitor capture point ip cef pcap-point1 g0/0 both
monitor capture point ip process-switched pcap-point2 both


!-- Associates the capture point with the capture buffer
!-- so that packets captured from the specified capture
!-- point can be dumped to the associated capture buffer.



monitor capture point associate pcap-point1 pcap-buffer1
monitor capture point associate pcap-point2 pcap-buffer1


!-- Repeat the same steps for second interface.


monitor capture buffer pcap-bufferA size 10000 max-size 1550
monitor capture point ip cef pcap-pointA g0/1 both
monitor capture point ip process-switched pcap-pointB both
monitor capture point associate pcap-pointA pcap-bufferA
monitor capture point associate pcap-pointB pcap-bufferA


!-- Optionally you can specify an access-list in order to capture
!-- only interesting traffic as defined by access-lists 110 and 120.


monitor capture buffer pcap-buffer1 filter access-list 110
monitor capture buffer pcap-bufferA filter access-list 120


!-- Enable the capture point in order to start packet data capture.


monitor capture point start pcap-point1
monitor capture point start pcap-point2
monitor capture point start pcap-pointA
monitor capture point start pcap-pointB


!-- Verify the configuration.


show monitor capture point all
show monitor capture buffer all


!-- Disable the capture point, and stop the packet data capture process.


monitor capture point stop pcap-point1
monitor capture point stop pcap-point2
monitor capture point stop pcap-pointA
monitor capture point stop pcap-pointB


!-- Export the data for analysis.


monitor capture buffer pcap-buffer1 export tftp://192.0.2.100/1.cap
monitor capture buffer pcap-bufferA export tftp://192.0.2.100/A.cap

Note: This feature was introduced in Cisco IOS Software Release 12.4(20)T. Cisco recommends that you use version 15.x, since Version 12.4 code captures only the first 512 bytes of the packet.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Aug 01, 2013
Document ID: 115805