This document describes the Embedded Packet Capture (EPC) feature in Cisco IOS® software.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Cisco IOS Release 12.4(20)T or later
Cisco IOS-XE Release 15.2(4)S - 3.7.0 or later
The information in this document was created from devices in a lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
When enabled, the router captures the packets sent and received. The packets are stored within a buffer in DRAM and are thus not persistent through a reload. Once the data is captured, it can be examined in a summary or detailed view on the router. In addition, the data can be exported as a packet capture (PCAP) file to allow for further examination. The tool is configured in exec mode and is considered a temporary assistance tool. As a result, the tool configuration is not stored within the router configuration and will not remain in place after a system reload.
Cisco IOS Configuration Example
Basic EPC Configuration
Define a 'capture buffer', which is a temporary buffer that the captured packets are stored within. There are various options that can be selected when the buffer is defined, such as size, maximum packet size, and circular/linear:
monitor capture buffer BUF size 2048 max-size 1518 linear
A filter can also be applied to limit the capture to desired traffic. Define an Access Control List (ACL) within config mode and apply the filter to the buffer:
ip access-list extended BUF-FILTER
 permit ip host 192.168.1.1 host 172.16.1.1
 permit ip host 172.16.1.1 host 192.168.1.1
Define a 'capture point', which defines the location where the capture occurs. The capture point also defines whether the capture occurs for IPv4 or IPv6 and in which switching path (process versus cef):
monitor capture point ip cef POINT fastEthernet 0 both
Attach the buffer to the capture point:
monitor capture point associate POINT BUF
Start the capture:
monitor capture point start POINT
The capture is now active. Allow collection of the necessary data.
Stop the capture:
monitor capture point stop POINT
Examine the buffer on the unit:
show monitor capture buffer BUF dump
Note: This output shows only the hex dump of the captured packets. There are two ways to view them in human-readable form:
Export the buffer from the router for further analysis:
However, the previous method is not always practical because it requires T/FTP access to the router. In such situations, you can take a copy of the hex dump and use any online hex-pcap converter in order to view the files.
Once the necessary data has been collected, delete the "capture point" and "capture buffer":
no monitor capture point ip cef POINT fastEthernet 0 both
no monitor capture buffer BUF
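The hex-dump route described in the note above can also be done locally, which keeps captured traffic off third-party websites. The script below is an added example, not part of the original document or a Cisco tool. It assumes the dump layout described in its comments (this document does not show the output), uses a constructed sample packet, and the function names and the output file name epc.pcap are illustrative.

```python
import re
import struct

# Assumed dump layout (the page does not show it): one header line per packet
# starting with an HH:MM:SS.mmm timestamp, then rows of
# "ADDRESS: XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX  ascii".
HEADER = re.compile(r"^\s*\d{2}:\d{2}:\d{2}\.\d{3}\s")
ROW = re.compile(r"^\s*[0-9A-Fa-f]{8}: ")
HEX_COLS = 35  # four 8-digit words plus three separating spaces

# Constructed sample: one ICMP echo request, 192.168.1.1 -> 172.16.1.1.
SAMPLE = """\
10:00:00.000 UTC Jan 1 2024 : IPv4 LES CEF    : Fa0 None

0A1B2C30:                   00112233 44550066  .."3DU.f
0A1B2C40: 778899AA 08004500 001C0001 00004001  w.....E.......@.
0A1B2C50: 0C26C0A8 0101AC10 01010800 F7FF0000  .&..............
0A1B2C60: 0000                                 ..
"""

def parse_dump(text):
    """Return one bytes object per packet found in the dump text."""
    packets = []
    for line in text.splitlines():
        if HEADER.match(line):
            packets.append(bytearray())  # a header line opens a new packet
            continue
        row = ROW.match(line)
        if row and packets:
            # Slice by column so the ASCII rendering on the right, which can
            # itself contain hex-looking characters, never reaches fromhex().
            cols = line[row.end():row.end() + HEX_COLS]
            packets[-1] += bytes.fromhex(cols.replace(" ", ""))
    return [bytes(p) for p in packets if p]

def to_pcap(packets, linktype=1):
    """Serialise packets as classic little-endian PCAP bytes."""
    # Assumption: linktype 1 (Ethernet) fits a dump that starts at the
    # Ethernet header; use 101 (raw IP) if it starts at the IP header.
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for seq, pkt in enumerate(packets):
        # Dump timestamps are not parsed; the seconds field is the packet index.
        out += struct.pack("<IIII", seq, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    with open("epc.pcap", "wb") as fh:
        fh.write(to_pcap(parse_dump(SAMPLE)))
```

To use it on a real capture, paste the saved terminal output in place of SAMPLE and open the resulting file in a packet analyzer.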
In releases earlier than Cisco IOS Release 15.0(1)M, the buffer size was limited to 512K.
In releases earlier than Cisco IOS Release 15.0(1)M, the captured packet size was limited to 1024 bytes.
The packet buffer is stored in DRAM and will not persist through reloads.
The capture configuration is not stored in NVRAM and will not persist through reloads.
The capture point can be defined to capture in the cef or process switching paths.
The capture point can be defined to capture only on an interface or globally.
When the capture buffer is exported in PCAP format, L2 information (such as Ethernet encapsulation) is not preserved.