Embedded Packet Capture

Embedded packet capture

An embedded packet capture is a network troubleshooting feature that

  • enables administrators to trace and analyze data packets in real time

  • allows capture of packets flowing through, to, and from a Cisco device, and

  • supports filtering, buffer management, and packet analysis for diagnosing complex network issues.

The Embedded Packet Capture on the controller is used for troubleshooting multiple issues, such as authentication failures with RADIUS, AP joining or disconnection, client forwarding, disconnection, and roaming. It can also help with specific features, including multicast, mDNS, Umbrella, and mobility. When troubleshooting an AP join or client onboarding issue, you might lose important information if you are unable to stop the capture immediately when the issue occurs. In most cases, a buffer of 100 MB is not sufficient for data capture. Moreover, the existing Embedded Packet Capture feature supports only the filtering of one inner MAC address, which captures the traffic of a specific client. At times, it is difficult to pinpoint which wireless client is experiencing an issue.

Beginning with Cisco IOS XE Dublin 17.12.1, the Embedded Packet Capture feature supports increased buffer size, continuous capture, and filtering of multiple MAC addresses in one session. You cannot configure the Embedded Packet Capture enhancement using the GUI.

Feature history for embedded packet capture

This table provides release and related information about the feature explained in this section.

This feature is also available in all the releases subsequent to the one in which they are introduced in, unless noted otherwise.

Table 1. Feature history for embedded packet capture

Release

Feature

Feature Information

Cisco IOS XE Dublin 17.12.1

Embedded Packet Capture

The embedded packet capture feature is enhanced to support increased buffer size, continuous capture, and filtering of multiple MAC addresses in one embedded packet capture (EPC) session.

Configure embedded packet capture (CLI)

Configure and manage embedded packet capture on your Cisco device using commands to analyze live packet traffic and gather data for troubleshooting.

With the Embedded Packet Capture feature enhancement, the buffer size is increased from 100 MB to 500 MB.


Note
Buffer is of memory type. You can either maintain a memory buffer or copy the memory buffer that is present in a file to store more information.

Procedure

Step 1

Enable privileged EXEC mode.

Example:

Device> enable

Enter your password, if prompted.

Step 2

Configure the Gigabit Ethernet interface for inbound, outbound, or both inbound and outbound packets.

Example:

Device# monitor capture epc_session-name interface GigabitEthernet interface-number {both | in | out}

For Cisco 9800-CL controllers, use Gigabit interfaces such as Gi1, Gi2, or Gi3. For physical controllers, specify the port channel if one is configured. Supported physical interfaces include Te or Tw.

Note

 
To capture packets punted to the CPU, run the control-plane command.

Step 3

(Optional) Configure monitor capture limit, in seconds.

Example:

Device# monitor capture epc_session-name limit duration limit-duration

Step 4

(Optional) Configures the file in circular buffer. (The buffer can be circular or linear.)

Example:

Device# monitor capture epc_session-name buffer circular file no-of-files file-size per-file-size

When circular is configured, the files work as a ring buffer. The value range of the number of files to be configured is from two to five. The file size can range from 1 MB to 500 MB.

The buffer command supports various keywords, such as circular , file , and size . The circular command is optional.

Note

 

A circular buffer is required for continuous capture.

This step generates swap files on the controller. Swap files are not packet capture (PCAP) files and cannot be analyzed directly. When you run the export command, the swap files are combined and exported as one PCAP file.

Step 5

Configure inline filters and configure a monitor capture specifying an access list as the filter for the packet capture.

Example:

Device# monitor capture epc_session-name match {any | ipv4 | ipv6 | mac | pklen-range}
Device# monitor capture epc_session-name access-list access-list-name

Note

 

You can configure filters and ACLs.

Step 6

(Optional) Configure continuous packet capture.

Example:

Device# monitor capture epc_session-name continuous-capture http: location/filename

Enable the automatic export of files to a specific location before the buffer is overwritten.

Note

 

  • A circular buffer is required for continuous capture.

  • Configure the filename with a .pcap extension.

  • An example of the filename and nomenclature used to generate the filename is as follows: CONTINUOUS_CAP_20230601130203.pcap

    CONTINUOUS_CAP_20230601130240.pcap

  • After packets are exported automatically, the buffer is not cleared until it is overwritten by new incoming capture packets, cleared, or deleted using commands.

Step 7

(Optional) Configure up to 10 MAC addresses as inner MAC filter.

Example:

Device# monitor capture epc_session-name inner mac [ MAC1 | MAC2 | MAC3......... ] 

Device# no monitor capture epc_session-name inner mac [ MAC1 | MAC2 | MAC3......... ]

Note

 

  • You cannot modify the inner MAC addresses while the capture is in progress.

  • You can enter the MAC addresses in a single command or over multiple command lines. Because of the character string limitation, you can enter only five MAC addresses in a single command line. To enter the remaining MAC addresses, use the next command line.

  • If you have configured 10 inner MAC addresses, you must delete an existing address before adding a new one.

Step 8

Start capture of packet data and stop capture of packet data.

Example:

Device# no monitor capture epc_session-name start
Device# no monitor capture epc_session-name stop

Step 9

Export captured data for analysis when continuous capture is not configured.

Example:

Device# monitor capture epc_session-name export filelocation/filename

Verify embedded packet capture

To view the configured file number and per file size, run this command:


Note

This command is displayed irrespective of whether continuous capture is enabled or not. The configured inner MAC addresses are also displayed using this command. 

Device# show monitor capture epc_session1
Status Information for Capture epc_session1
  Target Type: 
 Interface: TwoGigabitEthernet0/0/0, Direction: BOTH
   Status : Inactive
  Filter Details: 
    Capture all packets
                Inner Filter Details:
                Continuous capture: enabled
                Continuous capture path:
                 ftp://mgcusr:mgcusr@10.124.19.169//home/mgcusr/xij/repo.pcap
                Buffer Details: Buffer Type: CIRCULAR No of files: 5 File Size (in MB): 21
  Limit Details: 
   Number of Packets to capture: 0 (no limit)
   Packet Capture duration: 3600
   Packet Size to capture: 0 (no limit)
   Maximum number of packets to capture per second: 1000
   Packet sampling rate: 0 (no sampling)

To view the configured Embedded Packet Capture buffer files, run these commands:

Device# show monitor capture epc_session1 buffer brief 
 ----------------------------------------------------------------------------
 #   size   timestamp     source             destination      dscp    protocol
 ----------------------------------------------------------------------------
   0 1386    0.000000   192.168.10.117   ->  192.168.10.100   0  BE   UDP
   1 1378    0.000000   192.168.10.100   ->  192.168.10.117   0  BE   UDP
   2 1386    0.001007   192.168.10.117   ->  192.168.10.100   0  BE   UDP

Note

This command works for normal embedded packet capture (EPC) but is not supported in continuous captures.

 
Device# show monitor capture epc_session1 buffer dump 
0
  0000:  6C8BD3FE AEC0F4BD 9E566E4B 8100000A   l........VnK....
  0010:  08004500 05500000 0000FF11 2073C0A8   ..E..P...... s..
  0020:  0A64C0A8 0A75147F 1480053C 00000010   .d...u.....<....
  0030:  03000000 00000288 0000C48E 8FC860CF   ..............`.
  0040:  DC8C3759 4B203468 95299EA5 00000000   ..7YK 4h.)......
  0050:  AAAA0300 00000800 4500050A 92154000   ........E.....@.
  0060:  40060BBC C0A80B67 C0A80B65 A7E0139D   @......g...e....
  0070:  32595FD8 0F2D6065 801001F6 EA440000   2Y_..-`e.....D..
  0080:  0101080A BFCB4934 A959414F 36373839   ......I4.YAO6789
  0090:  30313233 34353637 38393031 32333435   0123456789012345
  00A0:  36373839 30313233 34353637 38393031   6789012345678901
  00B0:  32333435 36373839 30313233 34353637   2345678901234567
  00C0:  38393031 32333435 36373839 30313233   8901234567890123
  00D0:  34353637 38393031 32333435 36373839   4567890123456789
  00E0:  30313233 34353637 38393031 32333435   0123456789012345
  00F0:  36373839 30313233 34353637 38393031   6789012345678901
  0100:  32333435 36373839 30313233 34353637   2345678901234567
.
.
.