IOS XE (Cisco C1111-8P)

Starting the capture

To capture traffic on IOS XE, first create an extended IP access list that selects the traffic you want in the capture.

In this case I will filter for UDP SIP packets on port 5060, inbound and outbound:

ip access-list extended thorFilter
 10 permit udp host 10.219.100.52 any eq 5060
 20 permit udp any host 10.219.100.52 eq 5060
 30 deny ip any any

Now create a capture, assign the access list and the interface, and start the capture, all in one command:

monitor capture thorCap access-list thorFilter interface GigabitEthernet0/0/0 both buffer size 100 start

This will do the following:

  • Create capture: thorCap
  • Assign access-list: thorFilter
  • Assign interface: gigabitethernet0/0/0 in both directions
  • Create a buffer with 100MB size
  • Start the capture

Show capture

Show what we created

sh monitor capture thorCap

Status Information for Capture thorCap
  Target Type:
 Interface: GigabitEthernet0/0/0, Direction: BOTH
   Status : Active
  Filter Details:
   Access-list: thorFilter
  Buffer Details:
   Buffer Type: LINEAR (default)
   Buffer Size (in MB): 100
  Limit Details:
   Number of Packets to capture: 0 (no limit)
   Packet Capture duration: 0 (no limit)
   Packet Size to capture: 0 (no limit)
   Maximum number of packets to capture per second: 1000
   Packet sampling rate: 0 (no sampling)

Show what’s in the capture

sh monitor capture thorCap buffer
 buffer size (KB) : 102400
 buffer used (KB) : 896
 packets in buf   : 1314
 packets dropped  : 0
 packets per sec  : 0

Dump the capture content to console

sh monitor capture thorCap buffer dump
0
  0000:  D009C825 DB028C1E 804B3B00 080045B8   ...%.....K;...E.
  0010:  020CCDC1 40003E11 F35E0ADB 64340ADB   ....@.>..^..d4..
  0020:  FF1E13C4 13C401F8 9E294F50 54494F4E   .........)OPTION
  0030:  53207369 703A6172 69666C65 65742E63   S sip:
  [...]
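
A dump like this can be checked against the filter on a workstation without exporting the capture. The following Python sketch is an added example, not part of the original post: it rebuilds the frame bytes from the first three dump lines above and decodes the IPv4/UDP fields that thorFilter matches on (the function names are assumptions of this example).

```python
import re
import socket
import struct

# First three dump lines copied from the output above (packet index, then hex rows).
SAMPLE_DUMP = """\
0
  0000:  D009C825 DB028C1E 804B3B00 080045B8   ...%.....K;...E.
  0010:  020CCDC1 40003E11 F35E0ADB 64340ADB   ....@.>..^..d4..
  0020:  FF1E13C4 13C401F8 9E294F50 54494F4E   .........)OPTION
"""

# Offset, then hex words separated by single spaces; the ASCII column
# after the wider gap is deliberately not matched.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):\s+([0-9A-Fa-f]+(?: [0-9A-Fa-f]+)*)")

def dump_to_bytes(text):
    """Rebuild raw frame bytes from 'OFFSET:  HEX HEX HEX HEX   ascii' rows."""
    frame = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # packet index lines, "[...]" markers, blank lines
        if int(m.group(1), 16) != len(frame):
            raise ValueError(f"gap in dump before offset {m.group(1)}")
        frame += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(frame)

def parse_udp_frame(frame):
    """Decode Ethernet II / IPv4 / UDP and return the fields the ACL looks at."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet II frame")
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if len(frame) < 14 + ihl + 8:
        raise ValueError("dump too short for IPv4 + UDP headers")
    if frame[23] != 17:  # IPv4 protocol field, 17 = UDP
        raise ValueError("not UDP")
    sport, dport, udp_len = struct.unpack("!HHH", frame[14 + ihl:20 + ihl])
    return {
        "src": socket.inet_ntoa(frame[26:30]),
        "dst": socket.inet_ntoa(frame[30:34]),
        "sport": sport, "dport": dport, "udp_len": udp_len,
        "payload": frame[14 + ihl + 8:],
    }

def matches_filter(pkt, host="10.219.100.52", port=5060):
    """Mirror ACL entries 10 and 20: UDP from or to host, destination port 5060."""
    return pkt["dport"] == port and host in (pkt["src"], pkt["dst"])
```
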

Export/Download capture

I’m doing this via SCP. You may need to enable the SCP server in IOS first:

ip scp server enable

Now export the contents of your capture buffer to a file on flash:

monitor capture thorCap export flash:/thorCap.pcap

Copy the file from the router to your workstation:

me@workstation$ scp -O user@CiscoRouter:flash:/thorCap.pcap ./thorCap_SIP.pcap
