TL;DR: On a Cisco router, capture traffic locally to a pcap file and send it to your computer later.
I don’t know how I missed that! I needed to capture traffic on an interface; however, for some reason, I couldn’t use live capture. So I was trying to find a way to capture, using the “?” a lot in the Cisco terminal. Accidentally, I found a way to store a capture locally. I’m pretty sure everyone knows about this but me, but I’ll write this anyway.
After the capture is complete, it needs to be sent somewhere. In my case I will send it to a TFTP server, so make sure you have a TFTP server running somewhere.
Performing the capture
Configure the capture to match some traffic. In my case I want to capture any IPv6 traffic. For me the command would be:
Router# monitor capture cap_name match ipv6 any any interface gigabitEthernet 2 both
The command breakdown with some of the fields explained:
Router#monitor capture cap_name match ipv6 any any interface gigabitEthernet 2 both
                       ^              ^    ^   ^
                       |              |    |   +-- Destination selection
                       |              |    +------ Source selection
                       |              +----------- Match traffic type
                       +-------------------------- Capture name

Match traffic type:
  any     all packets
  ipv4    IPv4 packets only
  ipv6    IPv6 packets only
  mac     MAC filter configuration

Source selection:
  A.B.C.D/nn            IPv4 source Prefix ...
  or
  X:X:X:X::X/<0-128>    IPv6 source...
  any                   Any source prefix
  host                  A single source host
  protocol              Protocols
Now I can start the capture:
Router# monitor capture cap_name start
Now the capture runs. It is probably a good idea to use a specific match for the traffic you care about, so that the capture file stays small and the router's memory stays free.
While the capture runs, I can check its status:
Router#show monitor capture cap_name
Status Information for Capture cap_name
Target Type:
Interface: GigabitEthernet2, Direction: both
Status : Active
Filter Details:
IPv6
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: LINEAR (default)
Buffer Size (in MB): 10
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
When the capture is done, I can stop it:
Router#monitor capture cap_name stop
And now I need to send the capture to my TFTP server:
Router#monitor capture cap_name export tftp://10.0.0.44/my_capture.pcap
!
Exported Successfully
Other destinations the capture can be exported to:
Router#monitor capture cap_name export ?
bootflash: Location of the file
flash: Location of the file
ftp: Location of the file
http: Location of the file
https: Location of the file
pram: Location of the file
rcp: Location of the file
scp: Location of the file
tftp: Location of the file
That’s it! Just open the file you’ve received in Wireshark.
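TFTP runs over UDP and does not verify the file it delivers, so it is worth checking the export before analysing it. The script below is an added example, not part of the original post: it walks a classic pcap file, reports whether it was cut short, and counts frames that do not match the "ipv6" filter used above. It assumes the export is a classic pcap with Ethernet link type; the sample bytes are constructed for the demonstration.

```python
import struct

ETHERTYPE_IPV6 = 0x86DD
LINKTYPE_ETHERNET = 1
# Classic pcap magic as raw bytes: microsecond and nanosecond variants.
LITTLE_ENDIAN_MAGIC = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")
BIG_ENDIAN_MAGIC = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")

def check_capture(data: bytes) -> dict:
    """Count packets, frames that are not IPv6, and detect a truncated file."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] in LITTLE_ENDIAN_MAGIC:
        endian = "<"
    elif data[:4] in BIG_ENDIAN_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}")
    result = {"packets": 0, "non_ipv6": 0, "truncated": False}
    offset = 24
    while offset < len(data):
        # Each record: ts_sec, ts_frac, captured length, original length.
        if offset + 16 > len(data):
            result["truncated"] = True
            break
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        if offset + incl_len > len(data):
            result["truncated"] = True
            break
        frame = data[offset:offset + incl_len]
        offset += incl_len
        result["packets"] += 1
        # EtherType sits at bytes 12-13; VLAN-tagged frames count as non-IPv6.
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
            result["non_ipv6"] += 1
    return result

def sample_pcap() -> bytes:
    """Constructed sample: two IPv6 frames and one IPv4 frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    def record(ethertype: int) -> bytes:
        frame = b"\x00" * 12 + struct.pack("!H", ethertype) + b"\x00" * 40
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return header + record(ETHERTYPE_IPV6) + record(ETHERTYPE_IPV6) + record(0x0800)
```

For a real export, call check_capture(open("my_capture.pcap", "rb").read()); "truncated": True means the file should be exported again.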