TL;DR: On CISCO router, capture traffic locally to a pcap file and send it later to your computer.
I don’t know how did I missed that! I needed to capture a traffic on an interface, however for some reason, i couldn’t use live capture. So I was trying to find a way to capture, using the “?” a lot in CISCO terminal. Accidentally, I found a way to store a capture locally. I pretty sure everyone knows about this but me, but I”ll write this anyway.
After the capture is complete it needed to be sent somewhere. In my case I will send it to tftp server. So make sure you have tftp server running somewhere.
Performing the capture
Configure capture to match some traffic. In my case I want to capture any IPv6 traffic. For me the command would be :
Router# monitor capture cap_name match ipv6 any any interface gigabitEthernet 2 bothThe command breakdown with some of the fields explained:
Router#monitor capture cap_name match ipv6 any any interface gigabitEthernet 2 both
^ ^ ^ ^
| | | +----------------+
+---------+ +-----------+ +-------------+ |
| | | Destination selection
+ + |
Capture name Match traffic type Source selection
any all packets A.B.C.D/nn IPv4 source Prefix ...
ip^4 IP^4 packets only or
ipv6 IPv6 packets only X:X:X:X::X/<0-128> IPv6 source...
mac MAC filter configuration any Any source prefix
host A single source host
protocol Protocols
Now I can start the capture:
Router# monitor capture cap_name startNow the capture runs. It is probably a good idea to have some good match for a specific traffic to make sure to keep the capture file small and memory of the CISCO free.
While the capture runs, I can check it status:
Router#show monitor capture cap_name
Status Information for Capture cap_name
Target Type:
Interface: GigabitEthernet2, Direction: both
Status : Active
Filter Details:
IPv6
Source IP: any
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: LINEAR (default)
Buffer Size (in MB): 10
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
When the capture is done, I can stop it:
Router#monitor capture cap_name stopAnd now I need to send the capture to my tftp server:
Router#monitor capture cap_name export tftp://10.0.0.44/my_capture.pcap
!
Exported Successfully
Other destinations where a traffic can be exported to:
Router#monitor capture cap_name export ?
bootflash: Location of the file
flash: Location of the file
ftp: Location of the file
http: Location of the file
https: Location of the file
pram: Location of the file
rcp: Location of the file
scp: Location of the file
tftp: Location of the fileThis is it! Just open the file you’ve received in wireshark.