Capturing traffic on an interface and reviewing later in wireshark on Cisco CSR 1000v

TL;DR: On CISCO router, capture traffic locally to a pcap file and send it later to your computer.

I don’t know how did I missed that! I needed to capture a traffic on an interface, however for some reason, i couldn’t use live capture. So I was trying to find a way to capture, using the “?” a lot in CISCO terminal. Accidentally, I found a way to store a capture locally. I pretty sure everyone knows about this but me, but I”ll write this anyway.

After the capture is complete it needed to be sent somewhere. In my case I will send it to tftp server. So make sure you have tftp server running somewhere.

Performing the capture

Configure capture to match some traffic. In my case I want to capture any IPv6 traffic. For me the command would be :

Router# monitor capture cap_name match ipv6 any any interface gigabitEthernet 2 both

The command breakdown with some of the fields explained:

Router#monitor capture cap_name match ipv6 any any interface gigabitEthernet 2 both
                        ^              ^    ^   ^
                        |              |    |   +----------------+
              +---------+  +-----------+    +-------------+      |
              |            |                              |  Destination selection
              +            +                              |
   Capture name    Match traffic type                Source selection
                     any   all packets                 A.B.C.D/nn  IPv4 source Prefix ...
                     ip^4  IP^4 packets only              or
                     ipv6  IPv6 packets only           X:X:X:X::X/<0-128>  IPv6 source...
                     mac   MAC filter configuration    any         Any source prefix
                                                       host        A single source host
                                                       protocol    Protocols

Now I can start the capture:

Router# monitor capture cap_name start

Now the capture runs. It is probably a good idea to have some good match for a specific traffic to make sure to keep the capture file small and memory of the CISCO free.

While the capture runs, I can check it status:

Router#show monitor capture cap_name

Status Information for Capture cap_name
  Target Type:
   Interface: GigabitEthernet2, Direction: both
   Status : Active
  Filter Details:
    Source IP:  any
    Destination IP:  any
   Protocol: any
  Buffer Details:
   Buffer Type: LINEAR (default)
   Buffer Size (in MB): 10
  Limit Details:
   Number of Packets to capture: 0 (no limit)
   Packet Capture duration: 0 (no limit)
   Packet Size to capture: 0 (no limit)
   Maximum number of packets to capture per second: 1000
   Packet sampling rate: 0 (no sampling)

When the capture is done, I can stop it:

Router#monitor capture cap_name stop

And now I need to send the capture to my tftp server:

Router#monitor capture cap_name export tftp://
Exported Successfully

Other destinations where a traffic can be exported to:

Router#monitor capture cap_name export ?
  bootflash:  Location of the file
  flash:      Location of the file
  ftp:        Location of the file
  http:       Location of the file
  https:      Location of the file
  pram:       Location of the file
  rcp:        Location of the file
  scp:        Location of the file
  tftp:       Location of the file

This is it! Just open the file you’ve received in wireshark.

Kernel seminar – part 4


Simultaneous device access

Several user space programs access the same device, data or hardware
Several kernel processes executing the same code on behalf of parallel user processes
The code can be running on another processor
Kernel code can be interrupted at any time
Kernel may be preempted

Linux Locking primitives

Atomic variable are not locks, but help avoid synchronization issues


Semaphore can go sleep. Meaning cannot be used in tasklets, timers interrupts
It safe to block while holding a semaphore
Semaphores manipulated in two ways:
down – blocking operation
up – release operation

Initialize semaphores

Attempt to acquire a semaphore:
int down_interruptible (stuct semaphore*);
returns 0 on success
only use if event 100% will happen
interrupt can cancel the semphore

int down(struct semaphore*)
same as above, without the interrupt thing

int down_trylock (struct semaphore *sem)
return 0 if success or 1 if semaphore cannot be acquired

release semaphore:
void up(struct semaphore*)


Same as semaphore, but more advanced.
Requier #include <linux/mutex.h>
init statically:
init dynamically:
void mutex_init(struct mutex *lock)


A section a code that executed in a loop, while checking if a lock is free or not. The spinlock occupy the CPU
requires #include <linux/spinlock.h>
static init:
Dynamic init:
void spin_lock_init(spinlock_t *lock)


Atomic variables
Useful when the shared resource is an integer value
requires <asm/atomic.h>
atomic_set(atomic_t * int)
int atomic_read(atomic_t *)
Operations without return values:
void atomic_int (atomic_t *)
void atomic_dec (atomic_t *)
void atomic_add (int, atomic_t *)
void atomic_sub (int, atomic_t *)

Later subjects are mostly concern heavy hands on, therefore I will not note them