Capturing traffic on an interface and reviewing later in wireshark on Cisco CSR 1000v

TL;DR: On CISCO router, capture traffic locally to a pcap file and send it later to your computer.

I don’t know how did I missed that! I needed to capture a traffic on an interface, however for some reason, i couldn’t use live capture. So I was trying to find a way to capture, using the “?” a lot in CISCO terminal. Accidentally, I found a way to store a capture locally. I pretty sure everyone knows about this but me, but I”ll write this anyway.

After the capture is complete it needed to be sent somewhere. In my case I will send it to tftp server. So make sure you have tftp server running somewhere.

Performing the capture

Configure capture to match some traffic. In my case I want to capture any IPv6 traffic. For me the command would be :

Router# monitor capture cap_name match ipv6 any any interface gigabitEthernet 2 both

The command breakdown with some of the fields explained:

Router#monitor capture cap_name match ipv6 any any interface gigabitEthernet 2 both
                        ^              ^    ^   ^
                        |              |    |   +----------------+
              +---------+  +-----------+    +-------------+      |
              |            |                              |  Destination selection
              +            +                              |
   Capture name    Match traffic type                Source selection
                     any   all packets                 A.B.C.D/nn  IPv4 source Prefix ...
                     ip^4  IP^4 packets only              or
                     ipv6  IPv6 packets only           X:X:X:X::X/<0-128>  IPv6 source...
                     mac   MAC filter configuration    any         Any source prefix
                                                       host        A single source host
                                                       protocol    Protocols

Now I can start the capture:

Router# monitor capture cap_name start

Now the capture runs. It is probably a good idea to have some good match for a specific traffic to make sure to keep the capture file small and memory of the CISCO free.

While the capture runs, I can check it status:

Router#show monitor capture cap_name

Status Information for Capture cap_name
  Target Type:
   Interface: GigabitEthernet2, Direction: both
   Status : Active
  Filter Details:
    Source IP:  any
    Destination IP:  any
   Protocol: any
  Buffer Details:
   Buffer Type: LINEAR (default)
   Buffer Size (in MB): 10
  Limit Details:
   Number of Packets to capture: 0 (no limit)
   Packet Capture duration: 0 (no limit)
   Packet Size to capture: 0 (no limit)
   Maximum number of packets to capture per second: 1000
   Packet sampling rate: 0 (no sampling)

When the capture is done, I can stop it:

Router#monitor capture cap_name stop

And now I need to send the capture to my tftp server:

Router#monitor capture cap_name export tftp://
Exported Successfully

Other destinations where a traffic can be exported to:

Router#monitor capture cap_name export ?
  bootflash:  Location of the file
  flash:      Location of the file
  ftp:        Location of the file
  http:       Location of the file
  https:      Location of the file
  pram:       Location of the file
  rcp:        Location of the file
  scp:        Location of the file
  tftp:       Location of the file

This is it! Just open the file you’ve received in wireshark.