I had to use the built-in embedded packet capture on a Cisco router in order to troubleshoot and prove a routing issue with our ISP. This is a very handy packet capture tool for deep-packet analysis and troubleshooting.
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.137.2 YES manual up up
FastEthernet1/0 unassigned YES unset administratively down down
FastEthernet1/1 200.1.1.1 YES manual up up
NVI0 192.168.137.2 YES unset up up
R1#ping 192.168.137.1 // PING MY NUC WIFI SHARED ADAPTER IP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.137.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/32 ms
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms
R1#monitor ?
call Monitor call
capture Packet Capture
elog Event-logging control commands
event-trace Control event tracing
processes Monitor processes
R1#monitor capture ?
buffer Control Capture Buffers
point Control Capture Points
R1#monitor capture buffer ?
WORD Name of the Capture Buffer
R1#monitor capture buffer BUF ?
circular Circular Buffer
clear Clear contents of capture buffer
export Export in Pcap format
filter Configure filters
limit Limit the packets dumped to the buffer
linear Linear Buffer(Default)
max-size Maximum size of element in the buffer (in bytes)
size Packet Dump buffer size (in Kbytes)
<cr>
R1#monitor capture buffer BUF size ?
<256-102400> Buffer size in Kbytes : 102400K or less (default is 1024K)
R1#monitor capture buffer BUF size 2048 ?
circular Circular Buffer
linear Linear Buffer(Default)
max-size Maximum size of element in the buffer (in bytes)
<cr>
R1#monitor capture buffer BUF size 2048 max-size ?
<68-9500> Element size in bytes : 9500 bytes or less (default is 68 bytes)
R1#monitor capture buffer BUF size 2048 max-size 1518 ?
circular Circular Buffer
linear Linear Buffer(Default)
<cr>
R1#monitor capture buffer BUF size 2048 max-size 1518 linear // DEFINE A CAPTURE BUFFER
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended BUF-ACL // LIMIT THE CAPTURE USING ACL
R1(config-ext-nacl)#permit icmp any host 8.8.8.8
R1(config-ext-nacl)#permit icmp host 8.8.8.8 any
R1(config-ext-nacl)#end
R1#
*Mar 31 06:20:41.237: %SYS-5-CONFIG_I: Configured from console by console
R1#monitor capture ?
buffer Control Capture Buffers
point Control Capture Points
R1#monitor capture point ?
associate Associate capture point with capture buffer
disassociate Dis-associate capture point from capture buffer
ip IPv4
ipv6 IPv6
start Enable Capture Point
stop Disable Capture Point
R1#monitor capture point associate ?
WORD Name of the Capture Point
R1#monitor capture point associate POINT ?
WORD Name of the Capture Buffer
R1#monitor capture buffer BUF ?
circular Circular Buffer
clear Clear contents of capture buffer
export Export in Pcap format
filter Configure filters
limit Limit the packets dumped to the buffer
linear Linear Buffer(Default)
max-size Maximum size of element in the buffer (in bytes)
size Packet Dump buffer size (in Kbytes)
<cr>
R1#monitor capture buffer BUF filter ?
access-list Set access list
R1#monitor capture buffer BUF filter access-list ?
<1-199> IP access list
<1300-2699> IP expanded access list
WORD Access-list name
R1#monitor capture buffer BUF filter access-list BUF-ACL
Filter Association succeeded
R1#monitor capture point ?
associate Associate capture point with capture buffer
disassociate Dis-associate capture point from capture buffer
ip IPv4
ipv6 IPv6
start Enable Capture Point
stop Disable Capture Point
R1#monitor capture point ip ?
cef IPv4 CEF
process-switched Process switched packets
R1#monitor capture point ip cef ?
WORD Name of the Capture Point
R1#monitor capture point ip cef POINT ?
Async Async interface
Auto-Template Auto-Template interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
GMPLS MPLS interface
Group-Async Async Group interface
LISP Locator/ID Separation Protocol Virtual Interface
LongReachEthernet Long-Reach Ethernet interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
all All interfaces
drop Drop on any interface
punt Punt on any interface
vmi Virtual Multipoint Interface
R1#monitor capture point ip cef POINT fastethernet 0/0 ?
both capture ingress and egress
in capture on ingress
out capture on egress
R1#monitor capture point ip cef POINT fastethernet 0/0 both // DEFINE CAPTURE POINT
R1#
*Mar 31 06:23:04.985: %BUFCAP-6-CREATE: Capture Point POINT created.
R1#monitor capture point ?
associate Associate capture point with capture buffer
disassociate Dis-associate capture point from capture buffer
ip IPv4
ipv6 IPv6
start Enable Capture Point
stop Disable Capture Point
R1#monitor capture point associate ?
WORD Name of the Capture Point
R1#monitor capture point associate POINT ?
WORD Name of the Capture Buffer
R1#monitor capture point associate POINT BUF // ATTACHED BUFFER CREATED EARLIER
R1#monitor capture point start POINT // START CAPTURING PACKETS
R1#
*Mar 31 06:23:38.593: %BUFCAP-6-ENABLE: Capture Point POINT enabled.
R1#ping 8.8.8.8 // GENERATE ICMP PACKETS
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/34/68 ms
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/32 ms
R1#show monitor capture buffer BUF dump // DISPLAY PACKET CAPTURE
06:23:50.765 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644009 ....LOOP..E..d@.
6981B2D0: 00003501 EBD50808 0808C0A8 89020000 ..5.kU....@(....
6981B2E0: EC110014 00000000 00003D30 5CF4ABCD l.........=0\t+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:50.765 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644009 ....LOOP..E..d@.
6981B2D0: 00003501 EBD50808 0808C0A8 89020000 ..5.kU....@(....
6981B2E0: EC110014 00000000 00003D30 5CF4ABCD l.........=0\t+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:50.797 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644011 ....LOOP..E..d@.
6981B2D0: 00003501 EBCD0808 0808C0A8 89020000 ..5.kM....@(....
6981B2E0: EBCC0014 00010000 00003D30 5D38ABCD kL........=0]8+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:50.797 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644011 ....LOOP..E..d@.
6981B2D0: 00003501 EBCD0808 0808C0A8 89020000 ..5.kM....@(....
6981B2E0: EBCC0014 00010000 00003D30 5D38ABCD kL........=0]8+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:50.825 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064401A ....LOOP..E..d@.
6981B2D0: 00003501 EBC40808 0808C0A8 89020000 ..5.kD....@(....
6981B2E0: EBAB0014 00020000 00003D30 5D58ABCD k+........=0]X+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:50.825 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064401A ....LOOP..E..d@.
6981B2D0: 00003501 EBC40808 0808C0A8 89020000 ..5.kD....@(....
6981B2E0: EBAB0014 00020000 00003D30 5D58ABCD k+........=0]X+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:50.853 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064402B ....LOOP..E..d@+
6981B2D0: 00003501 EBB30808 0808C0A8 89020000 ..5.k3....@(....
6981B2E0: EB8E0014 00030000 00003D30 5D74ABCD k.........=0]t+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:50.853 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064402B ....LOOP..E..d@+
6981B2D0: 00003501 EBB30808 0808C0A8 89020000 ..5.k3....@(....
6981B2E0: EB8E0014 00030000 00003D30 5D74ABCD k.........=0]t+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:50.869 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064403A ....LOOP..E..d@:
6981B2D0: 00003501 EBA40808 0808C0A8 89020000 ..5.k$....@(....
6981B2E0: EB710014 00040000 00003D30 5D90ABCD kq........=0].+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:50.869 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064403A ....LOOP..E..d@:
6981B2D0: 00003501 EBA40808 0808C0A8 89020000 ..5.k$....@(....
6981B2E0: EB710014 00040000 00003D30 5D90ABCD kq........=0].+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.657 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446DD ....LOOP..E..dF]
6981B2D0: 00003501 E5010808 0808C0A8 89020000 ..5.e.....@(....
6981B2E0: DCA80015 00000000 00003D30 6C5CABCD \(........=0l\+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.657 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446DD ....LOOP..E..dF]
6981B2D0: 00003501 E5010808 0808C0A8 89020000 ..5.e.....@(....
6981B2E0: DCA80015 00000000 00003D30 6C5CABCD \(........=0l\+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.669 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446E8 ....LOOP..E..dFh
6981B2D0: 00003501 E4F60808 0808C0A8 89020000 ..5.dv....@(....
6981B2E0: DC970015 00010000 00003D30 6C6CABCD \.........=0ll+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.669 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446E8 ....LOOP..E..dFh
6981B2D0: 00003501 E4F60808 0808C0A8 89020000 ..5.dv....@(....
6981B2E0: DC970015 00010000 00003D30 6C6CABCD \.........=0ll+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.689 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446F7 ....LOOP..E..dFw
6981B2D0: 00003501 E4E70808 0808C0A8 89020000 ..5.dg....@(....
6981B2E0: DC8A0015 00020000 00003D30 6C78ABCD \.........=0lx+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.689 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446F7 ....LOOP..E..dFw
6981B2D0: 00003501 E4E70808 0808C0A8 89020000 ..5.dg....@(....
6981B2E0: DC8A0015 00020000 00003D30 6C78ABCD \.........=0lx+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.721 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064470E ....LOOP..E..dG.
6981B2D0: 00003501 E4D00808 0808C0A8 89020000 ..5.dP....@(....
6981B2E0: DC750015 00030000 00003D30 6C8CABCD \u........=0l.+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.721 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064470E ....LOOP..E..dG.
6981B2D0: 00003501 E4D00808 0808C0A8 89020000 ..5.dP....@(....
6981B2E0: DC750015 00030000 00003D30 6C8CABCD \u........=0l.+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.741 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644714 ....LOOP..E..dG.
6981B2D0: 00003501 E4CA0808 0808C0A8 89020000 ..5.dJ....@(....
6981B2E0: DC500015 00040000 00003D30 6CB0ABCD \P........=0l0+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.741 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644714 ....LOOP..E..dG.
6981B2D0: 00003501 E4CA0808 0808C0A8 89020000 ..5.dJ....@(....
6981B2E0: DC500015 00040000 00003D30 6CB0ABCD \P........=0l0+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
R1#monitor capture point stop POINT // STOP PACKET CAPTURE AND CLEAN UP CONFIG
R1#
*Mar 31 06:24:30.309: %BUFCAP-6-DISABLE: Capture Point POINT disabled.
R1#no monitor capture point ip cef POINT fastethernet 0/0 both
R1#
*Mar 31 06:24:57.709: %BUFCAP-6-DELETE: Capture Point POINT deleted.
R1#no monitor capture buffer BUF
Capture Buffer deleted
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no ip access-list extended BUF-ACL
The raw packet capture output on a router isn't human-readable; to analyze it properly you'll need to export it to an external TFTP server in .pcap file format. For this scenario, I just want to quickly view the packet capture. I copied and pasted the buffer output, removed the timestamp and split the data into columns using MS Excel.
To split the data into columns, select the data > click Text to Columns > choose Fixed Width > click Next > double-click to put column lines > click Next.
You can use a free online HEX to pcap converter tool to view the packet capture. Copy the middle column HEX data, paste it into the tool (the box on the left-hand side) and click Decode this packet.
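The spreadsheet and online-decoder steps above can also be done offline with a short script. This is an added example, not part of the original post: it parses the `show monitor capture buffer BUF dump` text, cuts the extra trailing byte using the IPv4 total length, decodes the IPv4/ICMP fields and builds a .pcap for Wireshark. The function names and the output file name are hypothetical.

```python
import calendar
import re
import struct
from datetime import datetime

# Rows of one frame, copied from the dump earlier on this page. The page lists
# the frame twice, once per label, so the sample reuses the rows for both.
_ROWS = r"""
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644009 ....LOOP..E..d@.
6981B2D0: 00003501 EBD50808 0808C0A8 89020000 ..5.kU....@(....
6981B2E0: EC110014 00000000 00003D30 5CF4ABCD l.........=0\t+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
"""
SAMPLE_DUMP = (
    "06:23:50.765 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None" + _ROWS
    + "06:23:50.765 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None" + _ROWS
)

HEADER = re.compile(r"^(\d\d:\d\d:\d\d\.\d+ UTC \w{3} +\d+ \d{4}) : (.+?) : ")
ROW = re.compile(r"^[0-9A-Fa-f]{4,8}:\s*(.*)$")
HEXWORD = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")


def row_bytes(rest):
    """Bytes of one dump row, without the ASCII column that follows the hex."""
    tokens = rest.split(" ")
    n = 0
    while n < min(4, len(tokens)) and HEXWORD.match(tokens[n]):
        n += 1
    # The ASCII column has one character per byte. Use that to reject an ASCII
    # token that merely looks like hex on a short row (e.g. "41424344 ABCD").
    for k in range(n, 0, -1):
        data = bytes.fromhex("".join(tokens[:k]))
        if len(" ".join(tokens[k:])) == len(data):
            return data
    return bytes.fromhex("".join(tokens[:n]))


def trim_frame(raw):
    """Keep Ethernet header + IPv4 total length; the rows above carry 115
    bytes for a 114-byte frame, so the last byte is not part of the packet."""
    if len(raw) >= 18 and raw[12:14] == b"\x08\x00":
        total = struct.unpack("!H", raw[16:18])[0]
        return raw[:14 + total]
    return raw


def parse_dump(text):
    """Return [(epoch_sec, usec, label, frame_bytes), ...] in dump order."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        head = HEADER.match(line)
        if head:
            when = datetime.strptime(head.group(1), "%H:%M:%S.%f UTC %b %d %Y")
            records.append([calendar.timegm(when.timetuple()),
                            when.microsecond, head.group(2), bytearray()])
            continue
        row = ROW.match(line)
        if row and records:
            records[-1][3] += row_bytes(row.group(1))
    return [(s, us, label, trim_frame(bytes(raw)))
            for s, us, label, raw in records]


def describe(frame):
    """Decode the IPv4 (and ICMP) fields; None if the frame is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    info = {"src": ".".join(map(str, frame[26:30])),
            "dst": ".".join(map(str, frame[30:34])),
            "ttl": frame[22], "proto": frame[23]}
    icmp = frame[14 + ihl:]
    if info["proto"] == 1 and len(icmp) >= 8:
        info["icmp_type"], info["icmp_code"] = icmp[0], icmp[1]
        info["icmp_id"], info["icmp_seq"] = struct.unpack("!HH", icmp[4:8])
    return info


def to_pcap(records):
    """Serialize as a classic little-endian pcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    seen = set()
    for sec, usec, _label, frame in records:
        # Identical bytes at the identical timestamp are treated as the same
        # frame listed under a second label and written only once.
        if (sec, usec, frame) in seen:
            continue
        seen.add((sec, usec, frame))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for _sec, _usec, label, frame in recs:
        print(label, len(frame), describe(frame))
    with open("epc_sample.pcap", "wb") as fh:  # hypothetical output file name
        fh.write(to_pcap(recs))
```

To use it on a full capture, paste the router's dump output into a text file and pass its contents to `parse_dump` in place of `SAMPLE_DUMP`.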
capture Packet Capture
elog Event-logging control commands
event-trace Control event tracing
platform Monitor platform information
processes Monitor processes
ASR#monitor capture ?
WORD Name of the Capture
ASR#monitor capture CAP ?
access-list access-list to be attached
buffer Buffer options
class-map class name to attached
clear Clear Buffer
control-plane Control Plane
export Export Buffer
interface Interface
limit Limit Packets Captured
match Describe filters inline
start Enable Capture
stop Disable Capture
ASR#monitor capture CAP interface ?
GigabitEthernet GigabitEthernet IEEE 802.3z
Multilink Multilink-group interface
Port-channel Ethernet Channel of interfaces
TenGigabitEthernet Ten Gigabit Ethernet
Tunnel Tunnel interface
range interface range command
ASR#monitor capture CAP interface GigabitEthernet0/0/1 ?
both Inbound and outbound packets
in Inbound packets
out Outbound packets
ASR#monitor capture CAP interface GigabitEthernet0/0/1 both
ipv4 IPv4 packets only
ipv6 IPv6 packets only
mac MAC filter configuration
ASR#monitor capture CAP match ipv4 ?
A.B.C.D/nn IPv4 source Prefix <network>/<length>, e.g., 192.168.0.0/16
any Any source prefix
host A single source host
protocol Protocols
ASR#monitor capture CAP match ipv4 protocol ?
tcp Filter by TCP protocol
udp Filter by UDP protocol
ASR#monitor capture CAP match ipv4 protocol tcp ?
A.B.C.D/nn IPv4 source Prefix <network>/<length>, e.g., 192.168.0.0/16
any Any source prefix
host A single source host
ASR#monitor capture CAP match ipv4 protocol tcp any ?
A.B.C.D/nn IPv4 destination Prefix <network>/<length>, e.g., 192.168.0.0/16
any Any destination prefix
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
ASR#monitor capture CAP match ipv4 protocol tcp any any
# size timestamp source destination protocol
-------------------------------------------------------------
0 1514 0.000000 10.6.0.2 -> 10.6.101.9 TCP
1 118 0.000000 10.6.0.2 -> 10.6.101.9 TCP
2 54 0.000000 10.6.101.9 -> 10.6.0.2 TCP
3 1514 0.001007 10.6.0.2 -> 10.6.101.9 TCP
# size timestamp source destination protocol
-------------------------------------------------------------
0 1514 0.000000 10.6.0.2 -> 10.6.101.9 TCP
0000: A08CFDA2 FD3100BE 7539A703 08004500 .....1..u9....E.
0010: 05DCD97B 40003E06 E3670A74 000C0A74 ...{@.>..g.t...t
0020: 65450B2D C9F50AC7 56D64CEB 2DC35010 eE.-....V.L.-.P.
0030: 003F3DA8 00000000 05F00000 C3C05AC4 .?=...........Z.
ASR#ping 172.27.5.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.5.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
Exported Successfully
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.689 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446F7 ....LOOP..E..dFw
6981B2D0: 00003501 E4E70808 0808C0A8 89020000 ..5.dg....@(....
6981B2E0: DC8A0015 00020000 00003D30 6C78ABCD \.........=0lx+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.721 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064470E ....LOOP..E..dG.
6981B2D0: 00003501 E4D00808 0808C0A8 89020000 ..5.dP....@(....
6981B2E0: DC750015 00030000 00003D30 6C8CABCD \u........=0l.+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.721 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064470E ....LOOP..E..dG.
6981B2D0: 00003501 E4D00808 0808C0A8 89020000 ..5.dP....@(....
6981B2E0: DC750015 00030000 00003D30 6C8CABCD \u........=0l.+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.741 UTC Mar 31 2018 : IPv4 CEF Turbo : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644714 ....LOOP..E..dG.
6981B2D0: 00003501 E4CA0808 0808C0A8 89020000 ..5.dJ....@(....
6981B2E0: DC500015 00040000 00003D30 6CB0ABCD \P........=0l0+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
06:23:54.741 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644714 ....LOOP..E..dG.
6981B2D0: 00003501 E4CA0808 0808C0A8 89020000 ..5.dJ....@(....
6981B2E0: DC500015 00040000 00003D30 6CB0ABCD \P........=0l0+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
R1#monitor capture point stop POINT // STOP PACKET CAPTURE AND CLEAN UP CONFIG
R1#
*Mar 31 06:24:30.309: %BUFCAP-6-DISABLE: Capture Point POINT disabled.
R1#no monitor capture point ip cef POINT fastethernet 0/0 both
R1#
*Mar 31 06:24:57.709: %BUFCAP-6-DELETE: Capture Point POINT deleted.
R1#no monitor capture buffer BUF
Capture Buffer deleted
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no ip access-list extended BUF-ACL
The raw packet capture output on the router is not human-readable; to analyze it properly, you'll need to export it to an external TFTP server in .pcap file format. For this scenario, I just wanted to quickly view the packet capture. I copied and pasted the buffer output, removed the timestamps and split the data into columns using MS Excel.
To split the data into columns, select the data > click Text to Columns > choose Fixed Width > click Next > double-click to put column lines > click Next.
You can use a free online HEX to pcap converter tool to view the packet capture. Copy the middle column of HEX data, paste it into the tool (the box on the left-hand side) and click Decode this packet.
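The column-splitting and decoding steps above can also be scripted offline. The following Python is an added example, not part of the original post: it parses the hex column of the buffer dump, using one record copied from the output above as sample input, and decodes the Ethernet, IPv4 and ICMP headers. The function names are illustrative.

```python
import re
import struct
from itertools import takewhile
# Sample input: one record copied from the buffer dump on this page.
DUMP = """\
06:23:50.853 UTC Mar 31 2018 : IPv4 LES CEF : Fa0/0 None
6981B2B0: CA011AAC J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064402B ....LOOP..E..d@+
6981B2D0: 00003501 EBB30808 0808C0A8 89020000 ..5.k3....@(....
6981B2E0: EB8E0014 00030000 00003D30 5D74ABCD k.........=0]t+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00 +M+M+M+M+M+M+M.
"""
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{4,8}:\s+(.*)$")   # "address: words ascii"
HEX_WORD = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")    # one hex word, 1 to 4 bytes

def parse_dump(text):
    """Return [(header_line, frame_bytes)]; any non-hex line opens a new record."""
    records = [("", bytearray())]
    for line in map(str.strip, text.splitlines()):
        if not (m := HEX_LINE.match(line)):
            records.append((line, bytearray()))
            continue
        # At most four hex words per line; the first non-hex token is the ASCII column.
        words = takewhile(HEX_WORD.match, m.group(1).split()[:4])
        records[-1][1].extend(bytes.fromhex("".join(words)))
    return [(hdr, bytes(buf)) for hdr, buf in records if buf]

def csum_ok(data):
    """A valid Internet checksum makes the one's-complement 16-bit sum 0xFFFF."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_ipv4_icmp(frame):
    """Decode the Ethernet II / IPv4 / ICMP fields of one captured frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        raise ValueError("not an Ethernet II IPv4 frame")
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    ip = frame[14:14 + total_len]            # also drops the dump's trailing extra byte
    out = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "ttl": ip[8], "proto": ip[9], "truncated": len(ip) < total_len,
           "ip_csum_ok": csum_ok(ip[:ihl])}
    if out["proto"] == 1 and len(ip) >= ihl + 8:
        out["icmp_type"], _, _, out["icmp_id"], out["icmp_seq"] = struct.unpack_from("!BBHHH", ip, ihl)
        out["icmp_csum_ok"] = None if out["truncated"] else csum_ok(ip[ihl:])
    return out
```

For the sample record this reports an ICMP echo reply (type 0) from 8.8.8.8 to 192.168.137.2 with valid IP and ICMP checksums. A frame cut short by a small buffer max-size is flagged as truncated and its ICMP checksum is left unverified.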
This was a packet capture I performed on a Cisco ASR1K router to troubleshoot a TCP handshake issue. I exported and analyzed the output using Wireshark.
ASR#monitor ?
call Monitor call
capture Packet Capture
elog Event-logging control commands
event-trace Control event tracing
platform Monitor platform information
processes Monitor processes
ASR#monitor capture ?
WORD Name of the Capture
ASR#monitor capture CAP ?
access-list access-list to be attached
buffer Buffer options
class-map class name to attached
clear Clear Buffer
control-plane Control Plane
export Export Buffer
interface Interface
limit Limit Packets Captured
match Describe filters inline
start Enable Capture
stop Disable Capture
ASR#monitor capture CAP interface ?
GigabitEthernet GigabitEthernet IEEE 802.3z
Multilink Multilink-group interface
Port-channel Ethernet Channel of interfaces
TenGigabitEthernet Ten Gigabit Ethernet
Tunnel Tunnel interface
range interface range command
ASR#monitor capture CAP interface GigabitEthernet0/0/1 ?
both Inbound and outbound packets
in Inbound packets
out Outbound packets
ASR#monitor capture CAP interface GigabitEthernet0/0/1 both
ASR#monitor capture CAP match ?
any all packets
ipv4 IPv4 packets only
ipv6 IPv6 packets only
mac MAC filter configuration
ASR#monitor capture CAP match ipv4 ?
A.B.C.D/nn IPv4 source Prefix <network>/<length>, e.g., 192.168.0.0/16
any Any source prefix
host A single source host
protocol Protocols
ASR#monitor capture CAP match ipv4 protocol ?
tcp Filter by TCP protocol
udp Filter by UDP protocol
ASR#monitor capture CAP match ipv4 protocol tcp ?
A.B.C.D/nn IPv4 source Prefix <network>/<length>, e.g., 192.168.0.0/16
any Any source prefix
host A single source host
ASR#monitor capture CAP match ipv4 protocol tcp any ?
A.B.C.D/nn IPv4 destination Prefix <network>/<length>, e.g., 192.168.0.0/16
any Any destination prefix
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
ASR#monitor capture CAP match ipv4 protocol tcp any any
ASR#monitor capture CAP start
ASR#show monitor capture CAP buffer brief
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
0 1514 0.000000 10.6.0.2 -> 10.6.101.9 TCP
1 118 0.000000 10.6.0.2 -> 10.6.101.9 TCP
2 54 0.000000 10.6.101.9 -> 10.6.0.2 TCP
3 1514 0.001007 10.6.0.2 -> 10.6.101.9 TCP
<OUTPUT TRUNCATED>
ASR#show monitor capture CAP buffer brief detailed
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
0 1514 0.000000 10.6.0.2 -> 10.6.101.9 TCP
0000: A08CFDA2 FD3100BE 7539A703 08004500 .....1..u9....E.
0010: 05DCD97B 40003E06 E3670A74 000C0A74 ...{@.>..g.t...t
0020: 65450B2D C9F50AC7 56D64CEB 2DC35010 eE.-....V.L.-.P.
0030: 003F3DA8 00000000 05F00000 C3C05AC4 .?=...........Z.
<OUTPUT TRUNCATED>
For some reason the TFTP export failed so I tried FTP instead.
ASR#monitor capture CAP export tftp://172.27.5.6/CAP.pcap
.....Failed to Export: Failed to create export file
ASR#ping 172.27.5.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.5.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
ASR#monitor capture CAP export tftp://172.27.5.6/CAP.pcap
Writing CAP.pcap Exported Successfully
Stop and remove the packet capture once you're finished.
ASR#monitor capture CAP stop
ASR#no monitor capture CAP