Friday, May 10, 2019

Cisco Router Embedded Packet Capture

I had to use the built-in embedded packet capture on a Cisco router in order to troubleshoot and prove a routing issue with our ISP. Embedded Packet Capture (EPC) is a very handy tool for deep-packet analysis and troubleshooting directly on the router, with no separate sniffer or SPAN port needed.

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.137.2   YES manual up                    up     
FastEthernet1/0            unassigned      YES unset  administratively down down   
FastEthernet1/1            200.1.1.1       YES manual up                    up     
NVI0                       192.168.137.2   YES unset  up                    up     

R1#ping 192.168.137.1      // PING MY NUC WIFI SHARED ADAPTER IP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.137.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/32 ms

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms

R1#monitor ?                 
  call         Monitor call
  capture      Packet Capture
  elog         Event-logging control commands
  event-trace  Control event tracing
  processes    Monitor processes

R1#monitor capture ?
  buffer  Control Capture Buffers
  point   Control Capture Points

R1#monitor capture buffer ?
  WORD  Name of the Capture Buffer

R1#monitor capture buffer BUF ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  size      Packet Dump buffer size (in Kbytes)
  <cr>

R1#monitor capture buffer BUF size ?
  <256-102400>  Buffer size in Kbytes : 102400K or less (default is 1024K)

R1#monitor capture buffer BUF size 2048 ?
  circular  Circular Buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  <cr>

R1#monitor capture buffer BUF size 2048 max-size ?
  <68-9500>  Element size in bytes : 9500 bytes or less (default is 68 bytes)

R1#monitor capture buffer BUF size 2048 max-size 1518 ?
  circular  Circular Buffer
  linear    Linear Buffer(Default)
  <cr>

R1#monitor capture buffer BUF size 2048 max-size 1518 linear    // DEFINE A CAPTURE BUFFER
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list extended BUF-ACL      // LIMIT THE CAPTURE USING ACL
R1(config-ext-nacl)#permit icmp any host 8.8.8.8
R1(config-ext-nacl)#permit icmp host 8.8.8.8 any
R1(config-ext-nacl)#end
R1#
*Mar 31 06:20:41.237: %SYS-5-CONFIG_I: Configured from console by console
R1#monitor capture ?
  buffer  Control Capture Buffers
  point   Control Capture Points

R1#monitor capture point ?
  associate     Associate capture point with capture buffer
  disassociate  Dis-associate capture point from capture buffer
  ip            IPv4
  ipv6          IPv6
  start         Enable Capture Point
  stop          Disable Capture Point

R1#monitor capture point associate ?
  WORD  Name of the Capture Point

R1#monitor capture point associate POINT ?
  WORD  Name of the Capture Buffer

R1#monitor capture buffer BUF ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  size      Packet Dump buffer size (in Kbytes)
  <cr>

R1#monitor capture buffer BUF filter ?
  access-list  Set access list

R1#monitor capture buffer BUF filter access-list ?     
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
  WORD         Access-list name

R1#monitor capture buffer BUF filter access-list BUF-ACL
Filter Association succeeded

R1#monitor capture point ?
  associate     Associate capture point with capture buffer
  disassociate  Dis-associate capture point from capture buffer
  ip            IPv4
  ipv6          IPv6
  start         Enable Capture Point
  stop          Disable Capture Point

R1#monitor capture point ip ?
  cef               IPv4 CEF
  process-switched  Process switched packets

R1#monitor capture point ip cef ?
  WORD  Name of the Capture Point

R1#monitor capture point ip cef POINT ?
  Async              Async interface
  Auto-Template      Auto-Template interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  GMPLS              MPLS interface
  Group-Async        Async Group interface
  LISP               Locator/ID Separation Protocol Virtual Interface
  LongReachEthernet  Long-Reach Ethernet interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  all                All interfaces
  drop               Drop on any interface
  punt               Punt on any interface
  vmi                Virtual Multipoint Interface

R1#monitor capture point ip cef POINT fastethernet 0/0 ?
  both  capture ingress and egress
  in    capture on ingress
  out   capture on egress

R1#monitor capture point ip cef POINT fastethernet 0/0 both    // DEFINE CAPTURE POINT
R1#
*Mar 31 06:23:04.985: %BUFCAP-6-CREATE: Capture Point POINT created.
R1#monitor capture point ?
  associate     Associate capture point with capture buffer
  disassociate  Dis-associate capture point from capture buffer
  ip            IPv4
  ipv6          IPv6
  start         Enable Capture Point
  stop          Disable Capture Point

R1#monitor capture point associate ?
  WORD  Name of the Capture Point

R1#monitor capture point associate POINT ?
  WORD  Name of the Capture Buffer

R1#monitor capture point associate POINT BUF    // ATTACHED BUFFER CREATED EARLIER
R1#monitor capture point start POINT      // START CAPTURING PACKETS
R1#
*Mar 31 06:23:38.593: %BUFCAP-6-ENABLE: Capture Point POINT enabled.

R1#ping 8.8.8.8       // GENERATE ICMP PACKETS
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/34/68 ms

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/32 ms

R1#show monitor capture buffer BUF dump      // DISPLAY PACKET CAPTURE
06:23:50.765 UTC Mar 31 2018 : IPv4 CEF Turbo  : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644009  ....LOOP..E..d@.
6981B2D0: 00003501 EBD50808 0808C0A8 89020000  ..5.kU....@(....
6981B2E0: EC110014 00000000 00003D30 5CF4ABCD  l.........=0\t+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:50.765 UTC Mar 31 2018 : IPv4 LES CEF    : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644009  ....LOOP..E..d@.
6981B2D0: 00003501 EBD50808 0808C0A8 89020000  ..5.kU....@(....
6981B2E0: EC110014 00000000 00003D30 5CF4ABCD  l.........=0\t+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:50.797 UTC Mar 31 2018 : IPv4 CEF Turbo  : Fa0/0 None
         
6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644011  ....LOOP..E..d@.
6981B2D0: 00003501 EBCD0808 0808C0A8 89020000  ..5.kM....@(....
6981B2E0: EBCC0014 00010000 00003D30 5D38ABCD  kL........=0]8+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:50.797 UTC Mar 31 2018 : IPv4 LES CEF    : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644011  ....LOOP..E..d@.
6981B2D0: 00003501 EBCD0808 0808C0A8 89020000  ..5.kM....@(....
6981B2E0: EBCC0014 00010000 00003D30 5D38ABCD  kL........=0]8+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:50.825 UTC Mar 31 2018 : IPv4 CEF Turbo  : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064401A  ....LOOP..E..d@.
6981B2D0: 00003501 EBC40808 0808C0A8 89020000  ..5.kD....@(....
6981B2E0: EBAB0014 00020000 00003D30 5D58ABCD  k+........=0]X+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:50.825 UTC Mar 31 2018 : IPv4 LES CEF    : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064401A  ....LOOP..E..d@.
6981B2D0: 00003501 EBC40808 0808C0A8 89020000  ..5.kD....@(....
6981B2E0: EBAB0014 00020000 00003D30 5D58ABCD  k+........=0]X+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:50.853 UTC Mar 31 2018 : IPv4 CEF Turbo  : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064402B  ....LOOP..E..d@+
6981B2D0: 00003501 EBB30808 0808C0A8 89020000  ..5.k3....@(....
6981B2E0: EB8E0014 00030000 00003D30 5D74ABCD  k.........=0]t+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:50.853 UTC Mar 31 2018 : IPv4 LES CEF    : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064402B  ....LOOP..E..d@+
6981B2D0: 00003501 EBB30808 0808C0A8 89020000  ..5.k3....@(....
6981B2E0: EB8E0014 00030000 00003D30 5D74ABCD  k.........=0]t+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:50.869 UTC Mar 31 2018 : IPv4 CEF Turbo  : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064403A  ....LOOP..E..d@:
6981B2D0: 00003501 EBA40808 0808C0A8 89020000  ..5.k$....@(....
6981B2E0: EB710014 00040000 00003D30 5D90ABCD  kq........=0].+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:50.869 UTC Mar 31 2018 : IPv4 LES CEF    : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064403A  ....LOOP..E..d@:
6981B2D0: 00003501 EBA40808 0808C0A8 89020000  ..5.k$....@(....
6981B2E0: EB710014 00040000 00003D30 5D90ABCD  kq........=0].+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:54.657 UTC Mar 31 2018 : IPv4 CEF Turbo  : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446DD  ....LOOP..E..dF]
6981B2D0: 00003501 E5010808 0808C0A8 89020000  ..5.e.....@(....
6981B2E0: DCA80015 00000000 00003D30 6C5CABCD  \(........=0l\+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:54.657 UTC Mar 31 2018 : IPv4 LES CEF    : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446DD  ....LOOP..E..dF]
6981B2D0: 00003501 E5010808 0808C0A8 89020000  ..5.e.....@(....
6981B2E0: DCA80015 00000000 00003D30 6C5CABCD  \(........=0l\+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:54.669 UTC Mar 31 2018 : IPv4 CEF Turbo  : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446E8  ....LOOP..E..dFh
6981B2D0: 00003501 E4F60808 0808C0A8 89020000  ..5.dv....@(....
6981B2E0: DC970015 00010000 00003D30 6C6CABCD  \.........=0ll+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:54.669 UTC Mar 31 2018 : IPv4 LES CEF    : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446E8  ....LOOP..E..dFh
6981B2D0: 00003501 E4F60808 0808C0A8 89020000  ..5.dv....@(....
6981B2E0: DC970015 00010000 00003D30 6C6CABCD  \.........=0ll+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:54.689 UTC Mar 31 2018 : IPv4 CEF Turbo  : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446F7  ....LOOP..E..dFw
6981B2D0: 00003501 E4E70808 0808C0A8 89020000  ..5.dg....@(....
6981B2E0: DC8A0015 00020000 00003D30 6C78ABCD  \.........=0lx+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:54.689 UTC Mar 31 2018 : IPv4 LES CEF    : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 006446F7  ....LOOP..E..dFw
6981B2D0: 00003501 E4E70808 0808C0A8 89020000  ..5.dg....@(....
6981B2E0: DC8A0015 00020000 00003D30 6C78ABCD  \.........=0lx+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:54.721 UTC Mar 31 2018 : IPv4 CEF Turbo  : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064470E  ....LOOP..E..dG.
6981B2D0: 00003501 E4D00808 0808C0A8 89020000  ..5.dP....@(....
6981B2E0: DC750015 00030000 00003D30 6C8CABCD  \u........=0l.+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:54.721 UTC Mar 31 2018 : IPv4 LES CEF    : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 0064470E  ....LOOP..E..dG.
6981B2D0: 00003501 E4D00808 0808C0A8 89020000  ..5.dP....@(....
6981B2E0: DC750015 00030000 00003D30 6C8CABCD  \u........=0l.+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:54.741 UTC Mar 31 2018 : IPv4 CEF Turbo  : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644714  ....LOOP..E..dG.
6981B2D0: 00003501 E4CA0808 0808C0A8 89020000  ..5.dJ....@(....
6981B2E0: DC500015 00040000 00003D30 6CB0ABCD  \P........=0l0+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.

06:23:54.741 UTC Mar 31 2018 : IPv4 LES CEF    : Fa0/0 None

6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644714  ....LOOP..E..dG.
6981B2D0: 00003501 E4CA0808 0808C0A8 89020000  ..5.dJ....@(....
6981B2E0: DC500015 00040000 00003D30 6CB0ABCD  \P........=0l0+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.


R1#monitor capture point stop POINT      // STOP PACKET CAPTURE AND CLEAN UP CONFIG
R1#
*Mar 31 06:24:30.309: %BUFCAP-6-DISABLE: Capture Point POINT disabled.
R1#no monitor capture point ip cef POINT fastethernet 0/0 both
R1#
*Mar 31 06:24:57.709: %BUFCAP-6-DELETE: Capture Point POINT deleted.
R1#no monitor capture buffer BUF
Capture Buffer deleted

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no ip access-list extended BUF-ACL


The raw hex dump that the router prints is not readable as-is; for proper analysis you need to export the buffer to an external TFTP server in .pcap format. For this scenario I just wanted to quickly view the packet capture, so I copied and pasted the buffer output, removed the timestamps and split the data into columns using MS Excel.

To split the data into columns, select the data > click Text to Columns > choose Fixed Width > click Next > double-click to put column lines > click Next.

You can use a free online HEX to pcap converter tool to view the packet capture. Copy the middle column of HEX data, paste it into the tool (the box on the left-hand side) and click Decode this packet.
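As an added example (not part of the original post, and not Cisco's own tooling), the following Python script does the Excel and online-converter steps in code: it parses the `show monitor capture buffer BUF dump` text above, writes a libpcap file that Wireshark can open, and decodes the Ethernet, IPv4 and ICMP headers, verifying the IPv4 header checksum so that a copy/paste slip in the hex is caught immediately. It goes a little beyond the IOS dump format and also accepts the ASR `show monitor capture CAP buffer brief detailed` layout shown further down this page (offset, hex words, ASCII column). The function names and the embedded SAMPLE_DUMP (two records copied from this page's output) are constructed for the example.

```python
"""Cisco EPC hex dump -> .pcap, with a header decode. Added example: not from
the original post and not Cisco tooling; it does in code what the post does
with Excel and an online converter. Handles the IOS `show monitor capture
buffer ... dump` layout and the ASR `... buffer brief detailed` layout.
Names are constructed; SAMPLE_DUMP is two records copied from this page."""
import re
import struct
from datetime import datetime, timezone

SAMPLE_DUMP = r"""
06:23:50.765 UTC Mar 31 2018 : IPv4 CEF Turbo  : Fa0/0 None
6981B2B0:                            CA011AAC              J..,
6981B2C0: 00000200 4C4F4F50 08004500 00644009  ....LOOP..E..d@.
6981B2D0: 00003501 EBD50808 0808C0A8 89020000  ..5.kU....@(....
6981B2E0: EC110014 00000000 00003D30 5CF4ABCD  l.........=0\t+M
6981B2F0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B300: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B310: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
6981B320: ABCDABCD ABCDABCD ABCDABCD ABCD00    +M+M+M+M+M+M+M.
   0 1514    0.000000   10.6.0.2      ->  10.6.101.9    TCP
  0000:  A08CFDA2 FD3100BE 7539A703 08004500   .....1..u9....E.
  0010:  05DCD97B 40003E06 E3670A74 000C0A74   ...{@.>..g.t...t
  0020:  65450B2D C9F50AC7 56D64CEB 2DC35010   eE.-....V.L.-.P.
  0030:  003F3DA8 00000000 05F00000 C3C05AC4   .?=...........Z.
"""

HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]{4,8}:\s*(.*)$")  # "<offset>: <hex words>  <ascii>"
HEX_WORD = re.compile(r"^[0-9A-Fa-f]+$")
ABS_TS = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) UTC (\w{3} \d{1,2} \d{4})")  # IOS record header
REL_TS = re.compile(r"^\s*\d+\s+\d+\s+(\d+\.\d+)")  # ASR "#  size  timestamp" row

def parse_dump(text):
    """Return [{"header": str, "frame": bytes}]. A non-blank, non-hex line starts a
    record and hex lines append to it. The hex field is the words before the ASCII
    column (set off by 2+ spaces), so a line that starts mid-row parses too."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEX_LINE.match(line)
        if m and records:
            words = re.split(r"\s{2,}", m.group(1).strip(), maxsplit=1)[0].split()
            if words and all(HEX_WORD.match(w) and len(w) % 2 == 0 for w in words):
                records[-1]["frame"] += bytes.fromhex("".join(words))
                continue
        records.append({"header": line.strip(), "frame": b""})
    return [r for r in records if r["frame"]]

def parse_timestamp(header):
    """(seconds, microseconds): absolute UTC for an IOS header, relative for ASR, else 0."""
    m = ABS_TS.match(header)
    if m:
        dt = datetime.strptime(" ".join(m.groups()), "%H:%M:%S.%f %b %d %Y")
        return int(dt.replace(tzinfo=timezone.utc).timestamp()), dt.microsecond
    m = REL_TS.match(header)
    if m:
        whole, frac = m.group(1).split(".")
        return int(whole), int(frac.ljust(6, "0")[:6])
    return 0, 0

def build_pcap(records, linktype=1):
    """Classic libpcap file: big-endian magic, LINKTYPE_ETHERNET (1)."""
    out = [struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for rec in records:
        sec, usec = parse_timestamp(rec["header"])
        out.append(struct.pack(">IIII", sec, usec, len(rec["frame"]), len(rec["frame"])))
        out.append(rec["frame"])
    return b"".join(out)

def ipv4_checksum_ok(header):
    """Ones-complement sum folds to 0xFFFF; a failure usually means a transcription error."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header[:len(header) // 2 * 2]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_frame(frame):
    """Ethernet II + IPv4 header fields and, for ICMP, the echo id/sequence."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return {}
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    info = {"eth_src": frame[6:12].hex(":"), "eth_dst": frame[:6].hex(":"),
            "ip_len": struct.unpack(">H", ip[2:4])[0], "ttl": ip[8], "proto": ip[9],
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ip_checksum_ok": ipv4_checksum_ok(ip)}
    if info["proto"] == 1 and len(frame) >= 14 + ihl + 8:  # ICMP header present
        icmp = frame[14 + ihl:14 + ihl + 8]
        info.update(icmp_type=icmp[0], icmp_code=icmp[1],
                    icmp_id=struct.unpack(">H", icmp[4:6])[0],
                    icmp_seq=struct.unpack(">H", icmp[6:8])[0])
    return info

if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for rec in recs:
        print(rec["header"], "->", decode_frame(rec["frame"]))
    open("capture.pcap", "wb").write(build_pcap(recs))  # open the result in Wireshark
```

Run on the sample, the first record decodes as an ICMP echo reply (type 0) from 8.8.8.8 to 192.168.137.2 with id 20 and sequence 0, i.e. the reply to the first `ping 8.8.8.8` above, and its IPv4 header checksum verifies. To convert your own capture, paste the whole `show monitor capture buffer BUF dump` output into a file and pass its contents to `parse_dump`; the IOS dump lists each frame twice (once per switching-path label, with identical bytes), so expect duplicate records. Note that the pcap record's original length is set to the captured length, so the ASR brief-detailed listing, which only shows the first 64 bytes of each frame, will look truncated in Wireshark; for full frames use the router's own export, as the ASR section below does.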

This was a packet capture I performed on a Cisco ASR1K router to troubleshoot a TCP handshake issue. I exported and analyzed the output using Wireshark.

ASR#monitor ?
  call         Monitor call
  capture      Packet Capture
  elog         Event-logging control commands
  event-trace  Control event tracing
  platform     Monitor platform information
  processes    Monitor processes

ASR#monitor capture ?
  WORD  Name of the Capture

ASR#monitor capture CAP ?
  access-list    access-list to be attached
  buffer         Buffer options
  class-map      class name to attached
  clear          Clear Buffer
  control-plane  Control Plane
  export         Export Buffer
  interface      Interface
  limit          Limit Packets Captured
  match          Describe filters inline
  start          Enable Capture
  stop           Disable Capture

ASR#monitor capture CAP interface ?
  GigabitEthernet     GigabitEthernet IEEE 802.3z
  Multilink           Multilink-group interface
  Port-channel        Ethernet Channel of interfaces
  TenGigabitEthernet  Ten Gigabit Ethernet
  Tunnel              Tunnel interface
  range               interface range command

ASR#monitor capture CAP interface GigabitEthernet0/0/1 ?
  both  Inbound and outbound packets
  in    Inbound packets
  out   Outbound packets

ASR#monitor capture CAP interface GigabitEthernet0/0/1 both

ASR#monitor capture CAP match ?                           
  any   all packets
  ipv4  IPv4 packets only
  ipv6  IPv6 packets only
  mac   MAC filter configuration

ASR#monitor capture CAP match ipv4 ?
  A.B.C.D/nn  IPv4 source Prefix <network>/<length>, e.g., 192.168.0.0/16
  any         Any source prefix
  host        A single source host
  protocol    Protocols

ASR#monitor capture CAP match ipv4 protocol ?
  tcp  Filter by TCP protocol
  udp  Filter by UDP protocol

ASR#monitor capture CAP match ipv4 protocol tcp ?
  A.B.C.D/nn  IPv4 source Prefix <network>/<length>, e.g., 192.168.0.0/16
  any         Any source prefix
  host        A single source host

ASR#monitor capture CAP match ipv4 protocol tcp any ? 
  A.B.C.D/nn  IPv4 destination Prefix <network>/<length>, e.g., 192.168.0.0/16
  any         Any destination prefix
  eq          Match only packets on a given port number
  gt          Match only packets with a greater port number
  host        A single destination host
  lt          Match only packets with a lower port number
  neq         Match only packets not on a given port number
  range       Match only packets in the range of port numbers

ASR#monitor capture CAP match ipv4 protocol tcp any any

ASR#monitor capture CAP start

ASR#show monitor capture CAP buffer brief
 -------------------------------------------------------------
 #   size   timestamp     source         destination   protocol
 -------------------------------------------------------------
   0 1514    0.000000   10.6.0.2      ->  10.6.101.9    TCP
   1  118    0.000000   10.6.0.2      ->  10.6.101.9    TCP
   2   54    0.000000   10.6.101.9    ->  10.6.0.2      TCP
   3 1514    0.001007   10.6.0.2      ->  10.6.101.9    TCP

<OUTPUT TRUNCATED>


ASR#show monitor capture CAP buffer brief detailed
 -------------------------------------------------------------
 #   size   timestamp     source         destination   protocol
 -------------------------------------------------------------
   0 1514    0.000000   10.6.0.2      ->  10.6.101.9    TCP
  0000:  A08CFDA2 FD3100BE 7539A703 08004500   .....1..u9....E.
  0010:  05DCD97B 40003E06 E3670A74 000C0A74   ...{@.>..g.t...t
  0020:  65450B2D C9F50AC7 56D64CEB 2DC35010   eE.-....V.L.-.P.
  0030:  003F3DA8 00000000 05F00000 C3C05AC4   .?=...........Z.

<OUTPUT TRUNCATED>


For some reason the TFTP export failed, so I tried FTP instead.

ASR#monitor capture CAP export tftp://172.27.5.6/CAP.pcap
.....Failed to Export: Failed to create export file

ASR#ping 172.27.5.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.5.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms

ASR#monitor capture CAP export tftp://172.27.5.6/CAP.pcap
Writing CAP.pcap
Exported Successfully


Stop and remove the capture once you are finished with it, so the buffer does not keep holding packet contents on the router.

ASR#monitor capture CAP stop
ASR#no monitor capture CAP