I needed to perform a packet capture in our Cisco 4K Integrated Services Router (ISR) to troubleshoot a Session Initiation Protocol (SIP) problem. Here's a Cisco link for the monitor capture commands.
ip access-list extended CAP-ACL
permit ip 172.27.17.0 0.0.0.31 10.12.16.0 0.0.0.255
permit ip 10.12.16.0 0.0.0.255 172.27.17.0 0.0.0.31
#monitor capture CAP access-list CAP-ACL
#monitor capture CAP interface GigabitEthernet0/0/0.41 both
#monitor capture CAP start
show monitor capture CAP buffer brief
show monitor capture CAP buffer detailed
#monitor capture CAP export tftp://<TFTP IP ADDRESS>/CAP.pcap
#monitor capture CAP stop
#monitor capture CAP clear
Configure an extended ACL that narrows the capture to the IP addresses (and, if needed, the specific TCP/UDP ports) of interest.
4K#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
4K(config)#ip access-list extended CAP-ACL
4K(config-ext-nacl)#permit ip 172.27.17.0 0.0.0.31 10.12.16.0 0.0.0.255
4K(config-ext-nacl)#permit ip 10.12.16.0 0.0.0.255 172.27.17.0 0.0.0.31
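The masks in these ACL entries are Cisco wildcard masks, the bitwise inverse of a subnet mask: 0.0.0.31 matches a /27 and 0.0.0.255 a /24, and typing a subnet mask by mistake silently produces a filter that matches almost nothing. As an added example that is not part of the original post, the Python below models that wildcard matching, parses the CAP-ACL entries above, and then checks rows from the "buffer brief" output later on the page against the ACL; one extra row (packet 6, from 172.27.17.200, outside the /27) is constructed to show a miss. The function names and the constructed row are this example's own.

```python
import ipaddress
import re

# Cisco ACLs use wildcard masks: a 0 bit must match the given address, a 1 bit is
# "don't care". This is the inverse of a subnet mask, so 0.0.0.31 is a /27.

def wildcard_to_prefixlen(wildcard: str) -> int:
    """Prefix length of a contiguous wildcard mask; ValueError if it is not contiguous
    (which is what a subnet mask such as 255.255.255.224 looks like as a wildcard)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"{wildcard} is not a contiguous wildcard mask")
    return prefixlen


def is_valid_wildcard(wildcard: str) -> bool:
    try:
        wildcard_to_prefixlen(wildcard)
        return True
    except ValueError:
        return False


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


# The ACL exactly as entered on the router above.
CAP_ACL = """\
permit ip 172.27.17.0 0.0.0.31 10.12.16.0 0.0.0.255
permit ip 10.12.16.0 0.0.0.255 172.27.17.0 0.0.0.31
"""


def parse_acl(text: str) -> list:
    """Parse 'permit ip <src> <wc> <dst> <wc>' entries, the only ACE form used here."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACE: {line!r}")
        _, _, src_net, src_wc, dst_net, dst_wc = parts
        if not (is_valid_wildcard(src_wc) and is_valid_wildcard(dst_wc)):
            raise ValueError(f"subnet mask typed where a wildcard belongs: {line!r}")
        entries.append((src_net, src_wc, dst_net, dst_wc))
    return entries


def acl_permits(entries: list, src: str, dst: str) -> bool:
    """First match wins; an ACL made only of permits ends in an implicit deny."""
    return any(wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw)
               for sn, sw, dn, dw in entries)


# Rows copied from the page's 'show monitor capture CAP buffer brief' output, plus one
# constructed row (packet 6) whose source lies outside the /27 in the ACL.
BRIEF_OUTPUT = """\
-------------------------------------------------------------
 # size timestamp source destination protocol
-------------------------------------------------------------
 0 1046 0.000000 172.27.17.8 -> 10.12.16.5 TCP
 1 70 0.569022 172.27.17.8 -> 10.12.16.5 TCP
 3 1050 4.057996 172.27.17.12 -> 10.12.16.5 TCP
 6 70 5.100000 172.27.17.200 -> 10.12.16.5 TCP
"""

BRIEF_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+->\s+([\d.]+)\s+(\S+)")


def parse_brief(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = BRIEF_ROW.match(line)
        if m:
            rows.append({"num": int(m[1]), "size": int(m[2]), "time": float(m[3]),
                         "src": m[4], "dst": m[5], "proto": m[6]})
    return rows


def rows_outside_acl(entries: list, rows: list) -> list:
    """Packet numbers whose addresses the ACL would not have permitted."""
    return [r["num"] for r in rows if not acl_permits(entries, r["src"], r["dst"])]


if __name__ == "__main__":
    acl = parse_acl(CAP_ACL)
    print("ACL sources:", [f"{s}/{wildcard_to_prefixlen(w)}" for s, w, _, _ in acl])
    print("rows outside ACL:", rows_outside_acl(acl, parse_brief(BRIEF_OUTPUT)))
```

Running it reports the two sources as 172.27.17.0/27 and 10.12.16.0/24 and flags only the constructed packet 6; feeding it a real "buffer brief" dump is a quick way to confirm the filter attached to the capture is the one you intended.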
Define the capture with an arbitrary name, attach it to an interface with the direction to capture (in, out or both), and apply the ACL configured above as its filter.
4K#monitor capture CAP access-list CAP-ACL
4K#monitor capture CAP interface GigabitEthernet0/0/0.41 both
Start the packet capture, then issue the show monitor capture <NAME> command to view a summary of the capture's configuration and status.
4K#monitor capture CAP start
4K#show monitor capture CAP
Status Information for Capture CAP
Target Type:
Interface: GigabitEthernet0/0/0.41, Direction: both
Status : Active
Filter Details:
Access-list: CAP-ACL
Buffer Details:
Buffer Type: LINEAR (default)
Buffer Size (in MB): 10
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Use the show monitor capture <NAME> buffer brief command to view traffic.
4K#show monitor capture CAP buffer brief
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
0 1046 0.000000 172.27.17.8 -> 10.12.16.5 TCP
1 70 0.569022 172.27.17.8 -> 10.12.16.5 TCP
2 70 0.577018 172.27.17.8 -> 10.12.16.5 TCP
3 1050 4.057996 172.27.17.12 -> 10.12.16.5 TCP
4 70 4.617024 172.27.17.12 -> 10.12.16.5 TCP
5 70 4.623020 172.27.17.12 -> 10.12.16.5 TCP
<OUTPUT TRUNCATED>
The show monitor capture <NAME> buffer detailed command only prints a hex dump of each packet, so you'll want Wireshark to inspect the capture properly. Export it as a .pcap file to an external TFTP/FTP server with the monitor capture <NAME> export command.
Make sure the TFTP server IP address is reachable from the router. If you have multiple sub-interfaces using VRFs, use the ip tftp source-interface <INTERFACE> command so the export is sourced from the interface that can reach the server.
4K(config)#ip tftp source-interface GigabitEthernet0/0/0.41
4K#show monitor capture CAP buffer detailed
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
0 1046 0.000000 172.27.17.8 -> 10.12.16.5 TCP
0000: 682C7BD2 9A205061 BF3D7715 81006191 h,{.. Pa.=w...a.
0010: 08004560 0404529F 00004006 AD48AC1B ..E`..R...@..H..
0020: B0080A70 1019C71D 13C4EC3E 0B5E5DFB ...p.......>.^].
0030: 939C8018 0A510F25 00000101 080A0037 .....Q.%.......7
1 70 0.569022 172.27.17.8 -> 10.12.16.5 TCP
0000: 682C7BD2 9A205061 BF3D7715 81006191 h,{.. Pa.=w...a.
0010: 08004560 003452AF 00004006 B108AC1B ..E`.4R...@.....
0020: B0080A70 1019C71D 13C4EC3E 0F2E5DFB ...p.......>..].
0030: 94E58010 0A5185F9 00000101 080A0037 .....Q.........7
2 70 0.577018 172.27.17.8 -> 10.12.16.5 TCP
0000: 682C7BD2 9A205061 BF3D7715 81006191 h,{.. Pa.=w...a.
0010: 08004560 003452B0 00004006 B107AC1B ..E`.4R...@.....
0020: B0080A70 1019C71D 13C4EC3E 0F2E5DFB ...p.......>..].
0030: 977C8010 0A518360 00000101 080A0037 .|...Q.`.......7
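The detailed output is a raw hex dump, which is why Wireshark is the practical tool. As an added example that is not part of the original post, the Python below parses the first frame's dump from the output above and decodes its Ethernet, 802.1Q, IPv4 and TCP headers, enough to confirm from the CLI alone that the capture holds the SIP signaling (TCP port 5060) being troubleshot. It is a teaching decoder, not a Wireshark replacement; the function names are this example's own, and it deliberately handles the fact that the router prints only the first 64 bytes of each frame.

```python
import ipaddress
import re
import struct

# First frame from the page's 'show monitor capture CAP buffer detailed' output.
# The router prints only the first 64 bytes of the 1046-byte frame.
DETAILED_DUMP = """\
0000: 682C7BD2 9A205061 BF3D7715 81006191 h,{.. Pa.=w...a.
0010: 08004560 0404529F 00004006 AD48AC1B ..E`..R...@..H..
0020: B0080A70 1019C71D 13C4EC3E 0B5E5DFB ...p.......>.^].
0030: 939C8018 0A510F25 00000101 080A0037 .....Q.%.......7
"""

DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{4}):(.*)$")
HEX_WORD = re.compile(r"^[0-9A-Fa-f]{2,8}$")
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def hexdump_to_bytes(text: str) -> bytes:
    """Turn 'OFFSET: WORD WORD WORD WORD ascii' lines into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        if int(m[1], 16) != len(out):
            raise ValueError(f"offset {m[1]} does not follow the previous line")
        taken = 0
        for tok in m[2].split():
            # Each line carries at most 16 bytes; the ASCII column follows them.
            if taken >= 16 or len(tok) % 2 or not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
            taken += len(tok) // 2
    return bytes(out)


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet, an optional 802.1Q tag, IPv4 and the L4 ports from a frame prefix."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    off = 14
    info = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "vlan": None, "captured": len(frame)}
    if ethertype == 0x8100:  # 802.1Q: TCI = PCP(3) DEI(1) VID(12), then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        info["pcp"] = tci >> 13
        info["vlan"] = tci & 0x0FFF
        off += 4
    info["ethertype"] = ethertype
    if ethertype != 0x0800:
        return info
    ihl = (frame[off] & 0x0F) * 4
    tos = frame[off + 1]
    total_len, _ident, _frag, ttl, proto = struct.unpack("!HHHBB", frame[off + 2:off + 10])
    info.update({
        "dscp": tos >> 2,
        "ip_len": total_len,
        "ttl": ttl,
        "ip_proto": proto,
        "ip_src": str(ipaddress.IPv4Address(frame[off + 12:off + 16])),
        "ip_dst": str(ipaddress.IPv4Address(frame[off + 16:off + 20])),
        # Wire size is IP total length plus the Ethernet (and VLAN) headers; if we hold
        # fewer bytes than that, the dump was cut short by the router.
        "truncated": len(frame) < off + total_len,
    })
    off += ihl
    if proto in (6, 17) and len(frame) >= off + 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", frame[off:off + 4])
    if proto == 6 and len(frame) >= off + 14:
        flags = frame[off + 13]
        info["tcp_flags"] = [n for i, n in enumerate(TCP_FLAGS) if flags & (1 << i)]
    return info


if __name__ == "__main__":
    for key, value in decode_frame(hexdump_to_bytes(DETAILED_DUMP)).items():
        print(f"{key:>10}: {value}")
```

Decoded from these bytes: VLAN 401, DSCP 24 (CS3, the usual call-signaling marking), TCP 50973 -> 5060 with PSH and ACK set, and only 64 of the 1046 bytes present, which is what the truncated flag reports. Note that the addresses carried in the bytes (172.27.176.8 -> 10.112.16.25) do not match the summary row printed for this packet (172.27.17.8 -> 10.12.16.5), so the summary and the hex dump on this page should not be assumed to describe one packet consistently.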
4K#monitor capture CAP export tftp://172.27.5.3/CAP.pcap
!
Exported Successfully
Stop and remove the packet capture, and delete the ACL, once you're finished.
4K#monitor capture CAP clear
4K#monitor capture CAP stop
4K#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
4K(config)#no ip access-list extended CAP-ACL