Saturday, July 1, 2023

Packet Capture in a Cisco 4000 ISR

I needed to run a packet capture on our Cisco 4K Integrated Services Router (ISR) to troubleshoot a Session Initiation Protocol (SIP) problem. Here's a Cisco link for the monitor capture commands.

Below is a summary of the CLI commands used. Most of them are entered in privileged EXEC mode (Router#), marked with # below; only the ACL is entered in configuration mode.

ip access-list extended CAP-ACL
 permit ip 172.27.17.0 0.0.0.31 10.12.16.0 0.0.0.255
 permit ip 10.12.16.0 0.0.0.255 172.27.17.0 0.0.0.31

#monitor capture CAP access-list CAP-ACL

#monitor capture CAP interface GigabitEthernet0/0/0.41 both

#monitor capture CAP start

#show monitor capture CAP buffer brief

#show monitor capture CAP buffer detailed

#monitor capture CAP export tftp://<TFTP IP ADDRESS>/CAP.pcap

#monitor capture CAP stop

#monitor capture CAP clear

Configure an extended ACL to narrow the capture down to the IP addresses (and, if needed, the TCP/UDP ports) of interest.

4K#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
4K(config)#ip access-list extended CAP-ACL
4K(config-ext-nacl)#permit ip 172.27.17.0 0.0.0.31 10.12.16.0 0.0.0.255
4K(config-ext-nacl)#permit ip 10.12.16.0 0.0.0.255 172.27.17.0 0.0.0.31

Define the capture with an arbitrary name (CAP here), attach the ACL configured above as its filter, and bind it to the interface with the direction to capture (in, out or both).

4K#monitor capture CAP access-list CAP-ACL

4K#monitor capture CAP interface GigabitEthernet0/0/0.41 both

Start the packet capture. Issue the show monitor capture <NAME> command to view a summary of the capture's configuration and status.

4K#monitor capture CAP start

4K#show monitor capture CAP

Status Information for Capture CAP
  Target Type:
   Interface: GigabitEthernet0/0/0.41, Direction: both
   Status : Active
  Filter Details:
   Access-list: CAP-ACL
  Buffer Details:
   Buffer Type: LINEAR (default)
   Buffer Size (in MB): 10
  Limit Details:
   Number of Packets to capture: 0 (no limit)
   Packet Capture duration: 0 (no limit)
   Packet Size to capture: 0 (no limit)
   Maximum number of packets to capture per second: 1000
   Packet sampling rate: 0 (no sampling)


Use the show monitor capture <NAME> buffer brief command to list the captured packets, one line per packet.

4K#show monitor capture CAP buffer brief
 -------------------------------------------------------------
 #   size   timestamp     source             destination   protocol
 -------------------------------------------------------------
   0 1046    0.000000   172.27.17.8     ->  10.12.16.5     TCP
   1   70    0.569022   172.27.17.8     ->  10.12.16.5     TCP
   2   70    0.577018   172.27.17.8     ->  10.12.16.5     TCP
   3 1050    4.057996   172.27.17.12    ->  10.12.16.5     TCP
   4   70    4.617024   172.27.17.12    ->  10.12.16.5     TCP
   5   70    4.623020   172.27.17.12    ->  10.12.16.5     TCP

<OUTPUT TRUNCATED>


The show monitor capture <NAME> buffer detailed command only prints a hex dump of each packet, so you'll need Wireshark to analyse the capture properly. Export the buffer as a .pcap file to an external TFTP/FTP server with the monitor capture <NAME> export command.

Make sure the TFTP server IP address is reachable from the router. If you have multiple sub-interfaces in VRFs, use the ip tftp source-interface <INTERFACE> command to pick the source interface for the transfer.

4K(config)#ip tftp source-interface GigabitEthernet0/0/0.41

4K#show monitor capture CAP buffer detailed
 -------------------------------------------------------------
 #   size   timestamp     source             destination   protocol
 -------------------------------------------------------------
   0 1046    0.000000   172.27.17.8     ->  10.12.16.5     TCP
  0000:  682C7BD2 9A205061 BF3D7715 81006191   h,{.. Pa.=w...a.
  0010:  08004560 0404529F 00004006 AD48AC1B   ..E`..R...@..H..
  0020:  B0080A70 1019C71D 13C4EC3E 0B5E5DFB   ...p.......>.^].
  0030:  939C8018 0A510F25 00000101 080A0037   .....Q.%.......7

   1   70    0.569022   172.27.17.8     ->  10.12.16.5     TCP
  0000:  682C7BD2 9A205061 BF3D7715 81006191   h,{.. Pa.=w...a.
  0010:  08004560 003452AF 00004006 B108AC1B   ..E`.4R...@.....
  0020:  B0080A70 1019C71D 13C4EC3E 0F2E5DFB   ...p.......>..].
  0030:  94E58010 0A5185F9 00000101 080A0037   .....Q.........7

   2   70    0.577018   172.27.17.8     ->  10.12.16.5     TCP
  0000:  682C7BD2 9A205061 BF3D7715 81006191   h,{.. Pa.=w...a.
  0010:  08004560 003452B0 00004006 B107AC1B   ..E`.4R...@.....
  0020:  B0080A70 1019C71D 13C4EC3E 0F2E5DFB   ...p.......>..].
  0030:  977C8010 0A518360 00000101 080A0037   .|...Q.`.......7

4K#monitor capture CAP export tftp://172.27.5.3/CAP.pcap
!
Exported Successfully
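As an added example (not from the original post), here is a small Python parser for the buffer detailed listing: it rebuilds each packet from the hex columns, decodes the 802.1Q/IPv4/TCP headers, verifies the IPv4 header checksum, and cross-checks the one-line summary against the bytes, reporting how much of the frame was not printed (in the listing above each packet shows only its first 64 bytes, which is why the pcap export is needed to look at the SIP payload). The sample listing is constructed: locally administered MACs, VLAN 41 and the addresses from the ACL above are assumptions.

```python
import re
import struct
# Constructed sample in the layout "show monitor capture <NAME> buffer detailed" prints: a 70-byte,
# 802.1Q-tagged (VLAN 41) TCP ACK, 172.27.17.8 -> 10.12.16.5 port 5060 (SIP), first 64 bytes shown.
SAMPLE = """\
   1   70    0.569022   172.27.17.8     ->  10.12.16.5     TCP
  0000:  02000000 00020200 00000001 81000029   ...............)
  0010:  08004500 00341234 40004006 515CAC1B   ..E..4.4@.@.Q\\..
  0020:  11080A0C 1005C71D 13C4EC3E 0F2E5DFB   ...........>..].
  0030:  94E58010 0A5185F9 00000101 080A0037   .....Q.........7
"""
HDR = re.compile(r"^\s*(\d+)\s+(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)")  # summary line
HEX = re.compile(r"^\s*([0-9A-F]{4}):\s+((?:[0-9A-F]{8}(?:\s+|$)){1,4})", re.I)  # hex dump line
def parse_detailed(text):  # one record per summary line; the hex lines under it become its bytes
    records = []
    for line in text.splitlines():
        if m := HDR.match(line):
            records.append({"index": int(m[1]), "size": int(m[2]), "ts": float(m[3]),
                            "src": m[4], "dst": m[5], "proto": m[6], "data": b""})
        elif (m := HEX.match(line)) and records and int(m[1], 16) == len(records[-1]["data"]):
            records[-1]["data"] += bytes.fromhex(m[2].replace(" ", ""))  # ASCII column ignored
    return records

def ipv4_checksum_ok(hdr):  # ones-complement sum of the header words (checksum included) is 0xFFFF
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    total = (total & 0xFFFF) + (total >> 16)             # fold the carries back in (twice suffices)
    return (total & 0xFFFF) + (total >> 16) == 0xFFFF

def decode_frame(data):  # Ethernet (optional 802.1Q tag) + IPv4 header + fixed TCP header
    out, off = {"eth_dst": data[0:6].hex(":"), "eth_src": data[6:12].hex(":")}, 12
    if struct.unpack("!H", data[12:14])[0] == 0x8100:   # tagged: TCI, then the real EtherType
        out["vlan"], off = struct.unpack("!H", data[14:16])[0] & 0x0FFF, 16
    out["ethertype"], ip = struct.unpack("!H", data[off:off + 2])[0], data[off + 2:]
    assert out["ethertype"] == 0x0800, "only IPv4 frames are decoded here (ACL was 'permit ip')"
    ihl = (ip[0] & 0x0F) * 4
    _, _, tlen, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    out.update(ip_src=".".join(map(str, s)), ip_dst=".".join(map(str, d)), ttl=ttl,
               ip_proto=proto, ip_len=tlen, ip_checksum_ok=ipv4_checksum_ok(ip[:ihl]))
    if proto == 6 and len(ip) >= ihl + 20:               # whole TCP fixed header is in the dump
        sport, dport, _, _, flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
        out.update(tcp_sport=sport, tcp_dport=dport,      # flag bits 0..7 = F S R P A U E C
                   tcp_flags="".join(f for i, f in enumerate("FSRPAUEC") if flags >> i & 1))
    return out

def check_record(rec):  # does the summary line agree with the bytes, and was the whole frame printed?
    f = decode_frame(rec["data"])
    return {"summary_matches": (rec["src"], rec["dst"]) == (f.get("ip_src"), f.get("ip_dst")),
            "length_matches": (18 if "vlan" in f else 14) + f.get("ip_len", -1) == rec["size"],
            "bytes_missing": rec["size"] - len(rec["data"])}  # > 0: only a prefix was printed
```

For the constructed sample, check_record reports 6 bytes missing (70 on the wire, 64 printed), the same gap you would see for every packet in the listing above.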


Clear and stop the capture, and remove the ACL, once you're finished.

4K#monitor capture CAP clear

4K#monitor capture CAP stop

4K#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
4K(config)#no ip access-list extended CAP-ACL