28 August, 2014

Interpret Packet Captures

When troubleshooting packet loss at a remote location where a sniffer trace isn't available, it's hard to isolate the problem to the LAN or the WAN. Cisco IOS 12.4(20)T introduced an embedded packet capture feature that helps here. Captures can be filtered by interface name, direction, ACL, and even by whether the packet is punted to process level.

! Create Buffer 
R1#monitor capture buffer MYBUFFER circular 

! Configure Interface for Capture
R1#monitor capture point ip cef MYCAP fastEthernet 0/0 both 
*Aug 28 22:49:13.135: %BUFCAP-6-CREATE: Capture Point MYCAP created.

! Configure Associate 
R1#monitor capture point associate MYCAP MYBUFFER

! Start Capture 
R1#monitor capture point start MYCAP 
*Aug 28 22:50:19.767: %BUFCAP-6-ENABLE: Capture Point MYCAP enabled.

! Stop Capture 
R1#monitor capture point stop MYCAP 
*Aug 28 22:52:03.479: %BUFCAP-6-DISABLE: Capture Point MYCAP disabled.

! Generate test traffic to check the configuration
R1#ping 10.10.10.2 repeat 10

! Verify Captured Packets
R1#show monitor capture buffer all parameters 
Capture buffer MYBUFFER (circular buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 20           (10 in, 10 out ICMP Packets)
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : MYCAP, Status : Inactive
Configuration:
monitor capture buffer MYBUFFER circular 
monitor capture point associate MYCAP MYBUFFER

R1#show monitor capture buffer MYBUFFER dump 
22:52:24.743 UTC Aug 28 2014 : IPv4 CEF Turbo  : Fa0/0 None
66910D80:          CA030A54 0008CA04 0A540008      J..T..J..T..
66910D90: 08004500 00640000 0000FE01 94820A0A  ..E..d....~.....
66910DA0: 0A020A0A 0A010000 B9CA0000 00000000  ........9J......
66910DB0: 00000007 CC78ABCD ABCDABCD ABCDABCD  ....Lx+M+M+M+M+M
66910DC0: ABCDABCD ABCDABCD 00                 +M+M+M+M.       
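Added example, not part of the original post: a small Python helper that re-assembles the hex columns of the dump above into raw bytes, decodes the Ethernet, IPv4 and ICMP headers, verifies the IP header checksum against the 0x9482 shown in the dump, and reports that the 68-byte Max Element Size truncated the 100-byte datagram, which is worth knowing before the exported buffer is analysed. The DUMP text is copied from the page's own dump output; the function names are mine.

```python
import re
import struct

# Hex dump copied from the "show monitor capture buffer MYBUFFER dump" output above.
DUMP = """\
22:52:24.743 UTC Aug 28 2014 : IPv4 CEF Turbo  : Fa0/0 None
66910D80:          CA030A54 0008CA04 0A540008      J..T..J..T..
66910D90: 08004500 00640000 0000FE01 94820A0A  ..E..d....~.....
66910DA0: 0A020A0A 0A010000 B9CA0000 00000000  ........9J......
66910DB0: 00000007 CC78ABCD ABCDABCD ABCDABCD  ....Lx+M+M+M+M+M
66910DC0: ABCDABCD ABCDABCD 00                 +M+M+M+M.
"""

def parse_dump(text):
    """Re-assemble the hex columns of one dumped packet into raw bytes."""
    data = bytearray()
    for line in text.splitlines():
        m = re.match(r"^[0-9A-F]{8}:(.*)$", line)
        if not m:
            continue  # timestamp / capture-point header line carries no hex
        # hex words are single-space separated; the ASCII column follows 2+ spaces
        hexpart = re.split(r"\s{2,}", m.group(1).strip())[0]
        data += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(data)

def ip_checksum(header):
    """RFC 1071 one's-complement sum over a header whose checksum field is zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode(pkt):
    """Decode Ethernet/IPv4/ICMP headers, verify the IP checksum, flag element-size truncation."""
    dst, src, etype = pkt[:6], pkt[6:12], struct.unpack("!H", pkt[12:14])[0]
    if etype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % etype)
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, cksum = struct.unpack("!HH", ip[2:4] + ip[10:12])
    info = {
        "src_mac": src.hex(":"), "dst_mac": dst.hex(":"),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "ttl": ip[8], "proto": ip[9],
        "checksum_ok": ip_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == cksum,
        "ip_total_len": total_len, "captured_ip_bytes": len(ip), "truncated": len(ip) < total_len,
    }
    if ip[9] == 1:  # ICMP: type 0 / code 0 is the echo reply to the ping above
        info["icmp_type"], info["icmp_code"] = ip[ihl], ip[ihl + 1]
    return info
```

Running `decode(parse_dump(DUMP))` shows the reply from 10.10.10.2 to 10.10.10.1 with a valid checksum and only 55 of the 100 IP bytes captured, so payload-level analysis needs a larger element size.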

! Export the buffer as a CAP file
R1#monitor capture buffer MYBUFFER export tftp://192.168.1.132/buffer.cap

! Note: the exported file can then be opened in Wireshark.

! You can filter with an access-list
R1(config)#access-list 100 permit icmp host 2.2.2.2 any
R1#monitor capture buffer MYBUFFER filter access-list 100

R1#show monitor capture buffer MYBUFFER parameters
Capture buffer MYBUFFER (circular buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 4
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : MYCAP, Status : Active
Configuration:
monitor capture buffer MYBUFFER circular
monitor capture point associate MYCAP MYBUFFER

monitor capture buffer MYBUFFER filter access-list 100