1.3.c [ii] Using IOS embedded packet capture
When IOS EPC is enabled, the router captures the packets sent and received. The packets are stored within a buffer in DRAM and are thus not persistent through a reload or reboot. Once the data is captured, it can be examined in a summary or detailed view on the router. In addition, the data can be exported as a packet capture (PCAP) file to allow for further examination.
Basic EPC Configuration:
Define a ‘capture buffer’, a temporary buffer in which the captured packets are stored. Several options can be selected when the buffer is defined, such as size, maximum packet size, and circular or linear operation:
monitor capture buffer BUF size 2048 max-size 1518 linear
A filter can also be applied to limit the capture to desired traffic. Define an Access Control List (ACL) within config mode and apply the filter to the buffer:
ip access-list extended BUF-FILTER
permit ip host 192.168.1.1 host 172.16.1.1
permit ip host 172.16.1.1 host 192.168.1.1
monitor capture buffer BUF filter access-list BUF-FILTER
Define a ‘capture point’, which specifies the location where the capture occurs. The capture point also specifies whether the capture is for IPv4 or IPv6 and in which switching path (process versus CEF):
monitor capture point ip cef POINT fastEthernet 0 both
Attach the buffer to the capture point:
monitor capture point associate POINT BUF
Start the capture:
monitor capture point start POINT
The capture is now active and collects data according to the configuration.
Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1431-1432). Kindle Edition.
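Added example (not from the cited book): once the buffer has been exported as a PCAP file, a short script can confirm that every record falls within BUF-FILTER's two host pairs and that no frame exceeded the capture limit. It assumes the export is a classic pcap file with Ethernet link type; audit_pcap, _frame and build_sample are hypothetical names, and the sample capture is constructed inline.

```python
import ipaddress
import struct

# Host pair permitted in both directions by the page's BUF-FILTER ACL.
FILTER_HOSTS = {ipaddress.ip_address("192.168.1.1"),
                ipaddress.ip_address("172.16.1.1")}

def audit_pcap(data: bytes) -> dict:
    """Count records that match BUF-FILTER, fall outside it, or are truncated."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    stats = {"matched": 0, "unexpected": 0, "truncated": 0, "non_ipv4": 0}
    off = 24
    while off + 16 <= len(data):
        caplen, origlen = struct.unpack(order + "II", data[off + 8:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if caplen < origlen:          # packet was longer than the capture limit
            stats["truncated"] += 1
        # Need Ethernet (14 bytes) plus a minimal IPv4 header (20 bytes).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            stats["non_ipv4"] += 1
            continue
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        key = "matched" if {src, dst} == FILTER_HOSTS else "unexpected"
        stats[key] += 1
    return stats

def _frame(src: str, dst: str) -> bytes:
    """Constructed Ethernet + IPv4 header (zero MACs, zero checksum)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_sample() -> bytes:
    """Constructed little-endian pcap: snaplen 1518, Ethernet, four records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1518, 1)
    records = [(_frame("192.168.1.1", "172.16.1.1"), 34),
               (_frame("172.16.1.1", "192.168.1.1"), 34),
               (_frame("10.0.0.5", "172.16.1.1"), 34),       # outside the ACL
               (_frame("192.168.1.1", "172.16.1.1"), 9000)]  # truncated
    for frame, origlen in records:
        out += struct.pack("<IIII", 0, 0, len(frame), origlen) + frame
    return out
```

A non-zero "unexpected" count means the filter was not attached to the buffer when the capture ran; a non-zero "truncated" count means frames were larger than the buffer's max-size.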