1.3.c Interpret packet capture

1.3.c [ii] Using IOS embedded packet capture

When IOS EPC is enabled, the router captures the packets sent and received. The packets are stored within a buffer in DRAM and are thus not persistent through a reload or reboot. Once the data is captured, it can be examined in a summary or detailed view on the router. In addition, the data can be exported as a packet capture (PCAP) file to allow for further examination.

Basic EPC Configuration:

Define a ‘capture buffer’, the temporary buffer in which the captured packets are stored. Options such as size, maximum packet size, and circular or linear operation can be selected when the buffer is defined:

monitor capture buffer BUF size 2048 max-size 1518 linear

A filter can also be applied to limit the capture to desired traffic. Define an Access Control List (ACL) within config mode and apply the filter to the buffer:

ip access-list extended BUF-FILTER
 permit ip host 192.168.1.1 host 172.16.1.1
 permit ip host 172.16.1.1 host 192.168.1.1

monitor capture buffer BUF filter access-list BUF-FILTER

Define a ‘capture point’, which defines the location where the capture occurs. The capture point also defines whether the capture occurs for IPv4 or IPv6 and in which switching path (process versus cef):

monitor capture point ip cef POINT fastEthernet 0 both

Attach the buffer to the capture point:

monitor capture point associate POINT BUF

Start the capture:

monitor capture point start POINT

The capture is now active and collects the traffic selected by the configuration above.
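Once the buffer has been exported as a PCAP file, it can be checked offline against the filter that was configured. The following is an added example, not part of the original notes or of Cisco's documentation: it assumes the export is a classic pcap file with an Ethernet link type, and the function names and sample packets are constructed for illustration. It separates records that match the BUF-FILTER host pair from any that do not, and counts records whose stored length is shorter than the length on the wire.

```python
import socket
import struct

# The host pair permitted (in both directions) by BUF-FILTER on this page.
FILTER_PAIR = {"192.168.1.1", "172.16.1.1"}

def parse_pcap(data):
    """Yield (src, dst, ip_proto, captured_len, original_len) per IPv4 record."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # too short for Ethernet + IPv4 header, or not IPv4
        ip = frame[14:34]
        yield (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[9], incl, orig)

def summarize(data):
    """Return (matched, unexpected, truncated_count) for a capture."""
    matched, unexpected, truncated = [], [], 0
    for src, dst, proto, incl, orig in parse_pcap(data):
        truncated += incl < orig  # capture kept fewer bytes than were on the wire
        (matched if {src, dst} == FILTER_PAIR else unexpected).append((src, dst, proto))
    return matched, unexpected, truncated

def _frame(src, dst, proto, length):
    """Constructed Ethernet + IPv4 frame, zero-padded to `length` bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length - 14, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return (b"\x00" * 12 + b"\x08\x00" + ip).ljust(length, b"\x00")

def build_sample():
    """Constructed little-endian pcap: snaplen 1518, three records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1518, 1)
    records = [(_frame("192.168.1.1", "172.16.1.1", 1, 98), 98),
               (_frame("172.16.1.1", "192.168.1.1", 1, 1518), 1600),
               (_frame("10.0.0.5", "172.16.1.1", 6, 60), 60)]
    for frame, orig in records:
        out += struct.pack("<IIII", 0, 0, len(frame), orig) + frame
    return out

if __name__ == "__main__":
    print(summarize(build_sample()))
```

A non-empty second list means the file holds traffic outside the host pair, which suggests the filter was not attached to the buffer when the capture ran.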

Further Reading: http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1431-1432). Kindle Edition.