Tag Archives: 1.3c

1.3.c Interpret packet capture

1.3.c [ii] Using IOS embedded packet capture

When IOS EPC is enabled, the router captures the packets sent and received. The packets are stored within a buffer in DRAM and are thus not persistent through a reload or reboot. Once the data is captured, it can be examined in a summary or detailed view on the router. In addition, the data can be exported as a packet capture (PCAP) file to allow for further examination.

Basic EPC Configuration:

Define a ‘capture buffer’, which is a temporary buffer that the captured packets are stored within. There are various options that can be selected when the buffer is defined, such as size, maximum packet size, and circular/linear:

monitor capture buffer BUF size 2048 max-size 1518 linear

A filter can also be applied to limit the capture to desired traffic. Define an Access Control List (ACL) within config mode and apply the filter to the buffer:

ip access-list extended BUF-FILTER

permit ip host 192.168.1.1 host 172.16.1.1

permit ip host 172.16.1.1 host 192.168.1.1

monitor capture buffer BUF filter access-list BUF-FILTER

Define a ‘capture point’, which defines the location where the capture occurs. The capture point also defines whether the capture occurs for IPv4 or IPv6 and in which switching path (process versus CEF):

monitor capture point ip cef POINT fastEthernet 0 both

Attach the buffer to the capture point:

monitor capture point associate POINT BUF

Start the capture:

monitor capture point start POINT

The capture is now active and collects the traffic that matches the configured filter.

Further reading: http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1431-1432). Kindle Edition.

1.3.c Interpret packet capture

1.3.c [i] Using Wireshark trace analyzer

Beginning with Cisco IOS Release XE 3.3.0SG, the Catalyst 4500 series switch supports Wireshark, a packet analyzer program, also known as Ethereal, which supports multiple protocols and presents information in a text-based user interface. The key concepts around IOS XE based Wireshark are:

● Capture points (a capture point is the central policy definition of the Wireshark feature)

● Attachment points (an attachment point is an interface together with a traffic direction)

● Filters (filters are attributes of a capture point that identify and limit the subset of traffic traveling through the attachment point of a capture point, which is copied and passed to Wireshark)

● Actions

● Storing captured packets to memory buffers

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/15-1/XE_330SG/configuration/guide/config/wireshrk.html

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 1395-1407). Kindle Edition.

1.1.d IPv4 and IPv6 fragmentation, plus wireshark

1.3.c [i] Using Wireshark trace analyzer

with the df-bit set, packets larger than the mtu will be dropped by the receiver…

(using extended ping commands, without walking through the prompts)

R2#ping 172.16.1.1 df-bit

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/37/64 ms

of course the packets get through…

R2#ping 172.16.1.1 size 1501 df-bit

Type escape sequence to abort.
Sending 5, 1501-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
.....
Success rate is 0 percent (0/5)

that ping failed because the df-bit was set, which prevents fragmentation of the oversized packet

if we don’t set the df-bit and ship packets larger than the mtu:

R2#ping 172.16.1.1 siz 1600

Type escape sequence to abort.
Sending 5, 1600-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/55/92 ms

we have success, but the packets are fragmented and the mf-bit is set automatically, as below

[image: mfcap]

a note about display filters… look closely at the filter… it’s hierarchical… if you understand the protocol you’re examining it makes perfect sense.

ip.flags.mf==1

the mf bit of the flags field in the ip header is equal to 1…

even easier is to simply right-click on the field you’re interested in and apply it as a filter… it populates the filter field, and you just make adjustments as needed…

1.3.c Interpret packet capture

1.3.c [i] Using Wireshark trace analyzer

turn on wireshark and set up a packet capture to filter telnet traffic from one device to another…

note frame 23 was the password request from r2…

[image: telnetcap01]

the password is plain text to illustrate the next point…

note frame 31 below: it begins the payload transfer of the password cisco with a c:

[image: telnetcap02]

frame 33 has the i, and so on…

[image: telnetcap03]

another way of accomplishing this is to follow the stream

using Analyze > Follow TCP Stream in the drop-down menu…

[image: telnetcap04]

looking back at the capture window we note the new filter that includes the entire stream, with the tcp acks…

[image: telnetcap05]
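The two posts above (the DF/MF fragmentation pings and the telnet "follow stream" walk-through) both come down to reading IPv4 and TCP headers out of a capture. The block below is an added example, not code from the posts or from Cisco: it builds a handful of constructed Ethernet/IPv4 frames in memory (addresses, ports and sequence numbers are made up), evaluates the same conditions as the Wireshark display filters ip.flags.df and ip.flags.mf, and reassembles a Telnet session per direction the way Analyze > Follow TCP Stream does, so you can see exactly why a cleartext password is recoverable from the trace. The helper names (build_ipv4_frame, display_filter, follow_tcp_stream) are my own.

```python
"""Added example (not the page's own code): parse IPv4/TCP headers from
constructed frames, mimic Wireshark's ip.flags.* display filters, and
follow a Telnet TCP stream. All sample data is constructed inline."""
import struct

ETH_HDR_LEN = 14
IP_PROTO_ICMP, IP_PROTO_TCP = 1, 6


def build_ipv4_frame(src, dst, proto, payload, df=False, mf=False, frag_off=0, ident=1):
    """Construct an Ethernet + IPv4 frame (constructed test data; checksum left 0)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (frag_off & 0x1FFF)  # frag_off in 8-byte units
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                     64, proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload


def build_tcp_segment(sport, dport, seq, data):
    """Minimal 20-byte TCP header (PSH|ACK, no options) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + data


def parse_frame(frame):
    """Return the fields Wireshark shows under ip.flags plus the L4 payload, or None if not IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[ETH_HDR_LEN:]
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "proto": proto, "id": ident,
        "df": bool(flags_frag & 0x4000),          # ip.flags.df
        "mf": bool(flags_frag & 0x2000),          # ip.flags.mf
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # ip.frag_offset, in bytes
        "payload": ip[ihl:total_len],
    }


def display_filter(frames, **conditions):
    """Keep frames whose parsed fields match every condition, e.g. display_filter(frames, mf=True)
    is the equivalent of the Wireshark filter ip.flags.mf==1."""
    out = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and all(parsed.get(k) == v for k, v in conditions.items()):
            out.append(parsed)
    return out


def follow_tcp_stream(frames, port=23):
    """Concatenate TCP payload per direction, ordered by sequence number,
    like Analyze > Follow TCP Stream. Returns {(src, sport, dst, dport): bytes}."""
    streams = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if not parsed or parsed["proto"] != IP_PROTO_TCP:
            continue
        sport, dport, seq, _, off_flags = struct.unpack("!HHIIB", parsed["payload"][:13])
        if port not in (sport, dport):
            continue
        data_off = (off_flags >> 4) * 4
        key = (parsed["src"], sport, parsed["dst"], dport)
        streams.setdefault(key, []).append((seq, parsed["payload"][data_off:]))
    return {k: b"".join(data for _, data in sorted(v)) for k, v in streams.items()}


# Constructed frames mirroring the pings above: a 100-byte echo with DF set, and a
# 1600-byte echo that a 1500-byte MTU splits into two fragments (MF set on the first).
R2, R1 = "172.16.1.2", "172.16.1.1"
PING_FRAMES = [
    build_ipv4_frame(R2, R1, IP_PROTO_ICMP, b"\x08\x00" + b"\x00" * 98, df=True, ident=1),
    build_ipv4_frame(R2, R1, IP_PROTO_ICMP, b"\x08\x00" + b"\x00" * 1478, mf=True, frag_off=0, ident=2),
    build_ipv4_frame(R2, R1, IP_PROTO_ICMP, b"\x00" * 100, frag_off=185, ident=2),  # 185 * 8 = 1480
]

# Constructed Telnet exchange: the server's password prompt, then the client sending
# the password one keystroke per segment, as the frames in the capture above do.
CLIENT, SERVER = "192.168.1.1", "172.16.1.1"
TELNET_FRAMES = [build_ipv4_frame(SERVER, CLIENT, IP_PROTO_TCP,
                                  build_tcp_segment(23, 40000, 1000, b"Password: "), df=True)]
for i, ch in enumerate(b"cisco\r\n"):
    TELNET_FRAMES.append(build_ipv4_frame(CLIENT, SERVER, IP_PROTO_TCP,
                                          build_tcp_segment(40000, 23, 500 + i, bytes([ch])), df=True))

if __name__ == "__main__":
    print("ip.flags.mf==1 ->", [(p["id"], p["frag_offset"]) for p in display_filter(PING_FRAMES, mf=True)])
    for key, data in follow_tcp_stream(TELNET_FRAMES).items():
        print(key, data)
```

The same logic runs unchanged over an EPC buffer exported as PCAP once you strip the pcap record headers; the point for a defender is that the keystroke-per-segment pattern and the reassembled stream make any Telnet session a cleartext credential exposure, which is what to detect and eliminate rather than tune.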