How to capture traffic on Cisco ISR 4000 ?
In this article we will see how we can capture and export network traffic on a Cisco ISR 4331. The provided instructions are applicable to any Cisco ISR 4000 series router. The exported traffic has a pcap file format and therefore can be easily opened and analyzed in Wireshark.
The ISR 4331 used in this lab is running IOS XE 16.6.4.
Step 1. Create a capture buffer
The capture buffer is an area of memory that will store the captured traffic. This is the first thing we have to create. There are two types of buffers:
- circular – overwrites the old data as soon as it gets full
- linear – stops capturing traffic as soon as it gets full
The capture buffer in my demo is called MYCAP, which is a circular buffer and has a size of 10 KBytes:
R1#monitor capture MYCAP buffer circular size 10
Step 2 (optional). Define the traffic to be captured
We can use ACLs to define which packets exactly we would like to capture. We create an ACL and attach it to our capture buffer. The packets permitted by ACL will be captured. This step is optional, therefore you might want not to use any ACLs, which will make the monitor capture all the packets.
I have created the access list called MYCAP-ACL to match all SIP (port UDP 5060) traffic.
ip access-list extended MYCAP-ACL permit udp any any eq 5060
Now let’s associate the ACL with the capture buffer:
R1#monitor capture MYCAP access-list MYCAP-ACL
Step 3. Specify the interface for traffic capture
Let’s define on which interface we would like to capture the traffic. We can also define the traffic direction on that interface : in , out or both. I’m going to capture both incoming and outgoing traffic on interface GE 0/0/0:
R1#monitor capture MYCAP interface GigabitEthernet 0/0/0.3338 both
Step 4. Verify the capture buffer
It’s important to note that the capture buffer configuration is not stored in the running-config, therefore we need to use the special show commands to verify the configuration.
Let’s have a look at our capture buffer configuration. The command is:
R1#show monitor capture MYCAP
Step 5. Start and Stop capture
Now, that the capture buffer is configured, we can start and stop the capture process. Below are the commands:
R1#monitor capture MYCAP start R1#monitor capture MYCAP stop
Run the first(start) command, then wait for the traffic to get captured and then run the second (stop) command. All captured packets are stored in RAM of the router.
Step 6. View the captured data
Now it’s time to view the captured data. One of the possible commands to view the captured data is:
R1#show monitor capture MYCAP buffer brief
This command gives you an overview of the captured packets:
Another option is to use dump keyword instead of brief, which prints the packet contents.
Step 7. Export the captured data
It is possible to export the captured data to a local file on a router or a remote location via TFTP protocol. Exporting the captured traffic to a remote location will allow you to use Wireshark to analyze the files.
If you don’t have one, you can download a tiny and easy to use TFTP server here.
Make sure you have a TFTP server running on your computer and run the export command:
R1#monitor capture MYCAP export tftp://172.16.121.53/MYCAP.pcap
Make sure you use the correct IP address of your computer on which you run TFTP server(in my case it’s 172.16.121.53).
Step 8. Clear the buffer
As I have mentioned, all captured packets are stored in RAM of the router. The following command will clear the buffer:
R1#monitor capture MYCAP clear
As you can see, the buffer is empty after the clear command.
Now you should be able to configure capture buffers to filter and export any traffic you need. Thank you for reading.