How to capture traffic on Cisco ISR 4000?

Introduction

In this article we will see how to capture and export network traffic on a Cisco ISR 4331. The instructions apply to any router in the Cisco ISR 4000 series. The exported capture is a pcap file, so it can be opened and analyzed directly in Wireshark.

The ISR 4331 used in this lab is running IOS XE 16.6.4.

Configuration

Step 1. Create a capture buffer

The capture buffer is an area of memory that will store the captured traffic. This is the first thing we have to create. There are two types of buffers:

  • circular – overwrites the old data as soon as it gets full
  • linear – stops capturing traffic as soon as it gets full

The capture buffer in my demo is called MYCAP; it is a circular buffer with a size of 10 MB (the size argument of this command is in megabytes, valid range 1 to 100):

R1#monitor capture MYCAP buffer circular size 10

Step 2 (optional). Define the traffic to be captured

We can use an ACL to define exactly which packets we would like to capture. We create the ACL and attach it to the capture buffer; only packets permitted by the ACL are captured. This step is optional in the sense that you do not have to filter on an ACL, but on IOS XE the capture will not start until some core filter is present. If you want to capture everything, attach the filter `monitor capture MYCAP match any` instead of an ACL.

I have created the access list MYCAP-ACL to match all SIP signalling (UDP destination port 5060). The ACL is created in configuration mode:

R1(config)#ip access-list extended MYCAP-ACL
R1(config-ext-nacl)#permit udp any any eq 5060

Now let’s associate the ACL with the capture buffer:

R1#monitor capture MYCAP access-list MYCAP-ACL

Step 3. Specify the interface for traffic capture

Let’s define the interface on which we would like to capture the traffic. We can also define the traffic direction on that interface: in, out or both. I’m going to capture both incoming and outgoing traffic on the subinterface GigabitEthernet 0/0/0.3338:

R1#monitor capture MYCAP interface GigabitEthernet 0/0/0.3338 both

Step 4. Verify the capture buffer

It’s important to note that the capture buffer configuration is not stored in the running-config (and is lost on reload), so we need to use the dedicated show commands to verify the configuration.

Let’s have a look at our capture buffer configuration. The command is:

R1#show monitor capture MYCAP

Step 5. Start and Stop capture

Now, that the capture buffer is configured, we can start and stop the capture process. Below are the commands:

R1#monitor capture MYCAP start
R1#monitor capture MYCAP stop

Run the first (start) command, wait for the traffic you are interested in to pass, then run the second (stop) command. All captured packets are held in the router’s RAM, so a linear buffer simply stops capturing when it is full, while a circular buffer overwrites its oldest packets.

Step 6. View the captured data

Now it’s time to view the captured data. One of the possible commands to view the captured data is:

R1#show monitor capture MYCAP buffer brief

This command gives you a one-line summary of each captured packet.

Another option is to use the dump keyword instead of brief, which prints the raw packet contents; the detailed keyword prints a decoded view of each packet.

Step 7. Export the captured data

It is possible to export the captured data to a local file on the router or to a remote host over TFTP. Exporting the capture to a remote host lets you analyze it in Wireshark. Keep in mind that TFTP is unauthenticated and carries the file in cleartext, and a capture such as this one may contain call signalling and other sensitive data, so export over a management network you trust (or to local storage) and remove the file from the router once you have copied it off.

If you don’t already run a TFTP server, any small TFTP server will do.

Make sure you have a TFTP server running on your computer and run the export command:

R1#monitor capture MYCAP export tftp://172.16.121.53/MYCAP.pcap

Make sure you use the correct IP address of the computer on which the TFTP server is running (in my case it’s 172.16.121.53).
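Once MYCAP.pcap has arrived on the TFTP host it is worth sanity-checking it before opening it in Wireshark: that the file really is a classic pcap, that it was not truncated in transit, and that the capture filter from Step 2 actually did its job. The following script is an added example and is not part of the original article or of Cisco’s tooling. It parses the pcap global header (magic number, byte order, link type) and each record header, rejects truncated files, and checks every frame against the equivalent of `permit udp any any eq 5060`. The two sample frames are constructed inline so the script runs offline; the ACL name and the address 10.0.0.x values are assumptions for the demo, and a real run would read the exported file instead.

```python
import struct
import sys
from collections import Counter

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # classic pcap, nanosecond timestamps
LINKTYPE_ETHERNET = 1          # what an EPC export on an Ethernet interface uses


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame for the demo (checksums left at zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + udp


def build_pcap(frames, endian="<"):
    """Constructed pcap file: 24-byte global header plus one 16-byte header per record."""
    data = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        data += struct.pack(endian + "IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return data


def parse_pcap(data):
    """Return a list of (ts_sec, frame_bytes); raise ValueError on a malformed file."""
    if len(data) < 24:
        raise ValueError("file shorter than the pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"                       # written little-endian
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"                       # same magics seen through the wrong byte order
    else:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x}); pcapng is not handled")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}, expected Ethernet (1)")
    frames, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off} (record claims {incl_len} bytes)")
        frames.append((ts_sec, data[off:off + incl_len]))
        off += incl_len
    return frames


def matches_acl(frame):
    """Emulate 'permit udp any any eq 5060': IPv4, protocol 17, destination port 5060."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl + 8 or frame[14 + 9] != 17:  # IP protocol field at offset 9
        return False
    dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return dport == 5060


def audit_capture(data):
    """Return (total, matching ACL, not matching ACL) for an exported capture."""
    frames = parse_pcap(data)
    counts = Counter("sip" if matches_acl(f) else "other" for _, f in frames)
    return len(frames), counts["sip"], counts["other"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:      # e.g. the exported MYCAP.pcap
            data = fh.read()
    else:
        # Constructed input: one frame the ACL permits, one it should have excluded.
        sip = build_frame("10.0.0.1", "10.0.0.2", 5060, 5060, b"INVITE sip:bob@example.com SIP/2.0\r\n")
        dns = build_frame("10.0.0.1", "10.0.0.2", 40000, 53, b"\x00" * 12)
        data = build_pcap([sip, dns])
    total, matched, leaked = audit_capture(data)
    print(f"{total} packets, {matched} match MYCAP-ACL, {leaked} do not")
```

A non-zero third number means the capture point was running without the ACL attached (for instance after a reload, since the capture configuration is not saved), so the file holds more than you filtered for. The byte-order handling matters because Wireshark accepts both variants silently, while a hand-written parser that assumes one of them will misread every length field.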

Step 8. Clear the buffer

As I have mentioned, all captured packets are stored in RAM of the router. The following command will clear the buffer:

R1#monitor capture MYCAP clear

You can confirm the buffer is empty afterwards with show monitor capture MYCAP buffer brief, which no longer lists any packets.

Conclusion

Now you should be able to configure capture buffers to filter and export any traffic you need. Thank you for reading.
