EPC: an Embedded Packet Capture

Introduced in IOS 12.4(20)T, Embedded Packet Capture (EPC) is a powerful feature for capturing data packets flowing through, to, and from a Cisco router. In contrast with the SPAN feature, EPC can save the dump directly on the NVRAM. This makes it useful whenever a network protocol analyzer would help in debugging a problem but installing such a device is not practical.

The features are:

  • The ability to capture IPv4 and IPv6 packets in the Cisco Express Forwarding path
  • A flexible method for specifying the capture buffer size and type
  • EXEC-level commands to start and stop the capture
  • Show commands to display packet contents on the device
  • Facility to export the packet capture in PCAP format, suitable for analysis using an external tool such as Wireshark
  • Extensible infrastructure for enabling packet capture points

The Cisco IOS Embedded Packet Capture is a software feature consisting of infrastructure that allows packet data to be captured at various points in the packet-processing path. The network administrator may define the capture buffer size and type (circular or linear) and the maximum number of bytes of each packet to capture. The packet capture rate can be throttled using further administrative controls. For example, options allow for filtering the packets to be captured using an Access Control List (ACL) and, optionally, further defined by specifying a maximum packet capture rate or by specifying a sampling interval.

Packet data may be displayed in hex and ASCII on the CLI, or may be exported using typical file transfer methods as a PCAP-formatted file that may be further analyzed using the open-source tool Wireshark.

Basic steps:

  1. Define a capture buffer
  2. Define a capture point
  3. Associate the buffer with the capture point
  4. Export the dump in .pcap format or analyze the raw packets on the router

Example

In this example, I display the raw packets using the “show monitor capture buffer” command, then I save a .pcap dump file of 100Kb to a TFTP server and check it with Wireshark:

1. Define a capture buffer (in this case, the max file size: 100Kb):

Ciscozine#monitor capture buffer buffer-test size 100

2. Define a capture point (in this example, all interfaces will be analyzed in both directions)

Ciscozine#monitor capture point ip cef capture-test all both
Ciscozine#
Ciscozine#
Ciscozine#
Ciscozine#
*Jun 21 17:58:17.147: %BUFCAP-6-CREATE: Capture Point capture-test created.
Ciscozine#

3. Associate the buffer with the capture point

Ciscozine#monitor capture point associate capture-test buffer-test

4. Start the capture

Ciscozine#monitor capture point start capture-test
Ciscozine#
Ciscozine#
*Jun 21 17:59:21.423: %BUFCAP-6-ENABLE: Capture Point capture-test enabled.
Ciscozine#

5. Test the capture feature with a ping and a telnet connection

6. Stop the capture

Ciscozine#monitor capture point stop capture-test
Ciscozine#
Ciscozine#
Ciscozine#
*Jun 21 18:00:48.507: %BUFCAP-6-DISABLE: Capture Point capture-test disabled.
Ciscozine#

7. Show the dump with the CLI

Ciscozine#show monitor capture buffer buffer-test dump
17:59:50.271 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56EEFA3A 08004510 01480000 00000F11  Vnz:..E..H......
66BC0090: D7C1C0A8 28FEC0A8 28850043 00440134  WA@((~@((..C.D.4
66BC00A0: F86B0201 06000000 1DBE0000 0000C0A8  xk.......>....@(
66BC00B0: 2885C0A8 2885C0A8 28FE0000 FD        (.@((.@((~..}

17:59:50.271 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56EEFA3A 08004510 01480000 00000F11  Vnz:..E..H......
66BC0090: D7C1C0A8 28FEC0A8 28850043 00440134  WA@((~@((..C.D.4
66BC00A0: F86B0201 06000000 1DBE0000 0000C0A8  xk.......>....@(
66BC00B0: 2885C0A8 2885C0A8 28FE0000 FD        (.@((.@((~..}

18:00:10.667 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   FFFFFFFF FFFF0050          .......P
66BC0080: 56C00008 08004500 00EB051C 00007F11  V@....E..k......
66BC0090: 6395C0A8 2801C0A8 28FF008A 008A00D7  c.@((.@((......W
66BC00A0: EC041102 CD21C0A8 2801008A 00C10000  l...M!@((....A..
66BC00B0: 20454D45 42464146 45455046 FD         EMEBFAFEEPF}

18:00:10.667 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   FFFFFFFF FFFF0050          .......P
66BC0080: 56C00008 08004500 00EB051C 00007F11  V@....E..k......
66BC0090: 6395C0A8 2801C0A8 28FF008A 008A00D7  c.@((.@((......W
66BC00A0: EC041102 CD21C0A8 2801008A 00C10000  l...M!@((....A..
66BC00B0: 20454D45 42464146 45455046 FD         EMEBFAFEEPF}

18:00:10.903 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 05DC051D 20007F01  V@....E..\.. ...
66BC0090: 3F2DC0A8 2801C0A8 28850800 7B720001  ?-@((.@((...{r..
66BC00A0: 00056162 63646566 6768696A 6B6C6D6E  ..abcdefghijklmn
66BC00B0: 6F707172 73747576 77616263 FD        opqrstuvwabc}

18:00:10.903 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 05DC051D 20007F01  V@....E..\.. ...
66BC0090: 3F2DC0A8 2801C0A8 28850800 7B720001  ?-@((.@((...{r..
66BC00A0: 00056162 63646566 6768696A 6B6C6D6E  ..abcdefghijklmn
66BC00B0: 6F707172 73747576 77616263 FD        opqrstuvwabc}

18:00:10.903 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 0224051D 00B97F01  V@....E..$...9..
66BC0090: 622CC0A8 2801C0A8 28856162 63646566  b,@((.@((.abcdef
66BC00A0: 6768696A 6B6C6D6E 6F707172 73747576  ghijklmnopqrstuv
66BC00B0: 77616263 64656667 68696A6B FD        wabcdefghijk}

18:00:10.903 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 0224051D 00B97F01  V@....E..$...9..
66BC0090: 622CC0A8 2801C0A8 28856162 63646566  b,@((.@((.abcdef
66BC00A0: 6768696A 6B6C6D6E 6F707172 73747576  ghijklmnopqrstuv
66BC00B0: 77616263 64656667 68696A6B FD        wabcdefghijk}

18:00:11.891 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 05DC051E 20007F01  V@....E..\.. ...
66BC0090: 3F2CC0A8 2801C0A8 28850800 7B710001  ?,@((.@((...{q..
66BC00A0: 00066162 63646566 6768696A 6B6C6D6E  ..abcdefghijklmn
66BC00B0: 6F707172 73747576 77616263 FD        opqrstuvwabc}

18:00:11.891 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 05DC051E 20007F01  V@....E..\.. ...
66BC0090: 3F2CC0A8 2801C0A8 28850800 7B710001  ?,@((.@((...{q..
66BC00A0: 00066162 63646566 6768696A 6B6C6D6E  ..abcdefghijklmn
66BC00B0: 6F707172 73747576 77616263 FD        opqrstuvwabc}

18:00:11.891 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 0224051E 00B97F01  V@....E..$...9..
66BC0090: 622BC0A8 2801C0A8 28856162 63646566  b+@((.@((.abcdef
66BC00A0: 6768696A 6B6C6D6E 6F707172 73747576  ghijklmnopqrstuv
66BC00B0: 77616263 64656667 68696A6B FD        wabcdefghijk}

18:00:11.891 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 0224051E 00B97F01  V@....E..$...9..
66BC0090: 622BC0A8 2801C0A8 28856162 63646566  b+@((.@((.abcdef
66BC00A0: 6768696A 6B6C6D6E 6F707172 73747576  ghijklmnopqrstuv
66BC00B0: 77616263 64656667 68696A6B FD        wabcdefghijk}

18:00:12.891 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 05DC051F 20007F01  V@....E..\.. ...
66BC0090: 3F2BC0A8 2801C0A8 28850800 7B700001  ?+@((.@((...{p..
66BC00A0: 00076162 63646566 6768696A 6B6C6D6E  ..abcdefghijklmn
66BC00B0: 6F707172 73747576 77616263 FD        opqrstuvwabc}

18:00:12.891 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 05DC051F 20007F01  V@....E..\.. ...
66BC0090: 3F2BC0A8 2801C0A8 28850800 7B700001  ?+@((.@((...{p..
66BC00A0: 00076162 63646566 6768696A 6B6C6D6E  ..abcdefghijklmn
66BC00B0: 6F707172 73747576 77616263 FD        opqrstuvwabc}

18:00:12.891 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 0224051F 00B97F01  V@....E..$...9..
66BC0090: 622AC0A8 2801C0A8 28856162 63646566  b*@((.@((.abcdef
66BC00A0: 6768696A 6B6C6D6E 6F707172 73747576  ghijklmnopqrstuv
66BC00B0: 77616263 64656667 68696A6B FD        wabcdefghijk}

18:00:12.891 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 0224051F 00B97F01  V@....E..$...9..
66BC0090: 622AC0A8 2801C0A8 28856162 63646566  b*@((.@((.abcdef
66BC00A0: 6768696A 6B6C6D6E 6F707172 73747576  ghijklmnopqrstuv
66BC00B0: 77616263 64656667 68696A6B FD        wabcdefghijk}

18:00:13.891 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 05DC0520 20007F01  V@....E..\.  ...
66BC0090: 3F2AC0A8 2801C0A8 28850800 7B6F0001  ?*@((.@((...{o..
66BC00A0: 00086162 63646566 6768696A 6B6C6D6E  ..abcdefghijklmn
66BC00B0: 6F707172 73747576 77616263 FD        opqrstuvwabc}

18:00:13.891 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 05DC0520 20007F01  V@....E..\.  ...
66BC0090: 3F2AC0A8 2801C0A8 28850800 7B6F0001  ?*@((.@((...{o..
66BC00A0: 00086162 63646566 6768696A 6B6C6D6E  ..abcdefghijklmn
66BC00B0: 6F707172 73747576 77616263 FD        opqrstuvwabc}

18:00:13.891 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 02240520 00B97F01  V@....E..$. .9..
66BC0090: 6229C0A8 2801C0A8 28856162 63646566  b)@((.@((.abcdef
66BC00A0: 6768696A 6B6C6D6E 6F707172 73747576  ghijklmnopqrstuv
66BC00B0: 77616263 64656667 68696A6B FD        wabcdefghijk}

18:00:13.891 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 02240520 00B97F01  V@....E..$. .9..
66BC0090: 6229C0A8 2801C0A8 28856162 63646566  b)@((.@((.abcdef
66BC00A0: 6768696A 6B6C6D6E 6F707172 73747576  ghijklmnopqrstuv
66BC00B0: 77616263 64656667 68696A6B FD        wabcdefghijk}

18:00:20.851 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 00340523 40007F06  V@....E..4.#@...
66BC0090: 24CAC0A8 2801C0A8 2885416D 0017A9FD  $J@((.@((.Am..)}
66BC00A0: 101D0000 00008002 2000819A 00000204  ........ .......
66BC00B0: 05B40103 03080101 04026A             .4........j

18:00:20.851 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 00340523 40007F06  V@....E..4.#@...
66BC0090: 24CAC0A8 2801C0A8 2885416D 0017A9FD  $J@((.@((.Am..)}
66BC00A0: 101D0000 00008002 2000819A 00000204  ........ .......
66BC00B0: 05B40103 03080101 04026A             .4........j

18:00:20.895 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 00280524 40007F06  V@....E..(.$@...
66BC0090: 24D5C0A8 2801C0A8 2885416D 0017A9FD  $U@((.@((.Am..)}
66BC00A0: 101E1D48 E7245010 FAF0E2FF 000002    ...Hg$P.zpb....

18:00:20.895 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 00280524 40007F06  V@....E..(.$@...
66BC0090: 24D5C0A8 2801C0A8 2885416D 0017A9FD  $U@((.@((.Am..)}
66BC00A0: 101E1D48 E7245010 FAF0E2FF 000002    ...Hg$P.zpb....

18:00:20.923 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 002B0525 40007F06  V@....E..+.%@...
66BC0090: 24D1C0A8 2801C0A8 2885416D 0017A9FD  $Q@((.@((.Am..)}
66BC00A0: 101E1D48 E7305018 FAE4E1F6 0000FFFD  ...Hg0P.zdav...}
66BC00B0: 01B4                                 .4

18:00:20.923 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 002B0525 40007F06  V@....E..+.%@...
66BC0090: 24D1C0A8 2801C0A8 2885416D 0017A9FD  $Q@((.@((.Am..)}
66BC00A0: 101E1D48 E7305018 FAE4E1F6 0000FFFD  ...Hg0P.zdav...}
66BC00B0: 01B4                                 .4

18:00:20.947 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 003A0526 40007F06  V@....E..:.&@...
66BC0090: 24C1C0A8 2801C0A8 2885416D 0017A9FD  $A@((.@((.Am..)}
66BC00A0: 10211D48 E7555018 FABFC957 0000FFFD  .!.HgUP.z?IW...}
66BC00B0: 03FFFB18 FFFB1FFF FA1F0050 FD        ..{..{..z..P}

18:00:20.947 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 003A0526 40007F06  V@....E..:.&@...
66BC0090: 24C1C0A8 2801C0A8 2885416D 0017A9FD  $A@((.@((.Am..)}
66BC00A0: 10211D48 E7555018 FABFC957 0000FFFD  .!.HgUP.z?IW...}
66BC00B0: 03FFFB18 FFFB1FFF FA1F0050 FD        ..{..{..z..P}

18:00:23.059 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 00280528 40007F06  V@....E..(.(@...
66BC0090: 24D1C0A8 2801C0A8 2885416D 0017A9FD  $Q@((.@((.Am..)}
66BC00A0: 10331D48 E7565010 FABFE2E9 0000FF    .3.HgVP.z?bi...

18:00:23.059 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 00280528 40007F06  V@....E..(.(@...
66BC0090: 24D1C0A8 2801C0A8 2885416D 0017A9FD  $Q@((.@((.Am..)}
66BC00A0: 10331D48 E7565010 FABFE2E9 0000FF    .3.HgVP.z?bi...

18:00:23.059 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 00280529 40007F06  V@....E..(.)@...
66BC0090: 24D0C0A8 2801C0A8 2885416D 0017A9FD  $P@((.@((.Am..)}
66BC00A0: 10331D48 E7565011 FABFE2E8 0000FF    .3.HgVP.z?bh...

18:00:23.063 UTC Jun 21 2011 : IPv4 LES CEF    : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 00280529 40007F06  V@....E..(.)@...
66BC0090: 24D0C0A8 2801C0A8 2885416D 0017A9FD  $P@((.@((.Am..)}
66BC00A0: 10331D48 E7565011 FABFE2E8 0000FF    .3.HgVP.z?bh...

Ciscozine#
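The text printed by the dump command can be decoded offline without exporting a PCAP. The Python below is an added example, not part of the original article or of any Cisco tool; it assumes the record layout shown above (a timestamp / switch path / interface header followed by hex rows) and Ethernet II framing, and its function names are hypothetical.

```python
import re
import socket

# Sample input: two records copied from the dump output shown above.
SAMPLE = """\
17:59:50.271 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56EEFA3A 08004510 01480000 00000F11  Vnz:..E..H......
66BC0090: D7C1C0A8 28FEC0A8 28850043 00440134  WA@((~@((..C.D.4
66BC00A0: F86B0201 06000000 1DBE0000 0000C0A8  xk.......>....@(
66BC00B0: 2885C0A8 2885C0A8 28FE0000 FD        (.@((.@((~..}

18:00:20.851 UTC Jun 21 2011 : IPv4 CEF Turbo  : Fa1/0 None

66BC0070:                   CA0012C8 001C0050          J..H...P
66BC0080: 56C00008 08004500 00340523 40007F06  V@....E..4.#@...
66BC0090: 24CAC0A8 2801C0A8 2885416D 0017A9FD  $J@((.@((.Am..)}
66BC00A0: 101D0000 00008002 2000819A 00000204  ........ .......
66BC00B0: 05B40103 03080101 04026A             .4........j
"""
HEADER = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \S+ \w+ \d+ \d+ : (.+?)\s*: (\S+)")
HEXROW = re.compile(r"^[0-9A-F]{8}:\s+(.*)$")

def parse_dump(text):
    """Split dump text into records: time, switch path, interface, raw bytes."""
    packets = []
    for line in text.splitlines():
        head, row = HEADER.match(line), HEXROW.match(line)
        if head:
            packets.append({"time": head[1], "path": head[2],
                            "intf": head[3], "raw": b""})
        elif row and packets:
            # Hex groups are single-spaced; the ASCII column follows 2+ spaces.
            hex_part = re.split(r"\s{2,}", row[1].strip(), maxsplit=1)[0]
            packets[-1]["raw"] += bytes.fromhex(hex_part.replace(" ", ""))
    return packets

def summarize(raw):
    """Decode Ethernet II + IPv4 and, for TCP/UDP, the port pair."""
    if len(raw) < 34 or raw[12:14] != b"\x08\x00":
        return None  # too short to hold an IPv4 header, or not IPv4
    ihl, proto = (raw[14] & 0x0F) * 4, raw[23]
    info = {"src": socket.inet_ntoa(raw[26:30]), "dst": socket.inet_ntoa(raw[30:34]),
            "proto": proto, "ip_len": int.from_bytes(raw[16:18], "big"),
            "captured": len(raw)}
    l4 = 14 + ihl  # offset of the transport header
    if proto in (6, 17) and len(raw) >= l4 + 4:
        info["sport"] = int.from_bytes(raw[l4:l4 + 2], "big")
        info["dport"] = int.from_bytes(raw[l4 + 2:l4 + 4], "big")
    return info
```

Comparing `captured` with `ip_len` in each summary shows which frames were cut short by the buffer's per-packet size limit.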

8. Export the raw packets to a .pcap file and view it with Wireshark

Ciscozine#monitor capture buffer buffer-test export tftp://192.168.40.1/ciscozine.pcap
!
Ciscozine#

Remember:

To see the buffer parameters use the command “show monitor capture buffer [buffer-name] parameters”

Ciscozine#show monitor capture buffer buffer-test parameters
Capture buffer buffer-test (linear buffer)
Buffer Size : 102400 bytes, Max Element Size : 68 bytes, Packets : 32
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : capture-test, Status : Inactive
Configuration:
monitor capture buffer buffer-test size 100
monitor capture point associate capture-test buffer-test
Ciscozine#

To check the capture parameters, use the command “show monitor capture point [capture-name]”

Ciscozine#show monitor capture point capture-test
Status Information for Capture Point capture-test
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: buffer-test
Status : Inactive

Configuration:
monitor capture point ip cef capture-test all both

Ciscozine#

1 COMMENT

  1. Still not even similar to “monitor traffic int ……” in Juniper, but better than nothing I suppose.
