What is Cisco Embedded Packet Capture (EPC)?
Embedded Packet Capture (EPC) is an embedded system management tool used for tracking and troubleshooting network packets. This tool helps network administrators capture packets entering and leaving Cisco devices.
EPC can be used with Access Control Lists (ACLs) to filter specific packets based on predefined rules. The captured packets are stored in the device's DRAM buffer, meaning they are not permanently saved. If packet data needs to be preserved, it can be exported as a PCAP file for analysis using tools like Wireshark.
Supported Software Versions
Before using EPC, ensure that your device runs a supported software version:
- Cisco IOS Release 12.4(20)T or later
- Cisco IOS XE Release 15.2(4)S – 3.7.0 or later
How to Capture Packets with EPC
Pre-capture Preparation
- Check available disk space:
dir
- Monitor CPU load:
show process cpu
Packet Capture Configuration Steps
Basic EPC Configuration
Create a packet capture session with filtering rules, buffer size, capture interface, rate limits, and duration:
monitor capture test access-list capture buffer size 20 interface gi1/0/1 in limit pps 10000 duration 300
Specify the file storage location for captured packets:
monitor capture test file location flash:test.pcap
Verify the current capture settings:
show monitor capture test
Start and stop packet capture:
monitor capture test start
monitor capture test stop
Understanding EPC Parameters
Core Command Structure
monitor capture <capture-name> [parameters] [filters] [limits]
Key Parameters
- access-list
  Specifies a predefined ACL for filtering packets. The ACL must be configured beforehand.
  Example: access-list capture
  Recommendation: Create a dedicated ACL for packet capture, specifying protocol types, IP addresses, and port numbers.
- buffer size
  Sets the buffer size for captured packets (in MB).
  Example: buffer size 20
  Note:
  - A buffer that is too small may result in packet loss.
  - A large buffer consumes more device memory.
- interface
  Specifies the capture interface and traffic direction.
  Example: interface gi1/0/1 in
  in → Captures incoming traffic
  out → Captures outgoing traffic
  both → Captures bidirectional traffic (device-dependent)
- limit pps/bps
  Defines capture rate limits:
  pps 10000 → Limits capture to 10,000 packets per second
  bps 100M → Limits capture bandwidth to 100 Mbps (supports K/M/G units)
  Note: Prevents excessive resource consumption in high-traffic environments.
- duration
  Specifies the capture duration (in seconds).
  Example: duration 300
  Captures packets for 5 minutes and then automatically stops.
- file location
  Defines the save location for the captured packets:
  flash:test.pcap → Saves to device flash memory
  bootflash: or usbflash: → Saves to an external storage device
  Note: Ensure the destination storage has sufficient free space.
Additional Useful Parameters
- circular-buffer
  Enables circular buffer mode, overwriting old packets when full.
  Example: buffer circular size 50
- match
  Defines inline filtering without ACLs.
  Example: match ipv4 protocol tcp any any
- stop-after
  Stops capturing after a specified number of packets.
  Example: stop-after 1000
  Captures 1,000 packets and then stops automatically.
Best Practices for Configuration
- In production environments, use limit and duration to prevent excessive resource usage.
- Use external storage (USB) to avoid consuming system flash memory.
- For debugging, no-limit can be used with caution to remove rate limits.
- Check memory usage to adjust buffer size accordingly:
show memory statistics
How to View Captured Packets
Viewing Directly on the Switch
# Display packet capture summary
show monitor capture test buffer brief
# Display detailed packet analysis (first 50 packets)
show monitor capture test buffer detailed limit 50
# View raw hexadecimal output (for debugging)
show monitor capture test buffer dump
Viewing Capture Statistics
# Check capture session status
show monitor capture test status
# View packet count
show monitor capture test packet-number
Downloading Capture Files for Analysis
File Transfer Methods
1. FTP/TFTP Transfer (Basic Method)
# Upload to an FTP server
copy flash:test.pcap ftp://username:password@10.1.1.100/path/
# TFTP transfer example
copy flash:test.pcap tftp://10.1.1.100/
2. SCP Transfer (Secure Method)
# Requires SSH server configuration
copy flash:test.pcap scp://user@serverip:/path/
3. HTTP Download (Supported on NX-OS)
# Enable HTTP service
feature http
# Access via browser
https://switch-ip/files/test.pcap
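Added example (not from the original article or from Cisco): an interrupted copy leaves a file that ends mid-packet, so this Python check walks the downloaded file record by record and reports the packet count and whether the file is truncated, for comparison with the counts shown on the device. It assumes the export is classic pcap rather than pcapng; check_pcap and constructed_sample are names made up for this example.

```python
import struct

# First four bytes read as little-endian -> (byte order, timestamp units per second)
MAGICS = {
    0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),   # microsecond pcap
    0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9),   # nanosecond pcap
}

def check_pcap(data: bytes) -> dict:
    """Walk every record of a classic pcap image and report what survived the copy."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError(f"not classic pcap (magic {magic:#010x})")
    endian, ts_div = MAGICS[magic]
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    offset, packets, clipped, truncated = 24, 0, 0, False
    first_ts = last_ts = None
    while offset < len(data):
        header = data[offset:offset + 16]
        if len(header) < 16:
            truncated = True          # file ends inside a record header
            break
        sec, frac, incl_len, orig_len = struct.unpack(endian + "IIII", header)
        if offset + 16 + incl_len > len(data):
            truncated = True          # file ends inside packet data
            break
        last_ts = sec + frac / ts_div
        first_ts = last_ts if first_ts is None else first_ts
        packets += 1
        clipped += incl_len < orig_len   # packet was cut at the snap length
        offset += 16 + incl_len
    span = (last_ts - first_ts) if packets else 0.0
    return {"packets": packets, "truncated": truncated, "clipped": clipped,
            "snaplen": snaplen, "linktype": linktype, "span_seconds": span}

def constructed_sample() -> bytes:
    """Constructed two-packet capture (Ethernet link type 1), not real traffic."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, payload in ((1700000000, b"\x00" * 60), (1700000002, b"\x00" * 64)):
        out += struct.pack("<IIII", sec, 0, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    good = constructed_sample()
    print(check_pcap(good))          # complete file
    print(check_pcap(good[:-10]))    # same file cut short, as after an interrupted transfer
```

For a real download, pass the file contents: check_pcap(open("test.pcap", "rb").read()).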