{"id":530,"date":"2025-03-13T12:02:02","date_gmt":"2025-03-13T12:02:02","guid":{"rendered":"https:\/\/blog.devops955.com\/swain\/?p=530"},"modified":"2025-03-13T06:05:47","modified_gmt":"2025-03-13T06:05:47","slug":"cisco-capture-packet","status":"publish","type":"post","link":"https:\/\/blog.devops955.com\/swain\/2025\/03\/13\/cisco-capture-packet\/","title":{"rendered":"How to Capture Packets on a Cisco Switch"},"content":{"rendered":"<h3><strong>What is Cisco Embedded Packet Capture (EPC)?<\/strong><\/h3>\n<p>Embedded Packet Capture (EPC) is an embedded system management tool used for tracking and troubleshooting network packets. This tool helps network administrators capture packets entering and leaving Cisco devices.  <\/p>\n<p>EPC can be used with Access Control Lists (ACLs) to filter specific packets based on predefined rules. The captured packets are stored in the device's DRAM buffer, meaning they are not permanently saved. If packet data needs to be preserved, it can be exported as a <strong>PCAP file<\/strong> for analysis using tools like <strong>Wireshark<\/strong>.  
<\/p>\n<h3><strong>Supported Software Versions<\/strong><\/h3>\n<p>Before using EPC, ensure that your device runs a supported software version:  <\/p>\n<ul>\n<li>Cisco IOS Release <strong>12.4(20)T<\/strong> or later  <\/li>\n<li>Cisco IOS XE Release <strong>15.2(4)S \u2013 3.7.0<\/strong> or later  <\/li>\n<\/ul>\n<h2><strong>How to Capture Packets with EPC<\/strong><\/h2>\n<h3><strong>Pre-capture Preparation<\/strong><\/h3>\n<ol>\n<li>Check available disk space:\n<pre><code class=\"language-bash\">dir<\/code><\/pre>\n<\/li>\n<li>Monitor CPU load:\n<pre><code class=\"language-bash\">show process cpu<\/code><\/pre>\n<\/li>\n<\/ol>\n<h3><strong>Packet Capture Configuration Steps<\/strong><\/h3>\n<h4><strong>Basic EPC Configuration<\/strong><\/h4>\n<p>Create a packet capture session with filtering rules, buffer size, capture interface, rate limits, and duration:  <\/p>\n<pre><code class=\"language-bash\">monitor capture test access-list capture buffer size 20 interface gi1\/0\/1 in limit pps 10000 duration 300<\/code><\/pre>\n<p>Specify the file storage location for captured packets:  <\/p>\n<pre><code class=\"language-bash\">monitor capture test file location flash:test.pcap<\/code><\/pre>\n<p>Verify the current capture settings:  <\/p>\n<pre><code class=\"language-bash\">show monitor capture test<\/code><\/pre>\n<p>Start and stop packet capture:  <\/p>\n<pre><code class=\"language-bash\">monitor capture test start\nmonitor capture test stop<\/code><\/pre>\n<h2><strong>Understanding EPC Parameters<\/strong><\/h2>\n<h3><strong>Core Command Structure<\/strong><\/h3>\n<pre><code class=\"language-bash\">monitor capture &lt;capture-name&gt; [parameters] [filters] [limits]<\/code><\/pre>\n<h3><strong>Key Parameters<\/strong><\/h3>\n<ol>\n<li>\n<p><strong>access-list<\/strong><br \/>\nSpecifies a predefined ACL for filtering packets. 
The ACL must be configured beforehand.<br \/>\n<em>Example:<\/em>  <\/p>\n<pre><code class=\"language-bash\">access-list capture<\/code><\/pre>\n<blockquote>\n<p><strong>Recommendation:<\/strong> Create a dedicated ACL for packet capture, specifying protocol types, IP addresses, and port numbers.  <\/p>\n<\/blockquote>\n<\/li>\n<li>\n<p><strong>buffer size<\/strong><br \/>\nSets the buffer size for captured packets (in MB).<br \/>\n<em>Example:<\/em>  <\/p>\n<pre><code class=\"language-bash\">buffer size 20<\/code><\/pre>\n<blockquote>\n<p><strong>Note:<\/strong>  <\/p>\n<ul>\n<li>A buffer that is too small may result in packet loss.  <\/li>\n<li>A large buffer consumes more device memory.  <\/li>\n<\/ul>\n<\/blockquote>\n<\/li>\n<li>\n<p><strong>interface<\/strong><br \/>\nSpecifies the capture interface and traffic direction:  <\/p>\n<ul>\n<li><code>interface gi1\/0\/1 in<\/code> \u2192 Captures incoming traffic  <\/li>\n<li><code>out<\/code> \u2192 Captures outgoing traffic  <\/li>\n<li><code>both<\/code> \u2192 Captures bidirectional traffic (device-dependent)  <\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>limit pps\/bps<\/strong><br \/>\nDefines capture rate limits:  <\/p>\n<ul>\n<li><code>pps 10000<\/code> \u2192 Limits capture to <strong>10,000 packets per second<\/strong>  <\/li>\n<li><code>bps 100M<\/code> \u2192 Limits capture bandwidth to <strong>100 Mbps<\/strong> (supports K\/M\/G units)<br \/>\n<blockquote>\n<p><strong>Note:<\/strong> Prevents excessive resource consumption in high-traffic environments.  <\/p>\n<\/blockquote>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>duration<\/strong><br \/>\nSpecifies the capture duration (in seconds).<br \/>\n<em>Example:<\/em>  <\/p>\n<pre><code class=\"language-bash\">duration 300<\/code><\/pre>\n<p>Captures packets for <strong>5 minutes<\/strong> and then automatically stops.  
<\/p>\n<\/li>\n<li>\n<p><strong>file location<\/strong><br \/>\nDefines the save location for the captured packets:  <\/p>\n<ul>\n<li><code>flash:test.pcap<\/code> \u2192 Saves to device flash memory  <\/li>\n<li><code>bootflash:<\/code> or <code>usbflash:<\/code> \u2192 Saves to an external storage device<br \/>\n<blockquote>\n<p><strong>Note:<\/strong> Ensure the destination storage has sufficient free space.  <\/p>\n<\/blockquote>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h3><strong>Additional Useful Parameters<\/strong><\/h3>\n<ul>\n<li>\n<p><strong>circular-buffer<\/strong><br \/>\nEnables circular buffer mode, overwriting old packets when full.<br \/>\n<em>Example:<\/em>  <\/p>\n<pre><code class=\"language-bash\">buffer circular size 50<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>match<\/strong><br \/>\nDefines inline filtering without ACLs.<br \/>\n<em>Example:<\/em>  <\/p>\n<pre><code class=\"language-bash\">match ipv4 protocol tcp any any<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>stop-after<\/strong><br \/>\nStops capturing after a specified number of packets.<br \/>\n<em>Example:<\/em>  <\/p>\n<pre><code class=\"language-bash\">stop-after 1000<\/code><\/pre>\n<p>Captures <strong>1,000 packets<\/strong> and then stops automatically.  <\/p>\n<\/li>\n<\/ul>\n<h3><strong>Best Practices for Configuration<\/strong><\/h3>\n<ol>\n<li>In production environments, use <code>limit<\/code> and <code>duration<\/code> to <strong>prevent excessive resource usage<\/strong>.  <\/li>\n<li>Use <strong>external storage (USB)<\/strong> to avoid consuming system flash memory.  <\/li>\n<li>For debugging, <code>no-limit<\/code> can be used <strong>with caution<\/strong> to remove rate limits.  <\/li>\n<li>Check memory usage with:\n<pre><code class=\"language-bash\">show memory statistics<\/code><\/pre>\n<blockquote>\n<p>to adjust buffer size accordingly.  
<\/p>\n<\/blockquote>\n<\/li>\n<\/ol>\n<h2><strong>How to View Captured Packets<\/strong><\/h2>\n<h3><strong>Viewing Directly on the Switch<\/strong><\/h3>\n<pre><code class=\"language-bash\"># Display packet capture summary\nshow monitor capture test buffer brief\n# Display detailed packet analysis (first 50 packets)\nshow monitor capture test buffer detailed limit 50\n# View raw hexadecimal output (for debugging)\nshow monitor capture test buffer dump<\/code><\/pre>\n<h4><strong>Viewing Capture Statistics<\/strong><\/h4>\n<pre><code class=\"language-bash\"># Check capture session status\nshow monitor capture test status\n# View packet count\nshow monitor capture test packet-number<\/code><\/pre>\n<h2><strong>Downloading Capture Files for Analysis<\/strong><\/h2>\n<h3><strong>File Transfer Methods<\/strong><\/h3>\n<h4><strong>1. FTP\/TFTP Transfer (Basic Method)<\/strong><\/h4>\n<pre><code class=\"language-bash\"># Upload to an FTP server\ncopy flash:test.pcap ftp:\/\/username:password@10.1.1.100\/path\/\n# TFTP transfer example\ncopy flash:test.pcap tftp:\/\/10.1.1.100\/<\/code><\/pre>\n<h4><strong>2. SCP Transfer (Secure Method)<\/strong><\/h4>\n<pre><code class=\"language-bash\"># Requires SSH server configuration\ncopy flash:test.pcap scp:\/\/user@serverip:\/path\/<\/code><\/pre>\n<h4><strong>3. 
HTTP Download (Supported on NX-OS)<\/strong><\/h4>\n<pre><code class=\"language-bash\"># Enable HTTP service\nfeature http\n# Access via browser\nhttps:\/\/switch-ip\/files\/test.pcap<\/code><\/pre>\n<blockquote>\n<p><strong>References:<\/strong>  <\/p>\n<ul>\n<li><a href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/ios-xml\/ios\/epc\/configuration\/xe-17\/epc-xe-17-book\/nm-packet-capture-xe.html\">Cisco EPC Configuration Guide (IOS XE)<\/a>  <\/li>\n<li><a href=\"https:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/ios-nx-os-software\/ios-embedded-packet-capture\/116045-productconfig-epc-00.html\">Cisco EPC Product Documentation<\/a>  <\/li>\n<\/ul>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Cisco Embedded Packet Capture (EPC) is a built-in network troubleshooting tool that allows administrators to capture packets directly on Cisco devices. The article provides step-by-step configuration instructions, key command explanations, best practices, and methods for viewing and transferring captured 
packets.<\/p>\n","protected":false},"author":3,"featured_media":437,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_jetpack_memberships_contains_paid_content":false},"categories":[3],"tags":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/04\/cisco.png","_links":{"self":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/530"}],"collection":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/comments?post=530"}],"version-history":[{"count":4,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/530\/revisions"}],"predecessor-version":[{"id":571,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/530\/revisions\/571"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/media\/437"}],"wp:attachment":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/media?parent=530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/categories?post=530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/tags?post=530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}