Cisco Embedded Packet Capture Feature
- Deniz Kaya – CCSI, CCNP, CCSP, CPTS, MCT.
One of the most powerful tools of Network Administrators is packet capturing programs. Although there is a long list of tools which can be chosen from, the most popular one without a doubt is Wireshark. Starting from the Ethereal years many IT professionals have become fans of Wireshark and keep using it for everyday for many reasons.
What I see as an issue in packet capturing is how to collect captured data from a network. If you are using Wireshark directly connected to the network everything is fine. You just start capturing even by using some filtering to get rid of unnecessary information and start digging into the low level packet analysis world. But if you are not directly connected, it is not always so easy to tap in between the data traffic.
You can still use port mirroring functionality comes with switches if you have one which supports this feature. That’s why vendors are now coming with embedded packet capturing features, so you can start capturing and save the collection as a pcap file for further analysis in Wireshark. Cisco ASA Firewalls, IPS Appliances already have this feature. Cisco routers, in some platforms, are also supporting a feature called IP Traffic Export which was not so comfortable to use.
After IOS Version 12.4(20)T, there is a new feature called Embedded Packet Capture which lets you capture data from any WAN or LAN ports you choose and transfer them as a pcap file over the network.
I will now share the commands necessary to configure this on box sniffer feature in five steps:
1. Create a named capture buffer in router memory
NHBG-Router1#monitor capture buffer CAPTURE1
2. Create a named capture point
NHBG-Router1#monitor capture point ip cef POINT1 GigabitEthernet0/1 both
3. Associate capture buffers with capture points
NHBG-Router1#monitor capture point associate POINT1 CAPTURE1
4. Start/stop capture
NHBG-Router1#monitor capture point start POINT1
NHBG-Router1#monitor capture point stop POINT1
5. Export captured packets as PCAP file elsewhere or see it in raw format on the router
NHBG-Router1#monitor capture buffer CAPTURE1 export tftp://192.168.1.10/trc1.pcap
Now you can see the capture with Wireshark…
____________________________________________________
Deniz Kaya is a senior security instructor at New Horizons Bulgaria
Deniz has planned, directed, and coordinated multiple projects simultaneously, ensuring goals and objectives were accomplished within time limitations and funding conditions. His core competency lies in areas of penetration testing, security assessments, enterprise network design, capacity planning and vendor evaluation. Equipped with Industry recognized certification under his belt, Deniz has demonstrated his determination to continuously self-improve and make his presence felt.
Deniz currently holds the prestigious industry certifications Microsoft Certified Systems Engineer (MCSE), Certified Cisco Systems Instructor (CCSI #31650), CCIE Security Written, Cisco Certified Network Professional (CCNP), Cisco Certified Security Professional (CCSP), Cisco Ironport Certified Security Instructor (ICSI), Cisco Ironport Certified Security Professional (ICSP), Certified Penetration Testing Specialist (CPTS), Microsoft Certified Trainer (MCT).
♦ Contact us for information on Cisco courses.