Cisco IOS XE - Embedded Packet Capture Tutorial

Captions
[Music] Hello everyone, my name is Rafael and welcome to Network Engineer Pro. In today's video I want to show you a useful feature for Cisco IOS and IOS XE called the Embedded Packet Capture. We all know that packet captures are really helpful, right? We want that packet-level visibility, not just to troubleshoot and prove it's not the network, but to really learn how the different protocols work. If you've watched any of my videos, you know that I love configuring technologies for you guys and showing you what they look like in a packet capture using Wireshark. Now, with the Embedded Packet Capture feature for Cisco IOS and IOS XE, the router is going to collect or capture packets that are sent and received on an interface. Once you configure it and you capture the data you want, you can go ahead and export it as a pcap file to a TFTP server, or just install a free TFTP program on your laptop and send it there, and open it with Wireshark. Now, something to keep in mind is that the packets that you capture are actually stored in a buffer on the router in DRAM. That does mean that if the router reboots, the packet captures are gone. Now, with this feature you can capture everything or get pretty granular. That's right, you can capture all packets that enter or leave a particular interface, or even in both directions, which is basically everything. But in some cases that might be too much data, so if you only wanted to see maybe OSPF packets going across a link, you can do that too by configuring the capture with an ACL. I'll show you how to do both, so don't worry. Alright, enough of me talking about how cool it is, let's get it configured.

Alright, so we're finally ready for the configuration portion of the video, and if you look at the upper right hand corner we have a very simple topology. We have Router 1 and Router 2 connected over gig 1.100, that's a sub-interface, and we have a TFTP server on the left. So what we're going to do is configure Router 1 for an embedded packet capture, and we're going to capture everything inbound and outbound on that gig 1.100 interface. Once we have our capture, we're going to go ahead and export it to the TFTP server and look at it in Wireshark. So let's get started.

So when you're working with the Embedded Packet Capture feature, this is not something that you're going to go to config t and then configure, right? You're going to do this straight from privileged exec mode. So let's get started. You're going to do monitor capture and let's give it a name, we're going to say test, and you're going to specify an interface, right? What's our capture point, what interface do we want to capture on? We're going to say gig 1.100. If you hit question mark you have some options here: you have both, which is going to capture inbound and outbound packets; you have in, so if you only wanted to capture inbound packets on the interface you'd say in; and the same thing with out, to only capture outbound packets. Now, when you're working with this feature you can configure this packet capture on sub-interfaces, physical interfaces or tunnel interfaces. So we're going to go ahead and say we're going to capture both directions on interface gig 1.100.

So now we told it what interface to capture on, we need to tell it what to capture. In our case we want to capture everything, so we're going to say monitor capture test match any. Now that's going to capture IPv4, IPv6, whatever. So now that we have said what interface we want to capture on and what type of traffic we want to capture, we need to start the capture. We're going to say monitor capture, put the name, which is test, and we're going to say start. Great, the capture has been started. So let me show you this show command really quick. We're going to do show monitor capture and then put the name, test. You can see the capture, which is named test; we are capturing on interface gig 1.100 and we are capturing in both directions. You can also see that the status of the capture is active. If you forgot to start the capture up here, you would see inactive here on the status. Then our filter details: we are capturing all packets. Then if you look down here in the buffer details, we have linear, and this is telling us that it's the default. Now, with the buffer type you have two options, you have linear and circular. Linear means that when the capture buffer is full it's going to stop capturing data, that's it, and you can see that the buffer size is 10 megabytes; when the buffer size hits 10 megabytes it's going to stop. If you were to change this to circular, when the capture buffer is full it's going to continue capturing data and it's just going to overwrite the old stuff, so it's going to keep going.

Alright, so now that we have our capture configured, let's go ahead and generate some traffic, right? Let's ping the other side on Router 2, that gig 1.100 on the other side. So I'm going to ping 10.1.1.101. Great, I have reachability, so I should have some pings in my capture. Let's configure OSPF on that link: config t, interface gig 1.100, ip ospf 1 area 0. And let's also do EIGRP: router eigrp 1, network 10.1.1.0 with a wildcard of 0.0.0.255. And let's do the same thing on the other side: interface gig 1.100, ip ospf 1 area 0, router eigrp 1, let's put our network statement, 10.1.1.0 0.0.0.255. So let's give it a couple of seconds for these adjacencies to come up. You can see EIGRP is pretty quick, EIGRP is already up; let's wait for OSPF. Alright, perfect, so you can see here our OSPF adjacency is up, we are full and the loading is done. So we've done some pings, we've configured EIGRP and those neighbors came up, we configured OSPF and those neighbors came up, so we should have some traffic in our filter. Let's go ahead and check that out.

So I want to show you this command: show monitor capture test buffer. You can see here that there are 97 packets in the buffer, and if you want to see a brief detail on what's inside the buffer you can say show buffer brief. You can see here we have timestamps, we have source and destination, and we have the protocol. So you can see that inside of this buffer that we configured we have ICMP, which is our pings, and we have some OSPF and EIGRP packets as well. So we know our capture is working; let's go ahead and export it to our Wireshark machine and look at the capture. To export this capture, what you're going to do is say monitor capture, put the name, test, export tftp, and put the IP of the TFTP server, or whatever PC or laptop you have running a TFTP program. For my example it's 192.168.1.70, and then you're going to give the capture a name, right? You can say whatever you want; I'm just going to put router 1, router 2, any, and then .pcap. Awesome, so you can see that the capture has been exported successfully. Let me go ahead and open it up and show you guys.

Alright, so you can see here that on that gig 1.100 interface we received everything, right? We received the pings, here are our ICMPs, and we have our OSPF and EIGRP, these are our hellos, and then once each side saw each other's hello they started going through that negotiation process and becoming neighbors in the adjacency, so you're going to see all those packets here, OSPF and EIGRP. So that's really cool, but there are some cases where the interface that you want to capture on might be a very busy interface and this might be too much information. So what we're going to do next is configure the capture on Router 1 to not capture anything; we're going to tell it only send me OSPF packets. So we're not going to see pings, we're not going to see EIGRP, we're only going to see OSPF packets. Let's go ahead and do that.

So the first thing I want to do is stop the capture, so I'm going to say monitor capture test stop, right, I'm stopping the capture, and I'm going to clear the capture, so I'm going to say monitor capture test clear. All the captured data is gone, and we can verify this by doing show monitor capture, put the name, buffer: zero packets, the buffer is at zero. So the capture's off and it's empty. Let's go ahead and configure an access list to only match on OSPF traffic. I'm going to create an extended access list, so I'm going to say ip access-list extended, and I'll just name it whatever, only-ospf, and we're going to permit ospf any any. Alright, now that that ACL has been configured, we're going to say monitor capture and put our name, test, and let me show you the question mark really quick: you can put the name of the capture, or you can specify an ACL, and that's what we're going to do. So we're going to say access-list, and the name of our access list was only-ospf, and we're going to say interface gig 1.100. So we're going to capture on interface gig 1.100, but it's only going to be traffic that's referenced in this access list, which is OSPF packets, and both. Alright, so "a filter is already attached to the capture, replace with the new access list?" Yes, we want to do that. Now let's go ahead and start the capture: monitor capture test start. Alright, so let's go ahead and get some pings, 10.1.1, let's ping the other side on Router 2. Alright, so we have our pings, and let's give it a few seconds for OSPF and EIGRP hellos to go across the link, right? We should have a little bit of protocol messages going across. So let's go ahead and export our capture: we're going to say monitor capture test export tftp, slash, put the IP 192.168.1.70, and we're going to give it a name, let's just say r1ospf.pcap. Alright, so you can see our capture has been exported successfully, you always want to see this. Let me go ahead and open it up.

Alright, look at that. We had pings going across, we have EIGRP packets going across, and we have OSPF. By combining the access list with our capture, we are able to only capture what we want, only what we're interested in, and this is going to really help you get organized with your captures and make sure that you're only seeing the data that you want to see. And if you open it up you can see all the cool details, all the little hello packet parameters that need to match and things like that. So, awesome.

So let's say that you're done with your capture, you don't need any more information. What you can do is say monitor capture, put the name, let's stop it, and then just delete it: no monitor capture test. Alright, so we covered how to set up an embedded packet capture in Cisco IOS XE, we did some show commands to verify some of the details on our capture, I then exported two captures, one matching all traffic in and out of an interface, and then I got specific and said, you know what, only show me OSPF packets exiting and entering that same interface. Lastly we took a quick peek at the captures in Wireshark to verify our work. I really hope you all enjoyed the video and learned something. If you did, don't forget to hit the subscribe button below, and you can also follow me on my Facebook page, Network Engineer Pro. All links and the config I used on Router 1 to get this capture set up are in the description of the video, so don't forget to take a look, especially if you want to test it out in your own lab and get familiar with how it works. Lastly, I'm going to go ahead and post a link to the Cisco configuration guide for this feature. I really recommend taking a look here, because this is where you're going to see not just how to configure it, but if there are any kind of limitations or maybe image requirements to be able to do this, you're going to find it there. And with that being said, if you guys have any questions or comments please let me know. Thanks everyone and have a great day.
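The two captures from the walkthrough collected into one IOS XE CLI sequence, as an added example and not the config the author posted with the video; it assumes the same names and addresses used in the video (capture test, GigabitEthernet1.100, TFTP server 192.168.1.70, ACL only-ospf) and adds the circular-buffer command the video describes but does not type.

```cisco
! All "monitor capture" commands are privileged EXEC, not config mode.
! Capture name, interface and addresses are the ones used in the video.

! --- Capture 1: everything in and out of the sub-interface ---
monitor capture test interface GigabitEthernet1.100 both
monitor capture test match any
! Optional: the video keeps the default linear 10 MB buffer, which stops when full.
! A circular buffer keeps capturing and overwrites the oldest packets instead.
! monitor capture test buffer circular size 10
monitor capture test start
! Verify status (active/inactive), direction, filter and buffer type/size:
show monitor capture test
! Per-packet timestamp, source/destination and protocol:
show monitor capture test buffer brief
monitor capture test stop
! The buffer lives in DRAM and is lost on reload, so export before rebooting.
! Newer IOS XE releases expect "export location tftp://..."; check with "?".
monitor capture test export tftp://192.168.1.70/router1-router2-any.pcap

! --- Capture 2: only OSPF, via an extended ACL attached to the capture point ---
monitor capture test clear
configure terminal
 ip access-list extended only-ospf
  permit ospf any any
 end
! Replaces the "match any" filter; the router prompts to confirm the replacement.
! The interface attachment from capture 1 stays in place.
monitor capture test access-list only-ospf
monitor capture test start
! ... ping the neighbour and wait for OSPF hellos, then:
monitor capture test stop
monitor capture test export tftp://192.168.1.70/r1ospf.pcap

! --- Cleanup when done: removes the capture point and frees the buffer ---
no monitor capture test
```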
Info
Channel: Network Engineer Pro
Views: 1,868
Keywords: cisco, packet capture, wireshark, router, embedded packet capture, embedded packet capture cisco, ccna, ccnp, ccie, cisco packet capture, tftp, ios xe, ios, ios xr, csr, csr1000v, epc, cisco embedded packet capture, cisco ccna certification, cisco systems, cisco ccna, embedded packet capture csr1000v, embedded packet capture ios xe, embedded packet capture cisco ios, embedded packet capture cisco ios xe
Id: 5ppEIzilUsc
Length: 11min 57sec (717 seconds)
Published: Sun Jan 31 2021