How to Configure Embedded Packet Capture (EPC) for Cisco IOS

When enabled, the router captures the packets sent and received. The packets are stored within a buffer in DRAM and are thus not persistent through a reload. Once the data is captured, it can be examined in a summary or detailed view on the router. In addition, the data can be exported as a packet capture (PCAP) file to allow for further examination. The tool is configured in exec mode and is considered a temporary assistance tool. As a result, the tool configuration is not stored within the router configuration and will not remain in place after a system reload.

The Packet Capture Config Generator and Analyzer tool is available for Cisco Customers to aid in the configuration, capture, and extraction of packet captures.

Cisco IOS Configuration Example

Basic EPC Configuration

  1. Define a ‘capture buffer’, which is a temporary buffer in which the captured packets are stored. Various options can be selected when the buffer is defined, such as size, maximum packet size, and circular/linear:

    monitor capture buffer BUF size 2048 max-size 1518 linear
  2. A filter can also be applied to limit the capture to desired traffic. Define an Access Control List (ACL) within config mode and apply the filter to the buffer:

    ip access-list extended BUF-FILTER
    permit ip host 192.168.1.1 host 172.16.1.1
    permit ip host 172.16.1.1 host 192.168.1.1

    monitor capture buffer BUF filter access-list BUF-FILTER
  3. Define a ‘capture point’, which defines the location where the capture occurs. The capture point also defines whether the capture occurs for IPv4 or IPv6 and in which switching path (process versus cef):

    monitor capture point ip cef POINT fastEthernet 0 both
  4. Attach the buffer to the capture point:

    monitor capture point associate POINT BUF
  5. Start the capture:

    monitor capture point start POINT
  6. The capture is now active. Allow collection of the necessary data.
  7. Stop the capture:

    monitor capture point stop POINT
  8. Examine the buffer on the unit:

    show monitor capture buffer BUF dump

    Note: This output shows only a hex dump of the captured packets. There are two ways to view them in human-readable form:
    1. Export the buffer from the router for further analysis:

      monitor capture buffer BUF export tftp://10.1.1.1/BUF.pcap

      Tip: Enhancement request CSCuw77601 has been filed to add a mail-to option under export, so you can email the buffer directly to an email address.
    2. However, the previous method is not always practical, as it requires TFTP or FTP access to the router. In such situations, you can copy the hex dump and use any online hex-to-pcap converter to view the packets.
  9. Once the necessary data has been collected, delete the ‘capture point’ and ‘capture buffer’:

    no monitor capture point ip cef POINT fastEthernet 0 both
    no monitor capture buffer BUF
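Step 8 suggests pasting the hex dump into an online converter; the following added example (not from the Cisco document) performs the same hex-to-pcap conversion locally, so the capture contents never leave your own machine. The dump layout it parses is assumed from typical IOS output (a timestamp header line per packet, then address-prefixed hex rows with a trailing ASCII column), and the sample dump is constructed: one ICMP echo request between the two hosts permitted by BUF-FILTER.

```python
import re
import struct
from datetime import datetime, timezone
# Constructed sample in the shape of `show monitor capture buffer BUF dump` output
# (layout assumed from typical IOS dumps: a timestamp header line per packet, then
# "ADDRESS: hex words   ASCII" rows). Frame: 42-byte ICMP echo 192.168.1.1 -> 172.16.1.1.
SAMPLE_DUMP = """\
21:40:19.254 UTC Mar 17 2013 : IPv4 LES CEF    : Fa0 None

2A6B4D20:                   0050 56A0E37D 0050       .PV..}.P
2A6B4D30: 56AB9F63 08004500 001C0001 0000FF01       V..c..E.........
2A6B4D40: 4D25C0A8 0101AC10 01010800 F7FE0001       M%..............
2A6B4D50: 0000                                      ..
"""
HEADER_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) \S+ (\w{3} \d{1,2} \d{4}) :")
ROW_RE = re.compile(r"^[0-9A-Fa-f]{8}:(.*)$")

def parse_dump(text):
    """Return [(epoch_seconds, frame_bytes), ...], one entry per captured packet."""
    packets, ts, buf = [], 0.0, bytearray()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                                # header line starts a new packet
            if buf:
                packets.append((ts, bytes(buf)))
                buf = bytearray()
            stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S.%f %b %d %Y")
            ts = stamp.replace(tzinfo=timezone.utc).timestamp()
            continue
        m = ROW_RE.match(line)
        if not m:
            continue                         # banner text and blank separator lines
        # ASCII column is set off by 2+ spaces; strip() first drops the padding before a partial first row.
        hex_words = re.split(r"\s{2,}", m.group(1).strip())[0]
        buf += bytes.fromhex(hex_words.replace(" ", ""))
    if buf:
        packets.append((ts, bytes(buf)))
    return packets

def to_pcap(packets):
    """Classic libpcap file: 24-byte global header (link type 1 = Ethernet), then a 16-byte record header per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in packets:
        sec, usec = int(ts), int(round((ts % 1) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

if __name__ == "__main__":
    with open("BUF.pcap", "wb") as fh:       # then: tcpdump -r BUF.pcap, or open in Wireshark
        fh.write(to_pcap(parse_dump(SAMPLE_DUMP)))
```

Replace SAMPLE_DUMP with the text copied from your own router session; rows whose ASCII column is separated by only a single space would need the split adjusted.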

Ref: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html