{"id":2997,"date":"2021-02-10T15:53:34","date_gmt":"2021-02-10T23:53:34","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=2997"},"modified":"2021-02-10T15:54:09","modified_gmt":"2021-02-10T23:54:09","slug":"how-to-configure-embedded-packet-capture-epc-for-cisco-ios","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=2997","title":{"rendered":"How to Configure Embedded Packet Capture (EPC) for Cisco IOS"},"content":{"rendered":"\n<p>When enabled, the router captures the packets sent and received. The packets are stored within a buffer in DRAM and are thus not persistent through a reload. Once the data is captured, it can be examined in a summary or detailed view on the router. In addition, the data can be exported as a packet capture (PCAP) file to allow for further examination. The tool is configured in exec mode and is considered a temporary assistance tool. As a result, the tool configuration is not stored within the router configuration and will not remain in place after a system reload.<\/p>\n\n\n\n<p>The&nbsp;<a href=\"https:\/\/cway.cisco.com\/tools\/CaptureGenAndAnalyse\/\">Packet Capture Config Generator and Analyzer<\/a>&nbsp;tool is available for Cisco Customers&nbsp;to aid in the configuration, capture, and extraction of packet captures.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cisco IOS Configuration Example<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">Basic EPC Configuration<\/h3>\n\n\n\n<ol class=\"wp-block-list\"><li>Define a &#8216;capture buffer&#8217;, which is a temporary buffer that the captured packets are stored within. There are various options that can be selected when the buffer is defined, such as size, maximum packet size, and circular\/linear:<br><br><strong>monitor capture buffer BUF size 2048 max-size 1518 linear<\/strong><\/li><li>A filter can also be applied to limit the capture to desired traffic. 
Define an Access Control List (ACL) within config mode and apply the filter to the buffer:<br><br><strong>ip access-list extended BUF-FILTER<br>permit ip host 192.168.1.1 host 172.16.1.1<br>permit ip host 172.16.1.1 host 192.168.1.1<br>monitor capture buffer BUF filter access-list BUF-FILTER<\/strong><\/li><li>Define a &#8216;capture point&#8217;, which defines the location where the capture occurs. The capture point also defines whether the capture occurs for IPv4 or IPv6 and in which switching path (process versus cef):<br><br><strong>monitor capture point ip cef POINT fastEthernet 0 both<\/strong><\/li><li>Attach the buffer to the capture point:<br><br><strong>monitor capture point associate POINT BUF<\/strong><\/li><li>Start the capture:<br><br><strong>monitor capture point start POINT<\/strong><\/li><li>The capture is now active. Allow collection of the necessary data.<br><\/li><li>Stop the capture:<br><br><strong>monitor capture point stop POINT<\/strong><\/li><li>Examine the buffer on the unit:<br><br><strong>show monitor capture buffer BUF dump<\/strong><br><br><strong>Note<\/strong>: This output only shows the hex dump of the captured packets. There are two ways to view them in human-readable form.<ol><li>Export the buffer from the router for further analysis:<br><br><strong>monitor capture buffer BUF export tftp:\/\/10.1.1.1\/BUF.pcap<\/strong><br><br><strong>Tip<\/strong>: Enhancement request&nbsp;<a href=\"https:\/\/tools.cisco.com\/bugsearch\/bug\/CSCuw77601\" target=\"_blank\" rel=\"noreferrer noopener\">CSCuw77601<\/a>&nbsp;has been filed in order to add a mail-to option under export so you can email the buffer directly to an email address.<\/li><li>However, the previous method is not always practical because it requires T\/FTP access to the router. 
In such situations, you can take a copy of the hex dump and use any online hex-to-PCAP converter in order to view the files.<\/li><\/ol><\/li><li>Once the necessary data has been collected, delete the &#8216;capture point&#8217; and &#8216;capture buffer&#8217;:<\/li><\/ol>\n\n\n\n<p><strong>no monitor capture point ip cef POINT fastEthernet 0 both<\/strong><\/p>\n\n\n\n<p><strong>no monitor capture buffer BUF<\/strong><\/p>\n\n\n\n<p>Ref: https:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/ios-nx-os-software\/ios-embedded-packet-capture\/116045-productconfig-epc-00.html<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When enabled, the router captures the packets sent and received. The packets are stored within a buffer in DRAM and are thus not persistent through a reload. Once the data is captured, it can be examined in a summary or detailed view on the router. In addition, the data can be exported as a packet <a class=\"read-more\" href=\"https:\/\/SUMMALAI.COM\/?p=2997\">Read 
More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[400,4,9,19],"tags":[582,581],"class_list":["post-2997","post","type-post","status-publish","format-standard","hentry","category-ccnp","category-cert","category-networks","category-router-switch","tag-cisco-epc","tag-embedded-packet-capture"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/2997","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2997"}],"version-history":[{"count":2,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/2997\/revisions"}],"predecessor-version":[{"id":2999,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/2997\/revisions\/2999"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route
=%2Fwp%2Fv2%2Ftags&post=2997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}