EPC (Embedded Packet Capture) is another useful troubleshooting tool for occasionally capturing traffic to be analyzed locally or exported to a remote device. It is meant for occasional use, in contrast with RITE (Router IP Traffic Export) or SPAN on switches, which are meant to provide a permanent flow of copied traffic directed to a traffic analyzer or IDS (Intrusion Detection System).
The configuration workflow is straightforward, but I would like to make a conceptual graphical analogy to illustrate it.
Let’s imagine traffic flowing through a router interface like the following:
1- Capture point:
Specify the protocol to capture, the interface and the direction. This is where you indicate which IP protocol (IPv4 or IPv6) you need to capture.
monitor capture point ip cef CAPTURE_POINT fastEthernet 0/0 both
monitor capture point ipv6 cef CAPTURE_POINT fastEthernet 0/0 both
2- Packet buffer:
Memory area where the frames are stored once captured.
monitor capture buffer CAPTURE_BUFFER
3- ACL:
If needed, you can filter a specific type of traffic with an ACL; this is available only for IPv4.
(config)#access-list 100 permit icmp host 192.168.0.1 host 172.16.1.1
#monitor capture buffer CAPTURE_BUFFER filter access-list 100
Except for the optional IPv4 ACL, which is configured in global configuration mode, everything else is configured in privileged EXEC mode.
4- Associate capture point with capture buffer
monitor capture point associate CAPTURE_POINT CAPTURE_BUFFER
You can associate multiple capture points (on the same or multiple interfaces) to the same buffer.
5- Start and stop capture process
monitor capture point start CAPTURE_POINT
monitor capture point stop CAPTURE_POINT
If you are familiar with Wireshark, it will be easier to remember the steps needed to capture traffic.
Wireshark analogy
Deployment 1
Two capture points are created to capture IPv4 and IPv6 traffic into separate capture buffers.
monitor capture point ipv6 cef CAPTURE_POINT6 fa0/0 both
monitor capture buffer CAPTURE_BUFFER6
monitor capture point associate CAPTURE_POINT6 CAPTURE_BUFFER6
!
monitor capture point ip cef CAPTURE_POINT4 fa0/0 both
monitor capture buffer CAPTURE_BUFFER4
monitor capture point associate CAPTURE_POINT4 CAPTURE_BUFFER4
The following is the result on the router:
Deployment 2
Two capture points are created to capture IPv4 and IPv6 traffic into a single capture buffer.
monitor capture point ipv6 cef CAPTURE_POINT6 fa0/0 both
monitor capture point ip cef CAPTURE_POINT4 fa0/0 both
!
monitor capture buffer CAPTURE_BUFFER46
!
monitor capture point associate CAPTURE_POINT6 CAPTURE_BUFFER46
monitor capture point associate CAPTURE_POINT4 CAPTURE_BUFFER46
The following is the result on the router:
Exporting
!Example of export to FTP
R1#monitor capture buffer CAPTURE_BUFFER46 export ftp://login:password@192.168.0.32/Volume_1/ecp.pcap
Writing Volume_1/ecp.pcap
R1#
!Example of export to TFTP
R1#monitor capture buffer CAPTURE_BUFFER46 export tftp://192.168.0.145/ecp.pcap
!
R1#
And the file opened in Wireshark:
EPC traffic opened with wireshark
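Wireshark is the usual way to read the exported file, but it helps to know what the export actually contains and to be able to sanity-check it without a GUI, for instance to confirm that the IPv4 ACL filter from step 3 kept only what you intended. The following Python script is an added example and is not part of the original post or of Cisco IOS: it parses a classic pcap file (the format EPC exports), classifies each frame as IPv4, IPv6 or other, and counts the frames that would match the post's ACL 100. The pcap header, EtherType and IP protocol constants are the real, documented values; the sample capture is constructed in memory so the script runs offline, and the `matches_acl100` helper is a hypothetical mirror of the page's ACL, not an IOS API. It also illustrates an ACL property worth remembering when capturing with direction `both`: an ACL entry names source then destination, so the echo reply travelling the other way does not match `permit icmp host 192.168.0.1 host 172.16.1.1`.

```python
import struct
from ipaddress import ip_address

# Documented constants: pcap link type for Ethernet, EtherTypes, IP protocol numbers.
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMP = 1
IPPROTO_ICMPV6 = 58


def parse_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) for each record of a classic pcap file.

    Both byte orders are detected from the magic number; non-Ethernet captures
    and truncated records are rejected rather than silently misparsed.
    """
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len or incl_len > snaplen:
            raise ValueError("truncated or corrupt packet record")
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def classify(frame: bytes):
    """Return (family, proto, src, dst) for an Ethernet frame, or None if it is not IP."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        return ("ipv4", payload[9], ip_address(payload[12:16]), ip_address(payload[16:20]))
    if ethertype == ETHERTYPE_IPV6 and len(payload) >= 40:
        # Next Header only; IPv6 extension headers are not walked in this example.
        return ("ipv6", payload[6], ip_address(payload[8:24]), ip_address(payload[24:40]))
    return None


def matches_acl100(info):
    """Hypothetical mirror of 'access-list 100 permit icmp host 192.168.0.1 host 172.16.1.1'."""
    family, proto, src, dst = info
    return family == "ipv4" and proto == IPPROTO_ICMP and str(src) == "192.168.0.1" and str(dst) == "172.16.1.1"


def summarize(data: bytes):
    """Count frames per family and protocol, plus those matching ACL 100."""
    counts = {"ipv4": 0, "ipv6": 0, "other": 0, "icmp": 0, "icmpv6": 0, "acl100": 0}
    for _ts, frame in parse_pcap(data):
        info = classify(frame)
        if info is None:
            counts["other"] += 1
            continue
        family, proto, _src, _dst = info
        counts[family] += 1
        if family == "ipv4" and proto == IPPROTO_ICMP:
            counts["icmp"] += 1
        if family == "ipv6" and proto == IPPROTO_ICMPV6:
            counts["icmpv6"] += 1
        if matches_acl100(info):
            counts["acl100"] += 1
    return counts


# --- Constructed sample capture (zeroed MACs and checksums; enough for header parsing) ---
def ipv4_frame(src, dst, proto, payload=b""):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


def ipv6_frame(src, dst, proto, payload=b""):
    ip = struct.pack("!IHBB16s16s", 0x60000000, len(payload), proto, 64,
                     ip_address(src).packed, ip_address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV6) + ip + payload


def build_pcap(frames, snaplen=65535):
    """Write a little-endian classic pcap with one record per frame (constructed timestamps)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1393372800 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    ipv4_frame("192.168.0.1", "172.16.1.1", IPPROTO_ICMP, b"\x08\x00"),  # echo request: matches ACL 100
    ipv4_frame("172.16.1.1", "192.168.0.1", IPPROTO_ICMP, b"\x00\x00"),  # echo reply, reversed: no match
    ipv4_frame("192.168.0.1", "172.16.1.1", 6),                          # TCP between the same hosts
    ipv6_frame("2001:db8::1", "2001:db8::2", IPPROTO_ICMPV6),            # ICMPv6, not covered by the IPv4 ACL
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,                           # ARP frame
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

To use it on a real export, replace `SAMPLE_PCAP` with the bytes of the `ecp.pcap` file you pulled from the FTP or TFTP server. Note that the FTP export URL embeds the login and password in cleartext and the pcap itself carries the captured payloads, so the export target should sit on a management network you trust.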
Source: http://cciethebeginning.wordpress.com/2014/02/26/embedded-packet-capture-lets-go-fishing-for-some-packets/