How To: Cisco Embedded Packet Capture

WesM63

Something I've been using a lot lately. This seems to be one of those things you either know about and use, or didn't know even existed.

Basically, EPC is exactly what you'd think it is. Embedded packet capture built into Cisco IOS. Requires 12.4(20)T and higher.

The cool thing about this is you don't need to set up a SPAN to do a quick packet capture. If you've done enough packet captures, you know they're a pain in the ass. Take a laptop to where you are going to do the capture, configure the SPAN (providing you have enough empty sessions and ports), run the capture, bring the laptop back, analyze the capture, and so on.

I'm not going to go into deep detail on how it works. Basically, it just buffers the capture into NVRAM (these values can be changed: buffer size, etc.). You can view it directly from the router or export it via tftp/ftp/etc. in pcap format to be viewed in Wireshark.

Let's just jump into it.

I'm going to capture only telnet packets via an ACL.

1. Define the ACL. This is a standard ACL, so the possibilities are pretty much endless. (This is only used by the capture; it doesn't get applied anywhere.)
Code:
ip access-list extended Telnet
 permit tcp any any eq telnet
 permit tcp any eq telnet any

2. Define the capture buffer. This is where the capture will be stored in NVRAM. I'm also increasing the maximum element size to 100Kb and leaving the rest default.
Code:
monitor capture buffer buffer_23 max-size 100

3. Apply your access list to the capture buffer. Again, this part is optional but as you can imagine extremely helpful.
Code:
monitor capture buffer buffer_23 filter access-list Telnet

4. Define the capture point. This is where we define what interfaces and directions (ingress/egress) we want to capture. In this example, we want to capture on ALL interfaces in BOTH directions.
Code:
monitor capture point ip cef capture_23 all both

5. Next we're just associating the buffer with the capture point.
Code:
monitor capture point associate capture_23 buffer_23

6. Finally, start the capture.
Code:
monitor capture point start capture_23

7. Run through some tests! I just telnet to a known IP address on the internet. While doing this, you can verify by running a show command and watching the packets captured increase.
Code:
sh monitor capture buffer buffer_23 parameters
and an output:
Code:
Capture buffer buffer_23 (linear buffer)
Buffer Size : 262144 bytes, Max Element Size : 100 bytes, Packets : 4
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : capture_23, Status : Active
Configuration:
monitor capture buffer buffer_23 max-size 100 
monitor capture point associate capture_23 buffer_23
monitor capture buffer buffer_23 filter access-list Telnet

8. Stopping the capture.
Code:
monitor capture point stop capture_23

9. Export the capture, in this example I tftp the file to a server of mine.
Code:
monitor capture buffer buffer_23 export tftp://192.168.63.50/telnetcap.pcap

10. Removing the buffer.
Code:
no monitor capture buffer buffer_23

11. Remove the capture point.
Code:
no monitor capture point ip cef capture_23 all both

There you have it. Here is a screenshot of the exported .pcap file opened in Wireshark. I filtered out my external IP address so no one gets any bright ideas. ;)

[Screenshot: mmTIU.jpg]
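As an added example that is not part of the original post: the ACL above only decides which packets land in the buffer; once the buffer is exported, the same "telnet in either direction" filter has to be applied again by whatever reads the pcap. The script below uses only the Python standard library to build a small libpcap file from constructed Ethernet/IPv4/TCP frames (constructed sample data, not a real capture), parses it back the way Wireshark would, and keeps only the packets the two `permit` lines of the `Telnet` ACL would have matched. It also shows what the `max-size` element cap does to the export: a packet longer than the snaplen is stored truncated, with the original length recorded in the record header. The Ethernet link type and the snaplen of 100 bytes are assumptions for the example; the function names are mine.

```python
"""Parse a libpcap file with the stdlib and apply the post's telnet ACL to it.
Added example, not from the original post.  Assumes Ethernet framing
(linktype 1), which is how Wireshark shows the exported capture."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1        # assumption for this example
TELNET_PORT = 23

def build_frame(src_ip, dst_ip, sport, dport, payload, seq=1):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; parser ignores them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def build_pcap(frames, snaplen=100):
    """In-memory pcap.  snaplen plays the role of the buffer's max element size:
    each record keeps at most snaplen bytes, orig_len keeps the real size."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame)) + captured
    return out

def iter_pcap(data):
    """Yield (ts_sec, orig_len, captured_bytes) for every record in a pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng or corrupt?)")
    _maj, _min, _tz, _sig, _snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec, orig_len, data[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; None for anything that is not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:            # IP protocol 6 = TCP
        return None
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "payload": frame[tcp_off + data_off:]}

def telnet_filter(pkt):
    """Same predicate as the ACL: permit tcp any any eq telnet / permit tcp any eq telnet any."""
    return pkt is not None and TELNET_PORT in (pkt["sport"], pkt["dport"])

def extract_telnet(pcap_bytes):
    """Return (direction, src, dst, payload, truncated) for every telnet packet."""
    out = []
    for _ts, orig_len, frame in iter_pcap(pcap_bytes):
        pkt = parse_frame(frame)
        if not telnet_filter(pkt):
            continue
        direction = "client->server" if pkt["dport"] == TELNET_PORT else "server->client"
        out.append((direction, pkt["src"], pkt["dst"], pkt["payload"], orig_len > len(frame)))
    return out

# Constructed sample: one telnet packet each way, one HTTP packet the ACL would
# not match, and one oversized telnet packet that the snaplen truncates.
SAMPLE_FRAMES = [
    build_frame("192.168.63.10", "203.0.113.5", 40001, 23, b"admin\r\n"),
    build_frame("203.0.113.5", "192.168.63.10", 23, 40001, b"Password: "),
    build_frame("192.168.63.10", "203.0.113.5", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("192.168.63.10", "203.0.113.5", 40001, 23, b"A" * 80),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES, snaplen=100)

if __name__ == "__main__":
    for direction, src, dst, payload, truncated in extract_telnet(SAMPLE_PCAP):
        print(f"{direction} {src} -> {dst}: {payload!r}" + (" [truncated]" if truncated else ""))
```

The point of the last sample frame is the one people trip over with `max-size`: Wireshark will flag it as "Packet size limited during capture", and any cleartext credential past the cap is simply not there, so size the element limit for what you actually want to read, not for what saves buffer space.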
The 4000 series switches now actually have Wireshark embedded in them, I believe.

Nice stuff to have for sure, since it can capture without worrying about an overloaded SPAN port where you begin to not see information crossing the wire.
 
I saw captures mentioned in the orange-covered Firewall book by Cisco.
First and only time for an IOS device.