Learned this from my friend Ricardo today, no longer running blind trying to figure out if a specific packet is received and what the router did with it.
To check if packet capture is already enabled:
show debuggingTo enable capture from specific IP
debug platform condition ipv4 <ip/cidr> bothTo start the capture and tell it the max packet to be captured
debug platform condition start
debug platform packet-trace packet 1024To check the capture result
show platform packet-trace summaryExample output of above command
Pkt Input Output State Reason
0 Gi0/0/0.703 Gi0/0/1.32 FWD
1 Gi0/0/0.703 Gi0/0/1.32 FWD
2 Gi0/0/0.703 Gi0/0/1.32 FWD
3 Gi0/0/0.703 Gi0/0/1.32 FWD
4 Gi0/0/0.703 Gi0/0/1.32 FWD To check the detail of specific packet, eg packet 3
show platform packet-trace packet 3Example of above command:
Packet: 3 CBUG ID: 18
Summary
Input : GigabitEthernet0/0/0.703
Output : GigabitEthernet0/0/1.32
State : FWD
Timestamp
Start : 90348958754799 ns (09/22/2022 18:40:07.21077 UTC)
Stop : 90348958764809 ns (09/22/2022 18:40:07.21087 UTC)
Path Trace
Feature: IPV4(Input)
Input : GigabitEthernet0/0/0.703
Output : <unknown>
Source : 10.64.0.73
Destination : 10.1.32.100
Protocol : 1 (ICMP)
To reset
clear platform condition all
clear platform packet-trace statistics
Another method
Create access list named CAPTURE
conf t
ip access-list extended CAPTURE
permit ip any any
endEnable and setup capture name ‘CAP’ using access list named CAPTURE, add interface g1, specify both directions, and running circular buffer (new override old when filled up)
monitor capture CAP access-list CAPTURE interface g1 both buffer circularIt’s possible to add additional interfaces to be captured, eg following adds Tunnel 1 to be captured
monitor cap CAP interface Tunnel 1 bothTo check current capture setting
show monitor cap CAPStart/Stop/Clear capture
monitor cap CAP start
monitor cap CAP stop
monitor cap CAP clearTo view the capture
show monitor cap CAP buffer briefTo view the capture for specific IP:
show monitor cap CAP buffer brief | inc 33.33.33.33