{"id":461,"date":"2022-09-22T13:04:51","date_gmt":"2022-09-22T18:04:51","guid":{"rendered":"https:\/\/cloudlearning365.com\/?p=461"},"modified":"2024-01-19T23:05:51","modified_gmt":"2024-01-20T04:05:51","slug":"packet-capture-on-cisco-isr","status":"publish","type":"post","link":"https:\/\/cloudlearning365.com\/?p=461","title":{"rendered":"Packet capture on Cisco ISR\/CSR"},"content":{"rendered":"\n<p>Learned this from my friend <a href=\"https:\/\/www.linkedin.com\/in\/rtrentin73\/\">Ricardo<\/a> today, no longer running blind trying to figure out if a specific packet is received and what the router did with it.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>To check if packet capture is already enabled:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>show debugging<\/code><\/pre>\n\n\n\n<p>To enable capture for a specific IP or CIDR range, in both directions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>debug platform condition ipv4 &lt;ip\/cidr&gt; both<\/code><\/pre>\n\n\n\n<p>To start the capture and set the maximum number of packets to capture:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>debug platform condition start\ndebug platform packet-trace packet 1024<\/code><\/pre>\n\n\n\n<p>To check the capture results:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>show platform packet-trace summary<\/code><\/pre>\n\n\n\n<p>Example output of the above command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Pkt   Input             Output            State  Reason\n0     Gi0\/0\/0.703       Gi0\/0\/1.32        FWD    \n1     Gi0\/0\/0.703       Gi0\/0\/1.32        FWD    \n2     Gi0\/0\/0.703       Gi0\/0\/1.32        FWD    \n3     Gi0\/0\/0.703       Gi0\/0\/1.32        FWD    \n4     Gi0\/0\/0.703       Gi0\/0\/1.32        FWD   <\/code><\/pre>\n\n\n\n<p>To check the details of a specific packet, e.g. packet 3:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>show platform packet-trace packet 3<\/code><\/pre>\n\n\n\n<p>Example output of the above command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Packet: 3           CBUG ID: 18\nSummary\n 
 Input     : GigabitEthernet0\/0\/0.703\n  Output    : GigabitEthernet0\/0\/1.32\n  State     : FWD \n  Timestamp\n    Start   : 90348958754799 ns (09\/22\/2022 18:40:07.21077 UTC)\n    Stop    : 90348958764809 ns (09\/22\/2022 18:40:07.21087 UTC)\nPath Trace\n  Feature: IPV4(Input)\n    Input       : GigabitEthernet0\/0\/0.703\n    Output      : &lt;unknown&gt;\n    Source      : 10.64.0.73\n    Destination : 10.1.32.100\n    Protocol    : 1 (ICMP)<\/code><\/pre>\n\n\n\n<p>To reset:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>clear platform condition all\nclear platform packet-trace statistics\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Another method<\/h2>\n\n\n\n<p>Create an access list named CAPTURE:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>conf t\nip access-list extended CAPTURE\npermit ip any any\nend<\/code><\/pre>\n\n\n\n<p>Set up a capture named &#8216;CAP&#8217; using the access list named CAPTURE, add interface g1, specify both directions, and use a circular buffer (new packets overwrite old ones when the buffer fills up):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>monitor capture CAP access-list CAPTURE interface g1 both buffer circular<\/code><\/pre>\n\n\n\n<p>It&#8217;s possible to add more interfaces to the capture, e.g. the following adds Tunnel 1:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>monitor cap CAP interface Tunnel 1 both<\/code><\/pre>\n\n\n\n<p>To check the current capture settings:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>show monitor cap CAP<\/code><\/pre>\n\n\n\n<p>To start, stop, or clear the capture:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>monitor cap CAP start\nmonitor cap CAP stop\nmonitor cap CAP clear<\/code><\/pre>\n\n\n\n<p>To view the capture:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>show monitor cap CAP buffer brief<\/code><\/pre>\n\n\n\n<p>To view the capture for a specific IP:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>show monitor cap CAP buffer brief | inc 
33.33.33.33<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Learned this from my friend Ricardo today, no longer running blind trying to figure out if a specific packet is received and what the router did with it.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[11],"tags":[],"class_list":["post-461","post","type-post","status-publish","format-standard","hentry","category-cisco"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=461"}],"version-history":[{"count":5,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/461\/revisions"}],"predecessor-version":[{"id":1666,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/461\/revisions\/1666"}],"wp:attachment":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated
":true}]}}