Captures

From ip tuning
Jump to: navigation, search

How to make captures in different equipment versions and models.

Cisco IOS 15

On IOS 15 Cisco introduced a new capture method.

You now define "Buffers" and Capture "Points" and then you can associate both to make a capture.

The default buffer size is 1024kB - notice that on iOS XE the capture buffer is measured in MB.

Example capture

#monitor capture ?
 buffer  Control Capture Buffers
 point   Control Capture Points

Create a buffer. The default buffer size is 1024kB:

#monitor capture buffer BUFFER

  Create a capture point. You can capture IPv4 traffic and at the CEF interface:

#monitor capture point ip cef CAPTUREIG00 GigabitEthernet 0/0

Now, you have to associate both the buffer and the capture point:

#monitor capture point associate CAPTUREIG00 BUFFER

Now, to start the capture:

#monitor capture point start CAPTUREIG00

To stop the capture:

#monitor capture point stop CAPTUREIG00

And to finally export the capture to the flash (you can also export it at the network. Issue ? after export to see your options.

#monitor capture buffer BUFFER export flash:capture.cap

When you're finished and no longer require to do captures, don't forget to delete both:

#no monitor capture buffer BUFFER
#no monitor capture point ip cef CAPTUREIG00 GigabitEthernet 0/0

Cisco IOS XE

The simplest way to capture all traffic in a particular interface is to mention it directly.

If you want to capture all IPv4 traffic, just add ipv4 any any. If you want to capture particular IP addresses and/or ports, use access-lists.

Example capture

Please note that the buffer size is expressed in megabytes!

monitor capture CAPTURA buffer size 4
monitor capture CAPTURA interface gigabitEthernet 0/0/2 both
monitor capture CAPTURA match ipv4 any any

When you're ready to start the capture, issue:

monitor capture CAPTURA start

You can stop the capture with this:

monitor capture CAPTURA stop 

You can export to an external server too! Check the options with ?

monitor capture CAPTURA export flash:capture.cap

Don't forget to delete the monitor session when you don't need it any more.

no monitor capture CAPTURA