Cisco ASR1000 Packet Capture
Running a packet capture on a router is, in my opinion, one of the best features Cisco provides. Most Cisco router platforms can run a packet capture on the box itself, and here I demonstrate how to carry one out on any ASR1k platform, such as the ASR1001, ASR1002 or ASR1002-X.
First, check which capture monitors, if any, are already configured and remove any that are no longer required. A forgotten capture still holds its buffer and its filter ACL on the box, so it is worth clearing out before you create a new one:
Router#show monitor capture
Status Information for Capture mycap
Target Type:
Interface: GigabitEthernet0, Direction: both
Status : Inactive
Filter Details:
Access-list: mycap-acl
Buffer Details:
Buffer Type: CIRCULAR
Buffer Size (in MB): 10
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 120
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Router#
Router#no monitor capture mycap
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no ip access-list ext mycap-acl
To begin our capture, we first create an ACL that matches the interesting traffic, then drop back out of configuration mode. Note that this ACL is only used to select which packets are copied into the capture buffer; it is not applied to any interface and does not affect forwarding. Also be aware that the entry below matches only packets going to the web server on port 80, so even with the capture direction set to "both" the server's replies (source port 80) will not be captured unless you add a matching permit line for the return direction.
Router(config)#ip access-list ext mycap-acl
Router(config-ext-nacl)#permit tcp any host 192.168.25.100 eq 80
Router(config-ext-nacl)#end
Router#
Create the capture and attach the ACL to it as its filter:
Router#monitor capture mycap access-list mycap-acl
Set a duration (in seconds) for the packet capture; 2 minutes is usually more than enough for me:
Router#monitor capture mycap limit duration 120
Set the interface the capture should run on, and in which direction:
Router#monitor capture mycap interface GigabitEthernet0 both
Set the buffer size to allocate for storing the capture locally (note: the unit is megabytes). A circular buffer keeps the most recent packets and overwrites the oldest once it fills, whereas a linear buffer stops capturing when it is full:
Router#monitor capture mycap buffer circular size 2
Finally, start the capture:
Router#monitor capture mycap start
This is the point where you generate the traffic you want to observe. You can then stop the capture manually, or let the timer run out:
Router#monitor capture mycap stop
To get the capture into Wireshark, we need to export it from the box. Start up an FTP server that the router can reach; I like 'BabyFTP', as it is simple to use and supports anonymous connections. Bear in mind that FTP sends the file (and any credentials) in clear text, so the captured packet contents are exposed to anyone on the path between the router and your server. For anything sensitive, export to bootflash: and copy the file off with SCP instead:
Router#monitor capture mycap export ftp://192.168.0.10/test.capture.pcap
A bit of housekeeping afterwards to clear the buffer and remove the capture from the router:
Router#monitor capture mycap clear
Router#no monitor capture mycap
And finally, check your FTP server for the pcap and open it up in Wireshark!
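When you look after more than one router, the first step above (check what captures are already there and remove the stale ones) is the part worth automating. The script below is an added example written for this page, not code from the original post or from Cisco. It parses the 'show monitor capture' output in the format shown above into a dictionary, lists which captures are still Active (and so must not be torn down from under someone), and generates the exec and config commands that remove each Inactive capture together with its filter ACL. The sample input is constructed: it is the page's own output for "mycap" plus a second, hypothetical capture named "webcap" that is still running. Other IOS-XE releases print extra sections in this command's output, which the parser simply ignores.

```python
import re
from typing import Dict, List

# Constructed sample input: the 'show monitor capture' output from this page,
# followed by a second, hypothetical capture ("webcap") that is still Active.
SAMPLE_OUTPUT = """\
Status Information for Capture mycap
  Target Type:
    Interface: GigabitEthernet0, Direction: both
    Status : Inactive
  Filter Details:
    Access-list: mycap-acl
  Buffer Details:
    Buffer Type: CIRCULAR
    Buffer Size (in MB): 10
  Limit Details:
    Number of Packets to capture: 0 (no limit)
    Packet Capture duration: 120
    Packet Size to capture: 0 (no limit)
    Maximum number of packets to capture per second: 1000
    Packet sampling rate: 0 (no sampling)
Status Information for Capture webcap
  Target Type:
    Interface: GigabitEthernet0/0/1, Direction: in
    Status : Active
  Filter Details:
    Access-list: webcap-acl
  Buffer Details:
    Buffer Type: LINEAR
    Buffer Size (in MB): 2
  Limit Details:
    Number of Packets to capture: 0 (no limit)
    Packet Capture duration: 60
"""

CAPTURE_HEADER = re.compile(r"^Status Information for Capture (\S+)")
ATTACH_POINT = re.compile(r"^Interface:\s*(\S+),\s*Direction:\s*(\S+)")
# One regex per field we care about, keyed by the dict field it fills.
FIELD_PATTERNS = {
    "status": re.compile(r"^Status\s*:\s*(\S+)"),
    "acl": re.compile(r"^Access-list:\s*(\S+)"),
    "buffer_type": re.compile(r"^Buffer Type:\s*(\S+)"),
    "buffer_mb": re.compile(r"^Buffer Size \(in MB\):\s*(\d+)"),
    "duration_s": re.compile(r"^Packet Capture duration:\s*(\d+)"),
}
INT_FIELDS = ("buffer_mb", "duration_s")


def parse_show_monitor_capture(text: str) -> Dict[str, dict]:
    """Parse 'show monitor capture' output into {capture_name: fields}."""
    captures: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = CAPTURE_HEADER.match(line)
        if header:
            current = {
                "interfaces": [],  # list of (interface, direction) tuples
                "status": None, "acl": None,
                "buffer_type": None, "buffer_mb": None, "duration_s": None,
            }
            captures[header.group(1)] = current
            continue
        if current is None:
            continue  # prompt or other text before the first capture block
        attach = ATTACH_POINT.match(line)
        if attach:
            current["interfaces"].append((attach.group(1), attach.group(2)))
            continue
        for field, pattern in FIELD_PATTERNS.items():
            m = pattern.match(line)
            if m:
                value = m.group(1)
                current[field] = int(value) if field in INT_FIELDS else value
                break
    return captures


def active_captures(captures: Dict[str, dict]) -> List[str]:
    """Names of captures still running; stop these before touching them."""
    return sorted(n for n, c in captures.items() if c["status"] == "Active")


def cleanup_commands(captures: Dict[str, dict]) -> List[str]:
    """IOS-XE commands removing every Inactive capture and its filter ACL.

    Active captures are deliberately left alone: someone may be using them.
    Exec-mode commands come first, config-mode commands are wrapped in
    'configure terminal' / 'end' so the list can be pasted as-is.
    """
    exec_cmds: List[str] = []
    config_cmds: List[str] = []
    for name, cap in sorted(captures.items()):
        if cap["status"] != "Inactive":
            continue
        exec_cmds.append(f"no monitor capture {name}")
        if cap["acl"]:
            config_cmds.append(f"no ip access-list extended {cap['acl']}")
    if not config_cmds:
        return exec_cmds
    return exec_cmds + ["configure terminal"] + config_cmds + ["end"]


if __name__ == "__main__":
    caps = parse_show_monitor_capture(SAMPLE_OUTPUT)
    for name, cap in caps.items():
        print(name, cap["status"], cap["interfaces"], cap["acl"],
              cap["buffer_type"], f"{cap['buffer_mb']} MB")
    print("still active:", active_captures(caps))
    print("\n".join(cleanup_commands(caps)))
```

Feed it the saved output of 'show monitor capture' from each router and paste the generated commands back in; anything reported as still active is left for a human to decide on, which matches the page's advice to remove only what is no longer required.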