Embedded packet capture (EPC) is a way to capture packets directly on a router. These packet captures can then be sent to a server (FTP, SCP, HTTP, etc.) for analysis in a program such as Wireshark. EPC requires IOS version 12.4(20)T or greater.
The commands below set up a capture on interface fa0/0 and export the capture to an FTP server.
monitor capture buffer BUFFER
monitor capture buffer BUFFER size 512 max-size 256
monitor capture point ip cef FA0_0 fa0/0 both
monitor capture point asso FA0_0 BUFFER
monitor capture point start FA0_0
monitor capture buffer BUFFER export ftp://host/filename.pcap
The capture can be stopped with the following:
monitor capture point stop FA0_0
You can determine whether the capture is working with the following:
show monitor capture buffer BUFFER parameters
Rack1R1#show monitor capture buffer BUFFER parameters
Capture buffer BUFFER (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 256 bytes, Packets : 5
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : FA0_0, Status : Active
Configuration:
monitor capture buffer BUFFER size 512 max-size 256 linear
monitor capture point associate FA0_0 BUFFER
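The status check above can be scripted when captures run on several routers. The following is an added example, not part of the original post: it parses the parameters output shown above and flags an inactive capture point or a linear buffer that may be close to full. The function names and the 0.8 threshold are assumptions.

```python
import re

# Constructed sample: the "show monitor capture buffer BUFFER parameters"
# output from this page, as a script would receive it from the router.
SAMPLE = """\
Capture buffer BUFFER (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 256 bytes, Packets : 5
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : FA0_0, Status : Active
Configuration:
monitor capture buffer BUFFER size 512 max-size 256 linear
monitor capture point associate FA0_0 BUFFER
"""

def parse_epc_parameters(text):
    """Parse the parameters output into a dict (hypothetical helper)."""
    head = re.search(r"Capture buffer (\S+) \((\w+) buffer\)", text)
    if head is None:
        raise ValueError("not EPC buffer parameters output")
    def num(label):
        m = re.search(re.escape(label) + r"\s*:\s*(\d+)", text)
        if m is None:
            raise ValueError(f"field missing: {label}")
        return int(m.group(1))

    return {
        "name": head.group(1),
        "type": head.group(2),
        "buffer_size": num("Buffer Size"),
        "max_element": num("Max Element Size"),
        "packets": num("Packets"),
        "points": dict(re.findall(r"Name : ([^,\s]+), Status : (\w+)", text)),
    }

def check_capture(info, full_ratio=0.8):
    """Return findings; an empty list means nothing to flag."""
    findings = []
    if not info["points"]:
        findings.append("no capture point associated")
    for name, status in info["points"].items():
        if status != "Active":
            findings.append(f"capture point {name} is {status}")
    # Upper bound on bytes held: each element stores at most max_element
    # bytes (per-packet overhead ignored; full_ratio is an assumed threshold).
    held = info["packets"] * info["max_element"]
    if info["type"] == "linear" and held >= full_ratio * info["buffer_size"]:
        findings.append("linear buffer may be close to full")
    return findings
```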
More information can be found in the config guide under Cisco IOS Network Management Configuration Guide -> Troubleshooting, Fault Management, and Logging -> Embedded Packet Capture.