Packet Capture inside Cisco Catalyst 3560 and 3750 (Embedded Packet Capture)

1. Access List Creation
switch3560(config)#ip access-list extended cap1testacl
switch3560(config-ext-nacl)#permit icmp any any
switch3560(config-ext-nacl)#^Z
switch3560#sho ip access-lists cap1testacl
Extended IP access list cap1testacl
10 permit icmp any any

2. Monitor Capture Buffer Creation
switch3560#monitor capture ?
buffer Control Capture Buffers
point Control Capture Points
switch3560#monitor capture buffer ?
WORD Name of the Capture Buffer
switch3560#monitor capture buffer cap1testbuffer ?
circular Circular Buffer
clear Clear contents of capture buffer
export Export in Pcap format
filter Configure filters
limit Limit the packets dumped to the buffer
linear Linear Buffer(Default)
max-size Maximum size of element in the buffer (in bytes)
size Packet Dump buffer size (in Kbytes)
<cr>
switch3560#monitor capture buffer cap1testbuffer size 2048 ?
circular Circular Buffer
linear Linear Buffer(Default)
max-size Maximum size of element in the buffer (in bytes)
<cr>
switch3560#monitor capture buffer cap1testbuffer size 2048 max-size ?
<68-9500> Element size in bytes : 9500 bytes or less (default is 68 bytes)
switch3560#monitor capture buffer cap1testbuffer size 2048 max-size 1500 ?
circular Circular Buffer
linear Linear Buffer(Default)
<cr>
switch3560#monitor capture buffer cap1testbuffer size 2048 max-size 1500 circular ?
<cr>
switch3560#monitor capture buffer cap1testbuffer size 2048 max-size 1500 circular
access-list Set access list
switch3560#monitor capture buffer cap1testbuffer filter access-list ?
<1-199> IP access list
<1300-2699> IP expanded access list
WORD Access-list name
switch3560#monitor capture buffer cap1testbuffer filter access-list cap1testacl ?
<cr>
switch3560#monitor capture buffer cap1testbuffer filter access-list cap1testacl
Filter Association succeeded
switch3560#sho monitor capture buffer ?
WORD Name of the Capture Buffer
all All capture buffers
merged Merged View of Capture Buffers
switch3560#sho monitor capture buffer cap1testbuffer parameters
Capture buffer cap1testbuffer (circular buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1500 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer cap1testbuffer size 2048 max-size 1500 circular
monitor capture buffer cap1testbuffer filter access-list cap1testacl
switch3560#monitor capture ?
buffer Control Capture Buffers
point Control Capture Points
switch3560#monitor capture po
switch3560#monitor capture point ?
associate Associate capture point with capture buffer
disassociate Dis-associate capture point from capture buffer
ip IPv4
ipv6 IPv6
start Enable Capture Point
stop Disable Capture Point
switch3560#monitor capture point ip ?
cef IPv4 CEF
process-switched Process switched packets
switch3560#monitor capture point ip pr
switch3560#monitor capture point ip process-switched ?
WORD Name of the Capture Point
switch3560#monitor capture point ip process-switched cap1testpoint ?
both Inbound and outbound and packets
from-us Packets originating locally
in Inbound packets
out Outbound packets
switch3560#monitor capture point ip process-switched cap1testpoint bo
switch3560#monitor capture point ip process-switched cap1testpoint both ?
<cr>
switch3560#monitor capture point ip process-switched cap1testpoint both
switch3560#

3. Attach Buffer to Filter
switch3560#monitor capture buffer cap1testbuffer filter ?
switch3560#monitor capture buffer cap1testbuffer filter access-list cap1testacl

4. Verify Buffer Configuration
switch3560#sho monitor capture buffer ?
WORD Name of the Capture Buffer
all All capture buffers
merged Merged View of Capture Buffers
switch3560#sho monitor capture buffer cap1testbuffer parameters
Capture buffer cap1testbuffer (circular buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1500 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer cap1testbuffer size 2048 max-size 1500 circular
monitor capture buffer cap1testbuffer filter access-list cap1testacl

5. Associate Capture Point to Capture Buffer
switch3560#monitor capture point associate ?
WORD Name of the Capture Point
switch3560#monitor capture point associate cap1testpoint ?
WORD Name of the Capture Buffer
switch3560#monitor capture point associate cap1testpoint cap1testbuffer ?
<cr>
switch3560#monitor capture point associate cap1testpoint cap1testbuffer

5. Verify Capture Point
switch3560#sho monitor capture point cap1testpoint ?
| Output modifiers
<cr>
switch3560#sho monitor capture point cap1testpoint
Status Information for Capture Point cap1testpoint
IPv4 Process
Switch Path: IPv4 Process , Capture Buffer: cap1testbuffer
Status : Inactive
Configuration:
monitor capture point ip process-switched cap1testpoint both

6. Start Capture Point
switch3560#monitor capture point start ?
WORD Name of the Capture Point
all All Capture Points
switch3560#monitor capture point start cap1testpoint ?
<cr>
switch3560#monitor capture point start cap1testpoint
switch3560#sho moni cap poi cap1testpoint
Status Information for Capture Point cap1testpoint
IPv4 Process
Switch Path: IPv4 Process , Capture Buffer: cap1testbuffer
Status : Active
Configuration:
monitor capture point ip process-switched cap1testpoint both

7. Stop after required time
switch3560#monitor capture point stop cap1testpoint

8. View Statistics
switch3560# show monitor capture buffer cap1testbuffer parameters
Capture buffer cap1testbuffer (circular buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1500 bytes, Packets : 14
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : cap1testpoint, Status : Inactive
Configuration:
monitor capture buffer cap1testbuffer size 2048 max-size 1500 circular
monitor capture point associate cap1testpoint cap1testbuffer
monitor capture buffer cap1testbuffer filter access-list cap1testacl

9. Export to TFTP
switch3560# monitor capture buffer cap1testbuffer export ?
flash: Location to dump buffer
ftp: Location to dump buffer
http: Location to dump buffer
https: Location to dump buffer
rcp: Location to dump buffer
scp: Location to dump buffer
tftp: Location to dump buffer
switch3560# monitor capture buffer cap1testbuffer export tftp://192.168.100.1/cap1testbuffer.pcap
!!
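
Added example, not part of the original post: a Python check that parses the "show monitor capture buffer ... parameters" output from the steps above and flags a missing filter ACL, a missing capture point association, a max-size below the MTU, or a capture point left active. The sample text is constructed from the output shown above; the function names and the 1500-byte MTU default are assumptions.

```python
import re

# Constructed sample: the "show monitor capture buffer ... parameters" output
# from the steps above, re-typed one field per line.
SAMPLE = """\
Capture buffer cap1testbuffer (circular buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1500 bytes, Packets : 14
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : cap1testpoint, Status : Inactive
Configuration:
monitor capture buffer cap1testbuffer size 2048 max-size 1500 circular
monitor capture point associate cap1testpoint cap1testbuffer
monitor capture buffer cap1testbuffer filter access-list cap1testacl
"""

# Function names and the mtu default are assumptions of this example.
def parse_buffer_parameters(text):
    """Parse the parameters listing into a dict."""
    info = {"points": {}, "filter_acl": None}
    m = re.search(r"^Capture buffer (\S+) \((\w+) buffer\)", text, re.M)
    if not m:
        raise ValueError("not a capture buffer parameters listing")
    info["name"], info["type"] = m.group(1), m.group(2)
    for key, val in re.findall(r"(Buffer Size|Max Element Size|Packets) : (\d+)", text):
        info[key] = int(val)
    for name, status in re.findall(r"^Name : (\S+), Status : (\w+)", text, re.M):
        info["points"][name] = status
    m = re.search(r"^monitor capture buffer \S+ filter access-list (\S+)", text, re.M)
    if m:
        info["filter_acl"] = m.group(1)
    return info

def review(info, mtu=1500):
    """Return findings to resolve before starting or exporting a capture."""
    findings = []
    if info["filter_acl"] is None:
        findings.append("no filter ACL: every packet on the capture point is stored")
    if not info["points"]:
        findings.append("no capture point associated: buffer will stay empty")
    if info["Max Element Size"] < mtu:
        findings.append("max-size %d < %d: larger packets are truncated"
                        % (info["Max Element Size"], mtu))
    active = [n for n, s in info["points"].items() if s == "Active"]
    if active:
        findings.append("capture point still active: " + ", ".join(active))
    return findings
```

Feed it the text returned by the show command after step 5 and again before step 9; an empty list from review() means the buffer matches the configuration built in this walkthrough.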