How can I capture traffic on a Cisco router?

If your traffic happens to be passing through a router running Cisco IOS 12.4(20)T or later, you can use the Embedded Packet Capture feature.

This feature is NOT available on switch platforms like the 3560 or 3750.

This feature captures packets and saves a small PCAP file on the router, which you can then download and analyze with Wireshark.

Go here for more info: http://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/embedded-automation-systems/ppt_EASy_Packet_Capture_c78-577851.pdf


Another option:

Add ELAM to the mix. ELAM is supported on the PFC3 (6500, 7600).

You need to have ‘service internal’ enabled. This is a safe feature to run; you can run it in production networks without experiencing a negative impact.

Essentially, ELAM shows you what was sent to the PFC for lookup processing via the DBUS (Data BUS) and what lookup result the PFC returned on the RBUS (Result BUS).

  1. show plat cap elam asic superman slot DFC/PFC_SLOT_YOU_WANT_TO_LOOK
  2. show plat cap elam trigger dbus ipv4 if ip_sa=192.0.2.1
  3. show plat cap elam start
  4. show plat cap elam data

For the triggers there is online help; IP_SA == IP Source Address, IP_DA == IP Destination Address, and lots of others are available. If what you want to check isn’t available, you can do a data + mask match for arbitrary data on the first 64 bytes.
The arbitrary trigger is a bit awkward but can be a lifesaver; you use it like this:

show platform capture elam trigger dbus others if data = DATA1 DATA2 DATAn [MASK1 MASK2 MASKn ]

Data starts at the DMAC. So, say we want to catch an incoming MPLS label stack of [0 1951] but don’t care about the MAC addresses; we could do this:

show platform capture elam trigger dbus others if data = 0 0 0 0x88470000 0x00000079 0xF0000000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 ]
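Working out the data and mask words by hand is where the arbitrary trigger gets awkward, so here is an added example (not part of the original article, and not a Cisco tool) that builds them from a desired label stack. It lays out the frame the way the trigger sees it (DMAC, SMAC, EtherType 0x8847, then 32-bit MPLS headers, label in the top 20 bits) into a 64-byte data buffer and a 64-byte mask buffer, packs both into big-endian 32-bit words, and drops trailing words whose mask is zero. The function names, the optional MAC matching and the lowercase hex formatting are my own choices; with the label stack [0 1951] and no MAC match it reproduces the command shown above.

```python
import struct

ETHERTYPE_MPLS = 0x8847   # MPLS unicast EtherType, as in the article's example
FRAME_BYTES = 64          # the arbitrary trigger matches the first 64 bytes, starting at the DMAC
LABEL_MASK = 0xFFFFF000   # 20-bit label field of a 32-bit MPLS header; EXP/S/TTL are don't-care


def mpls_trigger_words(labels, dmac=None, smac=None):
    """Return (data_words, mask_words) for an ELAM 'dbus others if data = ...' trigger
    that matches an MPLS label stack (top label first) on the label fields only.

    dmac/smac: optional 6-byte MAC addresses to match; None means don't care (mask 0).
    """
    data = bytearray(FRAME_BYTES)
    mask = bytearray(FRAME_BYTES)
    for offset, mac in ((0, dmac), (6, smac)):
        if mac is not None:
            if len(mac) != 6:
                raise ValueError("MAC address must be 6 bytes")
            data[offset:offset + 6] = mac
            mask[offset:offset + 6] = b"\xff" * 6
    # EtherType follows the two MAC addresses at byte offset 12
    struct.pack_into(">H", data, 12, ETHERTYPE_MPLS)
    struct.pack_into(">H", mask, 12, 0xFFFF)
    offset = 14
    for label in labels:
        if not 0 <= label < (1 << 20):
            raise ValueError("MPLS label out of range: %r" % (label,))
        if offset + 4 > FRAME_BYTES:
            raise ValueError("label stack does not fit in the 64-byte trigger window")
        struct.pack_into(">I", data, offset, label << 12)   # EXP, S and TTL left zero
        struct.pack_into(">I", mask, offset, LABEL_MASK)
        offset += 4
    data_words = list(struct.unpack(">16I", data))
    mask_words = list(struct.unpack(">16I", mask))
    # Keep only the words up to the last one whose mask actually matches something
    last = max(i for i, m in enumerate(mask_words) if m) + 1
    return data_words[:last], mask_words[:last]


def _fmt(word):
    # The article writes unmasked words as a bare 0 and the rest as 32-bit hex
    return "0" if word == 0 else "0x%08x" % word


def elam_trigger_command(labels, dmac=None, smac=None):
    """Render the full 'show platform capture elam trigger ...' line for the given stack."""
    data_words, mask_words = mpls_trigger_words(labels, dmac, smac)
    return "show platform capture elam trigger dbus others if data = %s [ %s ]" % (
        " ".join(_fmt(w) for w in data_words),
        " ".join(_fmt(w) for w in mask_words),
    )


if __name__ == "__main__":
    # Reproduces the article's example for the label stack [0 1951]
    print(elam_trigger_command([0, 1951]))
```

The mask is what makes the trigger safe to use on a busy box: every byte you have not explicitly asked for (MAC addresses, EXP, bottom-of-stack bit, TTL) is masked out, so the trigger fires on the label stack alone rather than on one particular frame.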

Example output might be:

7600#show platform capture elam data
DBUS data:
SEQ_NUM                          [5] = 0x1D
QOS                              [3] = 1
QOS_TYPE                         [1] = 0
TYPE                             [4] = 0 [ETHERNET]
STATUS_BPDU                      [1] = 0
IPO                              [1] = 1
NO_ESTBLS                        [1] = 0
RBH                              [3] = b000   ! port-channel hash
CR                               [1] = 1      ! recirculated
TRUSTED                          [1] = 1
NOTIFY_IL                        [1] = 0
NOTIFY_NL                        [1] = 0
DISABLE_NL                       [1] = 0
DISABLE_IL                       [1] = 0
DONT_FWD                         [1] = 0
INDEX_DIRECT                     [1] = 0
DONT_LEARN                       [1] = 0
COND_LEARN                       [1] = 0
BUNDLE_BYPASS                    [1] = 0
QOS_TIC                          [1] = 1
INBAND                           [1] = 0
IGNORE_QOSO                      [1] = 0
IGNORE_QOSI                      [1] = 0
IGNORE_ACLO                      [1] = 0
IGNORE_ACLI                      [1] = 0
PORT_QOS                         [1] = 0
CACHE_CNTRL                      [2] = 0 [NORMAL]
VLAN                             [12] = 4086
SRC_FLOOD                        [1] = 0
SRC_INDEX                        [19] = 0xC0          ! divmod64(0xc0) = 3,0, add 1 to each, 4/1 == our physical port
LEN                              [16] = 102
FORMAT                           [2] = 0 [IP]
MPLS_EXP                         [3] = 0x0
REC                              [1] = 0
NO_STATS                         [1] = 0
VPN_INDEX                        [10] = 0x7F
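The DBUS dump is only useful once you turn the fields back into something you can compare against the configuration, so here is an added example (mine, not part of the article or of any Cisco software) that parses the `show platform capture elam data` output and checks it. The sample input is an excerpt copied from the output above; the parser strips the `! comment` annotations, reads hex (`0x1D`), binary (`b000`) and decimal values, keeps the bracketed decode (`[ETHERNET]`) when present, and rejects a value wider than the bit width shown in brackets. The SRC_INDEX decode follows the comment in the output (divide by 64, add 1 to both slot and port). The function names and the `verify` helper are my own.

```python
import re

# Constructed sample: an excerpt of the DBUS section of the article's ELAM output.
SAMPLE_DBUS = """\
DBUS data:
SEQ_NUM                          [5] = 0x1D
TYPE                             [4] = 0 [ETHERNET]
RBH                              [3] = b000   ! port-channel hash
CR                               [1] = 1      ! recirculated
VLAN                             [12] = 4086
SRC_INDEX                        [19] = 0xC0          ! divmod64(0xc0) = 3,0, add 1 to each, 4/1 == our physical port
LEN                              [16] = 102
FORMAT                           [2] = 0 [IP]
VPN_INDEX                        [10] = 0x7F
"""

# NAME   [width] = value [optional decode]
FIELD_RE = re.compile(
    r"^(?P<name>[A-Z0-9_]+)\s+\[(?P<width>\d+)\]\s*=\s*(?P<value>\S+)"
    r"(?:\s+\[(?P<label>[^\]]+)\])?"
)


def parse_value(text):
    """Accept the three value spellings seen in the dump: 0x.. hex, b.. binary, decimal."""
    if text.startswith("0x"):
        return int(text, 16)
    if text.startswith("b") and set(text[1:]) <= {"0", "1"}:
        return int(text[1:], 2)
    return int(text)


def parse_dbus(output):
    """Return {field: {'value': int, 'width': int, 'label': str or None}} for each DBUS line."""
    fields = {}
    for line in output.splitlines():
        line = line.split("!", 1)[0].rstrip()      # drop trailing '! ...' annotations
        m = FIELD_RE.match(line)
        if not m:
            continue                                # header lines such as 'DBUS data:'
        value = parse_value(m.group("value"))
        width = int(m.group("width"))
        if value >= 1 << width:
            raise ValueError("%s = %d does not fit in %d bits" % (m.group("name"), value, width))
        fields[m.group("name")] = {"value": value, "width": width, "label": m.group("label")}
    return fields


def src_index_to_port(src_index):
    """Decode SRC_INDEX to (slot, port) as the article's comment does: divmod by 64, add 1 to each."""
    slot, port = divmod(src_index, 64)
    return slot + 1, port + 1


def verify(fields, expect_vlan, expect_port):
    """Compare what the PFC saw with what the configuration says it should have seen.
    Returns a list of mismatch descriptions; an empty list means hardware and config agree."""
    problems = []
    vlan = fields["VLAN"]["value"]
    if vlan != expect_vlan:
        problems.append("VLAN %d seen, expected %d" % (vlan, expect_vlan))
    port = src_index_to_port(fields["SRC_INDEX"]["value"])
    if port != expect_port:
        problems.append("ingress port %d/%d seen, expected %d/%d" % (port + expect_port))
    return problems


if __name__ == "__main__":
    parsed = parse_dbus(SAMPLE_DBUS)
    print("ingress port %d/%d" % src_index_to_port(parsed["SRC_INDEX"]["value"]))
    print(verify(parsed, expect_vlan=4086, expect_port=(4, 1)) or "hardware matches configuration")
```

The width check is the part worth keeping: a field value that does not fit its advertised bit width means the output was mangled in transit (a paste that lost a character, a line wrap), and it is better to stop than to draw a conclusion about the forwarding path from a corrupted dump.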

All the bigger platforms have this kind of low-level capture for transit packets. They are exceptionally useful when you need to verify that the hardware is doing what the configuration says; sometimes there are software defects and it does something other than what you expect.

I know that in GSR you can see transit in memory; in Juniper Trio there is quite a nice tool for it as well. Brocade can do it. It’s quite baffling that they are not documented on vendor pages.
