Friday, December 24, 2010

Cisco Security Expert: Full Packet Capture Feature Native in Cisco IOS

Every good network engineer loves to capture packets to help with troubleshooting problems. The issue is that it takes time, effort and expense to set up a distributed packet capture solution. For years we've just wanted the ability to have our switches capture packets for us and thus save us from having to set up SPAN and monitor sessions with external capture devices. Well, I'm happy to report that your Cisco Catalyst 6500/7600 switches and your Cisco IOS routers have been able to do that for quite some time now. Most folks I run into had no idea this was available, which is the reason for this blog post. Spread the word! Here are the details.

The feature is called mini Protocol Analyzer (MPA). It is available in router IOS 12.4(20)T and in Catalyst 6500/7600 IOS 12.2.33SXI or later. MPA can either save the pcap file to flash or export it off-box. MPA can even capture CEF-switched flows, which is nice. If you just want to look at the capture buffer from the IOS CLI you can do that too. It looks like this:

Router# show monitor capture buffer detail
1 Arrival time : 09:44:30 UTC Fri Nov 17 2006
Packet Length : 74 , Capture Length : 68
Ethernet II : 0100.5e00.000a 0008.a4c8.c038 0800
IP: s=10.12.0.5 , d=224.0.0.10, len 60, proto=88
2 Arrival time : 09:44:31 UTC Fri Nov 17 2006
Packet Length : 346 , Capture Length : 68
346 0180.c200.000e 0012.44d8.5000 88CC 020707526F757463031

Adding the dump keyword to the end of the above command will even show you a full data payload decode as well. When you set up the capture you can filter the captured traffic so you only capture what you want to. Options for this include filtering on a VLAN, ACL, MAC address, packet length and ethertype. You can also schedule the capture to begin at a certain time/date. The biggest drawback of this feature is its limited buffer size (the maximum is 65000KB). But for quick and clean troubleshooting it can be a savior. Enjoy!
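As an added example (not code from the post or from Cisco), here is a small Python parser for the show monitor capture buffer detail output shown above. It turns each numbered entry into a record, flags entries whose capture length is shorter than the packet length (truncated by the 68-byte capture), and handles the fallback raw hex line the decoder prints for non-IP frames. The sample input is constructed from the two entries quoted in the post; the protocol name tables are a small assumed subset.

```python
import re

# Constructed sample: the two buffer entries quoted in the post, as the CLI prints them.
SAMPLE = """\
1 Arrival time : 09:44:30 UTC Fri Nov 17 2006
Packet Length : 74 , Capture Length : 68
Ethernet II : 0100.5e00.000a 0008.a4c8.c038 0800
IP: s=10.12.0.5 , d=224.0.0.10, len 60, proto=88
2 Arrival time : 09:44:31 UTC Fri Nov 17 2006
Packet Length : 346 , Capture Length : 68
346 0180.c200.000e 0012.44d8.5000 88CC 020707526F757463031
"""

REC_RE = re.compile(r"^(\d+)\s+Arrival time\s*:\s*(.+)$")
LEN_RE = re.compile(r"Packet Length\s*:\s*(\d+)\s*,\s*Capture Length\s*:\s*(\d+)")
ETH_RE = re.compile(r"^Ethernet II\s*:\s*(\S+)\s+(\S+)\s+([0-9A-Fa-f]{4})")   # dst src type
IP_RE = re.compile(r"^IP:\s*s=(\S+)\s*,\s*d=(\S+),\s*len\s+(\d+),\s*proto=(\d+)")
RAW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]+)$")  # len dst src type hex

# Assumed, partial lookup tables for the one-line summary.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x88CC: "LLDP"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP", 88: "EIGRP", 89: "OSPF"}

def parse_buffer(text):
    """Return one dict per numbered entry in 'show monitor capture buffer detail' output."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if (m := REC_RE.match(line)):
            cur = {"num": int(m.group(1)), "arrival": m.group(2), "truncated": False}
            records.append(cur)
        elif cur is None:
            continue                      # header noise before the first entry
        elif (m := LEN_RE.search(line)):
            cur["pkt_len"], cur["cap_len"] = int(m.group(1)), int(m.group(2))
            cur["truncated"] = cur["cap_len"] < cur["pkt_len"]   # payload cut by capture length
        elif (m := ETH_RE.match(line)):
            cur.update(dst_mac=m.group(1), src_mac=m.group(2), ethertype=int(m.group(3), 16))
        elif (m := IP_RE.match(line)):
            cur.update(src_ip=m.group(1), dst_ip=m.group(2), ip_len=int(m.group(3)), proto=int(m.group(4)))
        elif (m := RAW_RE.match(line)):
            # Decoder fell back to a raw line: dst/src MAC, ethertype and the captured hex payload.
            cur.update(dst_mac=m.group(2), src_mac=m.group(3), ethertype=int(m.group(4), 16), raw_hex=m.group(5))
    return records

def describe(rec):
    """One-line summary per entry, handy for grepping a long buffer dump."""
    flag = " [truncated]" if rec["truncated"] else ""
    eth = ETHERTYPES.get(rec.get("ethertype"), "0x%04x" % rec.get("ethertype", 0))
    if "src_ip" in rec:
        proto = IP_PROTOS.get(rec["proto"], str(rec["proto"]))
        return f"#{rec['num']} {eth} {rec['src_ip']} -> {rec['dst_ip']} {proto}{flag}"
    return f"#{rec['num']} {eth} {rec['src_mac']} -> {rec['dst_mac']}{flag}"

if __name__ == "__main__":
    for r in parse_buffer(SAMPLE):
        print(describe(r))
```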

TAC guide on how to use the feature in router IOS
https://supportforums.cisco.com/docs/DOC-5799

6500 Guide on using MPA in IOS
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/con...
