Unlimited Concepts



    Run a sniffer right on the router


    Post by +uc.Un1x Sat Apr 25, 2009 3:08 am

    Just upgraded my 871 to 12.4(20)T, the new release, and I've been playing with the IP traffic-export functions. I think this was actually added in 12.4(11)T but I never bothered to play with it. This lets me run a packet capture right on the router, store the capture in memory, then copy it off to flash, or TFTP, for later viewing in Wireshark.

    Configuration is pretty straightforward in its simplest implementation:

    1. Create a traffic-export profile:

    ip traffic-export profile sniffer mode capture
    bidirectional
    !

    Be sure to specify mode "capture", otherwise it will be looking for additional commands to be entered. "sniffer" is just a tag; it could be whatever you want. "bidirectional" gets me packets in and out of an interface.

    2. Apply said profile to an interface:

    interface vlan 1
    ip traffic-export apply sniffer
    !

    3. Go back to enable mode, and start the capture:

    traffic-export interface vlan 1 start

    4. Check the status of the sniffer with this command:
    show ip traffic-export

    You should see something like this:

    Code:
    Bunson#show ip traffic-export
    Router IP Traffic Export Parameters
    Monitored Interface: Vlan1
          Capture full packet length.
          bi-directional traffic capture is on
      Output IP Traffic Capture Information
          Packets/Bytes Captured  74/16620
          Packets Dropped        87
          Sampling Rate          one-in-every 1 packets
          No Access List configured
      Input IP Traffic Capture Information
          Packets/Bytes Captured  95/7015
          Packets Dropped        146
          Sampling Rate          one-in-every 1 packets
          No Access List configured
      IP Traffic Capture Buffer Information
          Defined Buffer Size    5242880 bytes
          Capture Buffer Size    5242880 bytes
          Capture Buffer Used    26363 bytes
          Capture Buffer Free    5216517 bytes
      Profile sniffer capture state: Active


    Note, it tells you how many packets it captured in the in/out directions, how many it missed, and some stats on the buffer itself. I think it's limited in how fast it can capture packets, I'm not entirely sure, but you can be finer-grained in what you capture by attaching ACLs under the profile.

    5. Stop the capture:
    traffic-export interface vlan 1 stop

    6. Copy it some place so you can look at it:
    traffic-export interface vlan 1 copy tftp://192.168.1.200/sniffer.pcap

    7. Open file in wireshark, look at your capture.

    Pretty neat I think. This doc has more information:
    http://www.cisco.com/en/US/docs/ios/12_ ... rawip.html
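An added example, not part of the post above: the show output it reproduces reports more packets dropped than captured in both directions (87 dropped vs. 74 captured outbound, 146 vs. 95 inbound), so before opening the pcap in Wireshark it is worth checking how much of the link the capture actually represents, and whether the file that arrived over TFTP is a complete pcap. The Python below parses the `show ip traffic-export` counters (the sample text is a trimmed copy of the output shown in the post), computes per-direction drop ratios and flags a full buffer, and validates the libpcap global header and record chain of an exported file. The pcap bytes it checks are constructed inline for illustration; the drop threshold, function names and the assumption that the exported file is classic libpcap format (which is what Wireshark opens) are mine, not Cisco's.

```python
"""Added example: sanity-check a RITE capture before trusting it.
Parses `show ip traffic-export` for drop rates and buffer use, and validates
the libpcap file copied off the router. Sample data is constructed, not live."""
import re
import struct

# Constructed sample: the counters from the post's show output, trimmed.
SAMPLE_SHOW = """\
Monitored Interface: Vlan1
  Output IP Traffic Capture Information
      Packets/Bytes Captured  74/16620
      Packets Dropped        87
      Sampling Rate          one-in-every 1 packets
  Input IP Traffic Capture Information
      Packets/Bytes Captured  95/7015
      Packets Dropped        146
      Sampling Rate          one-in-every 1 packets
  IP Traffic Capture Buffer Information
      Defined Buffer Size    5242880 bytes
      Capture Buffer Size    5242880 bytes
      Capture Buffer Used    26363 bytes
      Capture Buffer Free    5216517 bytes
  Profile sniffer capture state: Active
"""

def parse_traffic_export(text):
    """Return interface, per-direction counters, buffer sizes and profile state."""
    stats = {"interface": None, "profile": None, "state": None,
             "directions": {}, "buffer": {}}
    direction = None  # set by the Input/Output section headers
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Monitored Interface: (\S+)", line):
            stats["interface"] = m.group(1)
        elif m := re.match(r"(Input|Output) IP Traffic Capture Information", line):
            direction = m.group(1).lower()
            stats["directions"][direction] = {}
        elif m := re.match(r"Packets/Bytes Captured\s+(\d+)/(\d+)", line):
            stats["directions"][direction].update(
                packets=int(m.group(1)), bytes=int(m.group(2)))
        elif m := re.match(r"Packets Dropped\s+(\d+)", line):
            stats["directions"][direction]["dropped"] = int(m.group(1))
        elif m := re.match(r"Sampling Rate\s+one-in-every (\d+) packets", line):
            stats["directions"][direction]["sample_every"] = int(m.group(1))
        elif m := re.match(r"(Defined|Capture) Buffer (Size|Used|Free)\s+(\d+) bytes", line):
            stats["buffer"][f"{m.group(1)}_{m.group(2)}".lower()] = int(m.group(3))
        elif m := re.match(r"Profile (\S+) capture state: (\S+)", line):
            stats["profile"], stats["state"] = m.group(1), m.group(2)
    return stats

def drop_ratio(stats, direction):
    """Share of packets the router saw in that direction but never buffered."""
    d = stats["directions"][direction]
    seen = d["packets"] + d["dropped"]
    return d["dropped"] / seen if seen else 0.0

def assess(stats, max_drop=0.10):
    """List reasons the capture is not a reliable record of the link (threshold is mine)."""
    findings = []
    for name in sorted(stats["directions"]):
        ratio = drop_ratio(stats, name)
        if ratio > max_drop:
            findings.append(f"{name}: {ratio:.0%} dropped; narrow with an ACL or sample")
    if stats["buffer"].get("capture_free", 1) == 0:
        findings.append("capture buffer full; later packets were not recorded")
    return findings

def check_pcap(data):
    """Validate a classic libpcap file and count records; a short TFTP copy raises."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError(f"not a pcap file (magic {magic:#010x})")
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    offset, packets = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header (incomplete copy?)")
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        if incl_len > snaplen or offset + 16 + incl_len > len(data):
            raise ValueError("truncated packet record (incomplete copy?)")
        offset += 16 + incl_len
        packets += 1
    return {"endian": "little" if endian == "<" else "big",
            "linktype": linktype, "snaplen": snaplen, "packets": packets}

def constructed_pcap():
    """Constructed little-endian pcap holding one 14-byte Ethernet frame (not a real export)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame = bytes(14)
    record = struct.pack("<IIII", 1240626480, 0, len(frame), len(frame)) + frame
    return header + record

if __name__ == "__main__":
    for finding in assess(parse_traffic_export(SAMPLE_SHOW)):
        print(finding)
    print(check_pcap(constructed_pcap()))
```

Run against the post's numbers, both directions come back well above the threshold (roughly 54% of outbound and 61% of inbound packets were dropped), which is the practical reason to add `incoming`/`outgoing` access lists or sampling to the profile before treating the pcap as evidence. One further point for anyone copying captures off a router: TFTP carries the file in the clear with no authentication, so the export host should sit on a management network, and the buffer should be cleared once the file is safely stored.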
