Full Packet Capture Feature Native in Cisco IOS

Excellent troubleshooting tool is embedded in Cisco IOS

Every good network engineer loves to capture packets to help with troubleshooting problems. The issue is that it takes time, effort and expense to set up a distributed packet capture solution. For years we've just wanted the ability to have our switches capture packets for us and thus save us from having to set up SPAN and monitor sessions with external capture devices. Well, I'm happy to report that your Cisco Catalyst 6500/7600 switches and your Cisco IOS routers have been able to do that for quite some time now. Most folks I run into had no idea this was available, hence this blog post. Spread the word!

Here are the details. The feature is called mini Protocol Analyzer (MPA). It is available in router IOS 12.4(20)T and in Catalyst 6500/7600 IOS 12.2.33SXI or later. MPA can either save the pcap file to flash or export it off-box. MPA can even interface with CEF-switched flows, which is nice. If you just want to look at the capture buffer from the IOS CLI, you can do that too. It looks like this:


Router# show monitor capture buffer detail       
 1      Arrival time : 09:44:30 UTC Fri Nov 17 2006 
        Packet Length : 74 , Capture Length : 68 
        Ethernet II :  0100.5e00.000a  0008.a4c8.c038  0800  
        IP: s=10.12.0.5 , d=224.0.0.10, len 60, proto=88 
 2      Arrival time : 09:44:31 UTC Fri Nov 17 2006 
        Packet Length : 346 , Capture Length : 68 
346   0180.c200.000e  0012.44d8.5000  88CC 020707526F757463031 
Adding dump to the end of the above command will even show you a full data payload decode as well. When you set up the capture, you can filter the traffic so you only capture what you want. Options for this include filtering on VLAN, ACL, MAC address, packet length and ethertype. You can also schedule the capture to begin at a certain time/date.

The biggest drawback of this feature is its limited buffer size; the max is 65000KB. But for quick and clean troubleshooting it can be a savior. Enjoy!

TAC guide on how to use the feature in router IOS: https://supportforums.cisco.com/docs/DOC-5799

6500 guide on using MPA in IOS: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/mpa.html
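For triaging a buffer pasted from the CLI without exporting a pcap, the detail output shown above can be parsed into records. This is an added example, not code from the original post or from Cisco; the function names are hypothetical, and the sample is constructed from the output above, with the second record written as a clean non-IP frame.

```python
import re

# Constructed sample modelled on the 'show monitor capture buffer detail' output above.
SAMPLE = """\
 1      Arrival time : 09:44:30 UTC Fri Nov 17 2006
        Packet Length : 74 , Capture Length : 68
        Ethernet II :  0100.5e00.000a  0008.a4c8.c038  0800
        IP: s=10.12.0.5 , d=224.0.0.10, len 60, proto=88
 2      Arrival time : 09:44:31 UTC Fri Nov 17 2006
        Packet Length : 346 , Capture Length : 68
        Ethernet II :  0180.c200.000e  0012.44d8.5000  88CC
"""

HEAD = re.compile(r"^\s*(\d+)\s+Arrival time\s*:\s*(.+?)\s*$")
LENS = re.compile(r"Packet Length\s*:\s*(\d+)\s*,\s*Capture Length\s*:\s*(\d+)")
ETH = re.compile(r"Ethernet II\s*:\s*([0-9a-f.]+)\s+([0-9a-f.]+)\s+([0-9a-f]{4})", re.I)
IP = re.compile(r"IP:\s*s=(\S+)\s*,\s*d=(\S+?),\s*len\s+(\d+),\s*proto=(\d+)")

def parse_capture(text):
    """Return one dict per packet; fields missing from the output stay absent."""
    packets, cur = [], None
    for line in text.splitlines():
        if m := HEAD.match(line):
            cur = {"index": int(m[1]), "arrival": m[2]}
            packets.append(cur)
        elif cur is None:
            continue  # prompt or banner lines before the first record
        elif m := LENS.search(line):
            cur["packet_len"], cur["capture_len"] = int(m[1]), int(m[2])
        elif m := ETH.search(line):
            # Assumption: wire order, destination MAC first (0100.5e00.000a
            # is the multicast MAC that maps to 224.0.0.10).
            cur["dst_mac"], cur["src_mac"], cur["ethertype"] = m[1], m[2], m[3].upper()
        elif m := IP.search(line):
            cur.update(src=m[1], dst=m[2], ip_len=int(m[3]), proto=int(m[4]))
    return packets

def truncated(packets):
    """Indexes of packets whose data was cut short by the capture length."""
    return [p["index"] for p in packets
            if p.get("capture_len", 0) < p.get("packet_len", 0)]

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    for p in pkts:
        print(p)
    print("truncated:", truncated(pkts))
```

Packets reported as truncated have a Capture Length below their Packet Length, so a payload decode of those frames is incomplete.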

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary:

Credit Card Skimming: How thieves can steal your card info without you knowing it
Google Nexus One vs. Top 10 Phone Security Requirements
Why you should always shred your boarding pass
Video rental records are afforded more privacy protections than your online data
The truth about new SSL attacks
2009 Top Urban Legends in IT Security

Go to Jamey’s Blog for more articles on security.


Copyright © 2010 IDG Communications, Inc.
