I ran into a situation where I needed to perform a packet capture on the WAN interface of a router that was facing an ISP. The site was rather remote, so putting a hub between the router and the ISP and capturing the packets via Wireshark was going to be very time-consuming. Here is how to perform a packet capture right on the router and then export the capture to Wireshark for analysis.
- Create the capture buffer
monitor capture buffer holdpackets
monitor capture buffer holdpackets size 2048 max-size 1024
- Create capture profile. (This will capture everything on the router, but you can use an access-list to filter this down)
monitor capture point ip process-switched capturepackets both
- Associate the profile with the buffer
monitor capture point associate capturepackets holdpackets
- Start the capture
monitor capture point start capturepackets
- Generate traffic you want to capture and then view the buffer to verify captured packets (optional)
show monitor capture buffer all parameters
- Stop the capture
monitor capture point stop capturepackets
- Export the capture via TFTP for viewing in Wireshark
monitor capture buffer holdpackets export tftp://10.1.1.11/capture.pcap
- Clear the buffer and start the capture over again at step 4 to repeat
monitor capture buffer holdpackets clear
Here is the Cisco document that goes into further detail: https://supportforums.cisco.com/docs/DOC-5799
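The access-list filter mentioned in the capture profile step can be attached to the buffer so that only matching packets are stored. This is an added example, not part of the original post: the ACL name CAPTURE-FILTER and the host 192.0.2.10 are constructed placeholders, while the buffer and capture point names are the ones used above.

```cisco
! Added example: CAPTURE-FILTER and 192.0.2.10 are placeholders, not values
! from the original post. Replace them with the host you are troubleshooting.
configure terminal
 ip access-list extended CAPTURE-FILTER
  ! The capture point records both directions, so match traffic to and from the host.
  permit ip host 192.0.2.10 any
  permit ip any host 192.0.2.10
 end
!
! Attach the ACL to the existing buffer; packets that do not match are not stored.
monitor capture buffer holdpackets filter access-list CAPTURE-FILTER
!
! Confirm the filter appears in the buffer parameters, then start the capture.
show monitor capture buffer holdpackets parameters
monitor capture point start capturepackets
```

Filtering keeps the small on-router buffer from filling with unrelated traffic and limits how much of other hosts' traffic ends up in the exported capture file.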
Great write-up! Thank you.
Very helpful!