Friday, August 30, 2013

Cisco IOS like TCPdump with Filter (Packet Capture)

Yesterday I posted about the internal packet capture feature in Cisco IOS (its equivalent of tcpdump) with a simple example. This post shows an example with more kinds of traffic and a capture filter.

The scenario is simple: generate two kinds of traffic, UDP with traceroute and ICMP with ping, then build an extended access-list that permits UDP and denies ICMP and attach it to the capture buffer as a filter.

Hope this is useful for you ;-)


#### Preconfiguration for testing IOS packet capture: read here


#### Step by step IOS packet capture with filter

#### Define a capture buffer: 512 KB, at most 1024 bytes kept per packet (longer packets are truncated), circular so the oldest packets are overwritten when it fills up
IOS-1# monitor capture buffer PACKET size 512 max-size 1024 circular

#### Create the filter access-list and attach it to the capture buffer
#### Permit all UDP (traceroute probes), deny everything else, which includes ICMP (ping). The explicit "deny ip any any" only restates the implicit deny at the end of every IOS ACL. Note that "permit udp any any" is wider than traceroute: any other UDP on the VLAN, for example DNS, is captured too.
IOS-1# conf t
IOS-1(config)# access-list 100 permit udp any any
IOS-1(config)# access-list 100 deny ip any any
IOS-1(config)# exit
IOS-1# monitor capture buffer PACKET filter access-list 100

#### Define a capture point for IPv4 CEF-switched traffic on interface Vlan11, both directions (ingress and egress)
IOS-1# monitor capture point ip cef Vlan11_CAP Vlan11 both

#### Associate the capture point with the capture buffer
IOS-1# monitor capture point associate Vlan11_CAP PACKET

#### Start the capture point; packets that match the filter are copied into the buffer
IOS-1# monitor capture point start Vlan11_CAP

#### Stop the capture point when done collecting (run this after the test traffic below; the show outputs there were taken while the point was still active)
IOS-1# monitor capture point stop Vlan11_CAP


#### Verify and test

#### Summary view of the capture point
IOS-1# show monitor capture point Vlan11_CAP
Status Information for Capture Point Vlan11_CAP
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: PACKET              
Status : Active

Configuration:
monitor capture point ip cef Vlan11_CAP Vlan11 both

#### Generate ICMP traffic from the other side (denied by the filter, so nothing should be captured)
IOS-2# ping 172.16.12.1 source 172.16.12.2 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.12.2 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/8 ms

#### Summary view of the capture buffer: the packet counter is still 0, because the filter denies ICMP
IOS-1# show monitor capture buffer PACKET parameters 
Capture buffer PACKET (circular buffer)
Buffer Size : 524288 bytes,Max Element Size : 1024 bytes,Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : Vlan11_CAP, Status : Active
Configuration:
monitor capture buffer PACKET size 512 max-size 1024 circular 
monitor capture point associate Vlan11_CAP PACKET
monitor capture buffer PACKET filter access-list 100

#### Generate UDP traffic from the other side (permitted by the filter)
IOS-2# traceroute 172.16.12.1  

Type escape sequence to abort.
Tracing the route to 172.16.12.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.12.1 0 msec 0 msec * 
  
#### Summary view of the capture buffer: the packet counter is now 6
IOS-1# show monitor capture buffer PACKET parameters 
Capture buffer PACKET (circular buffer)
Buffer Size : 524288 bytes,Max Element Size : 1024 bytes,Packets : 6
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : Vlan11_CAP, Status : Active
Configuration:
monitor capture buffer PACKET size 512 max-size 1024 circular 
monitor capture point associate Vlan11_CAP PACKET
monitor capture buffer PACKET filter access-list 100

#### Per-packet information for the captured packets (timestamp, switching path, interface; no protocol decode)
IOS-1# show monitor capture buffer PACKET
10:10:54.271 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

10:10:57.275 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

10:11:00.275 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

10:11:03.287 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

10:11:06.283 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

10:11:09.283 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

#### Show the hex dump of the captured packets
Decoding the bytes shows that these six frames are not the traceroute probes: each one is a DNS PTR query for 1.12.16.172.in-addr.arpa (the hop address 172.16.12.1) sent by IOS-2 from 172.16.12.2 to the limited broadcast address 255.255.255.255 (MAC ff:ff:ff:ff:ff:ff), UDP port 53, three retries from source port 50418 and three from source port 55190. IOS traceroute tries to resolve each hop it prints, and with "ip domain-lookup" on and no name server configured IOS sends the lookup to the broadcast address. The queries were captured because "permit udp any any" matches any UDP, so the filter is much wider than "traceroute". The probes themselves do not show up in the buffer, which is worth remembering before treating a capture like this as complete evidence of what crossed the interface.
IOS-1# show monitor capture buffer PACKET dump
10:10:54.271 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

AAF183C0:                   FFFFFFFF FFFFAABB          ......*;
AAF183D0: CC800800 08004500 00460000 0000FE11  L.....E..F....~.
AAF183E0: 0495AC10 0C02FFFF FFFFC4F2 00350032  ..,.......Dr.5.2
AAF183F0: 00000003 01000001 00000000 00000131  ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164  .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00        dr.arpa......   

10:10:57.275 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

AAF183C0:                   FFFFFFFF FFFFAABB          ......*;
AAF183D0: CC800800 08004500 00460001 0000FE11  L.....E..F....~.
AAF183E0: 0494AC10 0C02FFFF FFFFC4F2 00350032  ..,.......Dr.5.2
AAF183F0: 00000003 01000001 00000000 00000131  ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164  .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00        dr.arpa......   

10:11:00.275 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

AAF183C0:                   FFFFFFFF FFFFAABB          ......*;
AAF183D0: CC800800 08004500 00460002 0000FE11  L.....E..F....~.
AAF183E0: 0493AC10 0C02FFFF FFFFC4F2 00350032  ..,.......Dr.5.2
AAF183F0: 00000003 01000001 00000000 00000131  ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164  .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00        dr.arpa......   

10:11:03.287 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

AAF183C0:                   FFFFFFFF FFFFAABB          ......*;
AAF183D0: CC800800 08004500 00460000 0000FE11  L.....E..F....~.
AAF183E0: 0495AC10 0C02FFFF FFFFD796 00350032  ..,.......W..5.2
AAF183F0: 00000004 01000001 00000000 00000131  ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164  .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00        dr.arpa......   

10:11:06.283 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

AAF183C0:                   FFFFFFFF FFFFAABB          ......*;
AAF183D0: CC800800 08004500 00460001 0000FE11  L.....E..F....~.
AAF183E0: 0494AC10 0C02FFFF FFFFD796 00350032  ..,.......W..5.2
AAF183F0: 00000004 01000001 00000000 00000131  ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164  .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00        dr.arpa......   

10:11:09.283 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None
          
AAF183C0:                   FFFFFFFF FFFFAABB          ......*;
AAF183D0: CC800800 08004500 00460002 0000FE11  L.....E..F....~.
AAF183E0: 0493AC10 0C02FFFF FFFFD796 00350032  ..,.......W..5.2
AAF183F0: 00000004 01000001 00000000 00000131  ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164  .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00        dr.arpa...... 
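Because the dump above is shown only as raw hex, here is a small decoder, written for this post as an added example and not taken from Cisco or from the original author, that reconstructs frames from the `show monitor capture buffer ... dump` text and decodes the Ethernet, IPv4, UDP or ICMP, and DNS question fields. Its only input is the first frame of the dump above, embedded as a constructed sample; the function and field names are my own. Running it shows a broadcast DNS PTR query for 1.12.16.172.in-addr.arpa from 172.16.12.2, source port 50418, which is what "permit udp any any" actually let through.

```python
"""Decode the hex dump printed by `show monitor capture buffer <name> dump`.
Added example (not from the original post): Cisco IOS EPC dump text ->
Ethernet / IPv4 / UDP-or-ICMP / DNS-question fields."""
import re
import struct
from typing import Dict, List

# Constructed sample input: the first frame of the dump above, copied verbatim
# (IOS prints an address, up to four 32-bit hex columns, then an ASCII column).
SAMPLE_DUMP = """\
10:10:54.271 UTC Aug 27 2013 : IPv4 LES CEF    : Vl11 None

AAF183C0:                   FFFFFFFF FFFFAABB          ......*;
AAF183D0: CC800800 08004500 00460000 0000FE11  L.....E..F....~.
AAF183E0: 0495AC10 0C02FFFF FFFFC4F2 00350032  ..,.......Dr.5.2
AAF183F0: 00000003 01000001 00000000 00000131  ...............1
AAF18400: 02313202 31360331 37320769 6E2D6164  .12.16.172.in-ad
AAF18410: 64720461 72706100 000C0001 00        dr.arpa......
"""

FRAME_HEADER = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# Hex columns are separated by one space; the ASCII column follows at least two
# spaces, so the single-space token run stops before it even if it looks hex-like.
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{8}:\s*((?:[0-9A-Fa-f]{2,8}\s)*[0-9A-Fa-f]{2,8})")
QTYPES = {1: "A", 12: "PTR", 28: "AAAA"}


def parse_dump(text: str) -> List[bytes]:
    """Split dump output into raw frames; every timestamp line starts a new one."""
    frames: List[bytes] = []
    current = bytearray()
    for line in text.splitlines():
        if FRAME_HEADER.match(line):
            if current:
                frames.append(bytes(current))
                current = bytearray()
            continue
        m = HEX_LINE.match(line)
        if m:
            current += bytes.fromhex(m.group(1).replace(" ", ""))
    if current:
        frames.append(bytes(current))
    return frames


def read_qname(data: bytes, off: int):
    """Read an uncompressed DNS name (the form used in a question section)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointer; not expected in a query, stop here
            off += 1
            break
        labels.append(data[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), off


def decode_frame(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet II -> IPv4 -> UDP/ICMP -> DNS question from one frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info: Dict[str, object] = {"dst_mac": frame[:6].hex(":"),
                               "src_mac": frame[6:12].hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return info
    ip = frame[14:]
    vihl, _tos, total_len, ident, _frag, ttl, proto, _csum, sip, dip = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    info.update(ip_src=".".join(map(str, sip)), ip_dst=".".join(map(str, dip)),
                ip_id=ident, ttl=ttl, proto=proto,
                # bytes after the IP total length are not part of the packet;
                # the IOS dump above carries one such trailing byte
                trailer_len=len(ip) - total_len)
    l4 = ip[ihl:total_len]
    if proto == 1:
        info.update(icmp_type=l4[0], icmp_code=l4[1])
    elif proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(udp_sport=sport, udp_dport=dport)
        if 53 in (sport, dport) and len(l4) > 20:
            txid, flags, qdcount = struct.unpack("!HHH", l4[8:14])
            info.update(dns_id=txid, dns_is_query=not (flags & 0x8000))
            if qdcount:  # question section starts after the 12-byte DNS header
                qname, off = read_qname(l4, 20)
                qtype, qclass = struct.unpack("!HH", l4[off:off + 4])
                info.update(dns_qname=qname, dns_qclass=qclass,
                            dns_qtype=QTYPES.get(qtype, str(qtype)))
    return info


def summarize(frame: bytes) -> str:
    """One-line, tcpdump-style description of a captured frame."""
    d = decode_frame(frame)
    if d.get("proto") == 17:
        s = (f"{d['ip_src']}:{d['udp_sport']} -> {d['ip_dst']}:{d['udp_dport']} "
             f"UDP ttl={d['ttl']} id={d['ip_id']}")
        if "dns_qname" in d:
            kind = "query" if d["dns_is_query"] else "response"
            s += f" DNS {kind} id={d['dns_id']} {d['dns_qtype']} {d['dns_qname']}"
        return s
    if d.get("proto") == 1:
        return f"{d['ip_src']} -> {d['ip_dst']} ICMP type={d['icmp_type']} code={d['icmp_code']}"
    return f"{d['src_mac']} -> {d['dst_mac']} ethertype=0x{d['ethertype']:04x}"


if __name__ == "__main__":
    for i, frame in enumerate(parse_dump(SAMPLE_DUMP), 1):
        print(f"[{i}] {len(frame)} bytes: {summarize(frame)}")
```

Run it as a script, or paste the full output of `show monitor capture buffer PACKET dump` into `parse_dump()`; every timestamp line starts a new frame. For anything beyond a quick look, `monitor capture buffer PACKET export <url>` writes the buffer as a pcap file that Wireshark can open. Keep in mind that the buffer and the dump hold full packet payloads up to the configured max-size, so handle an exported capture like any other packet capture, and that TFTP moves it over the network in cleartext.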
