EPC or embedded packet capture is like running SPAN on a router, yes this is possible but only on the primary interfaces. See below. EPC allows you to capture both directions, and for multiple AFI, IPv4 and IPv6 and on subinterfaces!
R1(config-mon-local)#source interface gigabitEthernet 1. - You can't SPAN a subinterface on a router. So for those utilizing ESXi for CCIE R&S or SPv4 prep like I do, EPC is your alternative.
The other issue you have is if the traffic is in the data plane of the router, the router is forwarding the traffic nor is the traffic destined for the router, then debugging won't work either. You could write an ACL to permit ip any any log, but that's hard on the CPU. Plus you'll see part of what you want anyways so, EPC is the way to go.
So how do we get this thing working anyway. Easy! There a few steps that need to be taken first before you just start sending traffic to the wireshark machine.
SIDEBAR, these are recommendations, not requirements!
First you'll need to set a limit of how much to capture. You'll be saving the capture in IO memory on the router until you have export it.
R1#monitor capture blog buffer size 10 - "blog" is the name of the capture
Second, you'll want to specify a circular buffer, this means that after 10MBs of capture data, the older data will be overwrote.
R1#monitor capture blog buffer circular
Third, you'll want to specify the interface to do the capturing on, the direction of the capture and what to capture.
R1#monitor capture blog interface gigabitEthernet 1.12 both any
Now, that's a step by step to just get ready to start capturing. You also have a one liner available:
R1#monitor capture blog buffer size 10 circular interface g1.12 both match any
Now we need to start the capture.
R1#monitor capture blog start
R1#
*Mar 29 23:28:18.126: %BUFCAP-6-ENABLE: Capture Point blog enabled.
Send some traffic over that link:
R1#ping 10.1.2.2 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1/7/50 ms
Stop the capture now, you don't have to do this, but if you don't and you start an export, there will be a steady stream of capture data sent to the TFTP server. The only way to stop it is to close the TFTP server.
R1#monitor capture blog stop
R1#
*Mar 29 23:29:04.817: %BUFCAP-6-DISABLE: Capture Point blog disabled.
Now let's export the capture and import it to Wireshark!
R1#monitor capture blog export tftp://10.255.1.17/R1R2PINK.pcap
!
Exported Successfully
Open that file in Wireshark by double clicking on it.
And as you can see, the ping was captured successfully.
Thanks for reading!
Rob Riker, CCIE #50693
No comments:
Post a Comment