Cat 9K Embedded Packet Capture (IOS XE)
Embedded Packet Capture (EPC) is an onboard packet capture facility that allows network administrators to capture packets flowing to, through, and from the device and to analyze them locally or save and export them for offline analysis by using a tool such as Wireshark. This feature simplifies network operations by allowing devices to become active participants in the management and operation of the network. This feature facilitates troubleshooting by gathering information about the packet format. This feature also facilitates application analysis and security.
With EPC you can do the following (with some limitations; check the reference for your IOS XE version):
- Activate captures at any interface.
- Apply access control lists (ACLs) or class maps to capture points.
- Destroy captures.
- Specify buffer storage parameters such as size and type. The size ranges from 1 MB to 100 MB. The default buffer is linear; the other option for the buffer is circular.
- Specify match criteria that include information about the protocol, IP address or port address.
Here I am using a Cat 9500 model with 17.X code.
Step-by-step guide for Embedded Packet Capture (EPC)
1. Define the capture buffer
The buffer is where the captured packets are temporarily stored on the switch. You must define its size and whether it is linear (stops when full) or circular (overwrites old packets).
monitor capture my-capture-name buffer size 10 linear
! (For a 10 MB buffer that stops when full)
Options:
- size <bytes>: Specify the buffer size in bytes, kilobytes (k), or megabytes (m).
- linear: Stops capturing when the buffer is full.
- circular: Overwrites the oldest packets when the buffer is full.
2. Create an Access Control List (ACL) (Optional but recommended)
Using an ACL is the best way to filter the traffic and prevent the capture buffer from filling up too quickly with irrelevant packets.
ip access-list extended CAPTURE-ACL
permit ip host 10.1.1.1 host 10.2.2.2
permit tcp any any eq 80
end
Note: Do not include a deny any statement at the end of the ACL, as this can prevent traffic from being captured.
3. Define the capture point
This step specifies the interface and direction of the traffic to be captured.
monitor capture my-capture-name interface <interface-id> both access-list CAPTURE-ACL
Options:
- <interface-id>: The specific physical interface (e.g., GigabitEthernet1/0/10) where the traffic is flowing. The Catalyst 9500 does not support EPC on SVIs, port-channels, or logical interfaces.
- in: Capture incoming traffic.
- out: Capture outgoing traffic.
- both: Capture traffic in both directions.
- access-list <acl-name>: Applies the named ACL created in the previous step to filter the captured packets.
4. Start the packet capture
monitor capture my-capture-name start
5. Reproduce the issue
Now is the time to perform the action that is causing the problem you want to troubleshoot, so that the relevant packets are captured.
6. Stop the packet capture
monitor capture my-capture-name stop
7. View the captured packets
You can view a summary or detailed hexadecimal dump of the captured packets directly on the CLI.
- Summary:
show monitor capture my-capture-name buffer brief
- Detailed dump:
show monitor capture my-capture-name buffer dump
8. Export the capture file
For a more detailed analysis using a tool like Wireshark, export the capture buffer to a file (PCAP) and copy it off the switch.
monitor capture my-capture-name export tftp://10.10.10.1/my-capture-file.pcap
! (Alternatively, use FTP, SCP, or a local flash card)
9. Clear the capture
After you have collected and exported your data, it is good practice to remove the temporary files and configurations to free up resources.
clear monitor capture my-capture-name buffer
no monitor capture my-capture-name
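As an added example (not from the original post and not a Cisco tool), here is a small Python checker that encodes the pitfalls the steps above call out before you paste a capture plan onto the switch: a trailing deny in the capture ACL, a buffer size outside the 1-100 MB range, a capture point on an SVI/port-channel/logical interface, a bad direction keyword, and a reference to an ACL that was never defined. The sample plan, the check_plan function and its messages are all constructed for this example.

```python
import re

# Constructed sample plan: the commands from the steps above, with two
# deliberate mistakes (an SVI capture point and a trailing deny) to flag.
SAMPLE_PLAN = """
ip access-list extended CAPTURE-ACL
 permit ip host 10.1.1.1 host 10.2.2.2
 permit tcp any any eq 80
 deny ip any any
monitor capture my-capture-name buffer size 10 linear
monitor capture my-capture-name interface Vlan100 both access-list CAPTURE-ACL
"""

# Interface name prefixes EPC does not support on the Cat 9500 (per the steps above).
UNSUPPORTED_IFACE = ("vlan", "port-channel", "loopback", "tunnel")

def check_plan(text):
    """Return a list of findings for an EPC plan written as CLI lines."""
    findings, acls, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:                                   # start collecting ACL entries
            current = m.group(1)
            acls[current] = []
            continue
        if current and line.split()[0] in ("permit", "deny"):
            acls[current].append(line)
            continue
        current = None                          # any other line leaves ACL mode
        m = re.match(r"monitor capture (\S+) buffer size (\d+)", line)
        if m and not 1 <= int(m.group(2)) <= 100:   # buffer is 1-100 MB on Cat 9K
            findings.append(f"{m.group(1)}: buffer size {m.group(2)} MB outside 1-100 MB")
        m = re.match(r"monitor capture (\S+) interface (\S+) (\S+)(?: access-list (\S+))?", line)
        if m:
            name, iface, direction, acl = m.groups()
            if iface.lower().startswith(UNSUPPORTED_IFACE):
                findings.append(f"{name}: EPC not supported on logical interface {iface}")
            if direction not in ("in", "out", "both"):
                findings.append(f"{name}: direction must be in, out or both, got {direction}")
            if acl and acl not in acls:
                findings.append(f"{name}: access-list {acl} is not defined in the plan")
    for name, entries in acls.items():          # the "no deny at the end" rule
        if entries and entries[-1].startswith("deny"):
            findings.append(f"{name}: ends with an explicit deny, which can block the capture")
    return findings

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print(finding)
```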
Happy Labbbingggggggggggggggggg !