Packet Capture on Cisco Routers

Problem:

I look after multiple 'remote branch' type locations. These branches have internet connections which connect back to central hubs via DMVPN. Occasionally incidents happen at these locations which require investigation (a single client hogging bandwidth, suspicious activity, etc.). How do you analyse this activity?

Several tools already exist which do a reasonable job. SNMP and NetFlow allow the gathering of statistics and endpoint addresses, which can give insight into such problems, but often it would be useful to have more information, such as a packet capture, to analyse the packet headers or even the packet contents of branch clients.

Solution:

Cisco provides a mechanism to capture packets on router interfaces in pcap format and then export this back to a TFTP server for analysis! A feature I was unaware of until a few days ago.

This feature is Cisco's Embedded Packet Capture (EPC), driven by the 'monitor capture' commands, and exists on the ISR series of routers I've been using. Below is an example of how to use it.

(If you wish to skip the full configuration skip to the bottom for a summary).

First, we define a buffer to store the packets we capture. This buffer is a space allocated in memory upon creation which we can then link to a capture point.

GRANT-897#monitor capture buffer testbuf 
GRANT-897#
GRANT-897#
GRANT-897#
GRANT-897#show monitor capture buffer all parameters
Capture buffer testbuf (linear buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer testbuf 
GRANT-897#

As you can see, the default buffer is 1MB and stores only the first 68 bytes of each packet (the "element size"). This is perfect for looking at packet headers, but the payload will be truncated wherever the frame is longer than 68 bytes (which it almost always will be).

If you want to capture the entire packet we can increase the maximum element size. This allows deeper analysis of packet content, but the buffer will fill after only a few hundred packets (1MB divided by 1600-byte elements is roughly 650 full-size frames). Only do this if you actually need the payload: a full-packet capture sitting in router memory, and later on a server, may contain credentials and other sensitive client data.

GRANT-897#monitor capture buffer testbuf max-size 1600
GRANT-897#
GRANT-897#
GRANT-897#show monitor capture buffer all parameters 
Capture buffer testbuf (linear buffer)
Buffer Size : 1048576 bytes, Max Element Size : 1600 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer testbuf max-size 1600 
GRANT-897#

Various other options can also be configured in terms of the buffer itself. See below for such options:

GRANT-897#monitor capture buffer testbuf ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer
            (in bytes)
  size      Packet Dump buffer size (in Kbytes)
  <cr>

For now we'll stick to the defaults for the other options. Worth knowing for the "single client" case is the 'filter' keyword, which ties an access list to the buffer so that only matching packets are stored; 'circular' keeps capturing by overwriting the oldest packets instead of stopping when the buffer fills.

Next is to define a capture point. This is where the packets will actually be captured and defines what types of packets we will capture. For now, I want to capture everything on the LAN interface of the router, which in this case is an SVI on VLAN10:

GRANT-897#monitor capture point ?
  associate     Associate capture point with
                capture buffer
  disassociate  Dis-associate capture point from
                capture buffer
  ip            IPv4
  ipv6          IPv6
  start         Enable Capture Point
  stop          Disable Capture Point
  tcp           TCP
  udp           UDP

This defines the capture point itself. We want to capture IP traffic which is CEF switched in both directions on the vlan10 interface. We will call the capture point 'testcap'. Note that a 'cef' capture point only sees CEF-switched transit traffic; packets punted to the CPU (including traffic to or from the router itself) are captured by a separate 'ip process-switched' capture point instead.

GRANT-897#monitor capture point ip cef testcap vlan10 both
GRANT-897#
020487: .Sep  3 15:47:33.849 UTC: %BUFCAP-6-CREATE: Capture Point testcap created.
GRANT-897#

Now we have the capture buffer and the capture point we need to link the two together using the following:

GRANT-897#monitor capture point associate testcap testbuf 

Time to begin capture! Our buffer and capture point are defined and linked, now one command is all it takes to begin capturing packets:

GRANT-897#monitor capture point start testcap 
GRANT-897#
020491: Sep  3 15:58:29.413 UTC: %BUFCAP-6-ENABLE: Capture Point testcap enabled.
GRANT-897#
GRANT-897#
020492: Sep  3 15:59:09.605 UTC: %BUFCAP-5-ELEM_TRIMMED: Element trimmed as there was not enough space in capture buffer testbuf. Original Size: 1306; Copied Size: 388.
020493: Sep  3 15:59:09.653 UTC: %BUFCAP-6-DISABLE: Capture Point testcap disabled.
GRANT-897#
020494: Sep  3 15:59:09.653 UTC: %BUFCAP-5-BUFFER_FULL: Linear Buffer associated with capture buffer testbuf is full.
GRANT-897#
GRANT-897#

As you can see, we were capturing for 40 seconds before the buffer became full. I was actually quite surprised there was not more activity! As soon as the buffer is full the capture stops automatically; the ELEM_TRIMMED message shows that the final packet was cut down (1306 to 388 bytes) to fit the remaining space, so expect the last record in the export to be short. The capture can be stopped manually using the 'stop' keyword in place of 'start'.

The buffer can be viewed on the router's CLI ('show monitor capture buffer testbuf dump') for a quick but crude analysis; personally I prefer to export the capture to an external server for analysis in Wireshark. Bear in mind that TFTP is unauthenticated and unencrypted, so a capture exported this way (especially a full-packet one) is itself sensitive data: send it over a trusted path, for example back through the DMVPN tunnel to the hub rather than directly over the internet, and delete it from the server once the investigation is done.

GRANT-897#monitor capture buffer testbuf export tftp://10.208.27.30/testbuf.pcap 

Before we move onto analysis, it's a good idea to delete the buffer and capture point so the router memory is released (the 'clear' keyword only empties the buffer; the 'no' form removes it):

GRANT-897#no monitor capture buffer testbuf
Capture Buffer deleted
GRANT-897#no monitor capture point ip cef testcap vlan10
GRANT-897#
020509: Sep  3 16:28:27.400 UTC: %BUFCAP-6-DELETE: Capture Point testcap deleted.
GRANT-897#

Onto analysis in Wireshark, where the exported pcap opens directly (screenshot of the capture in Wireshark not reproduced here):

Voila!
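As an added example (not part of the original post) of the kind of analysis the Problem section asks for, the script below parses a pcap file such as the one exported above and reports the top talkers by bytes sent. It relies on the fact that a headers-only capture (max-size 68) still records each packet's original wire length in the pcap record's orig_len field, so bandwidth figures come out right even though the payload was never stored. It assumes a classic libpcap file with an Ethernet link type, as produced for a capture on an Ethernet or SVI interface, and handles both pcap byte orders; the sample packets it builds for the demonstration are constructed, not from a real capture.

```python
"""Top-talker summary from a pcap exported by 'monitor capture buffer ... export'.

Added example, not from the original post. Assumptions: classic libpcap file
(magic 0xa1b2c3d4, either byte order), Ethernet link type (1), and that records
truncated to the buffer's element size still carry the real packet size in
orig_len. Sample data at the bottom is constructed for the demonstration.
"""
import struct
from collections import Counter

PCAP_MAGIC_NATIVE = 0xA1B2C3D4   # magic read with the file's own byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # what we see when the file is the other order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def parse_pcap(data: bytes):
    """Yield (timestamp, orig_len, captured_bytes) for each record in a pcap blob."""
    if len(data) < 24:
        raise ValueError("not a libpcap file (too short)")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_NATIVE:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:
            break  # file cut short (e.g. interrupted export): stop rather than misparse
        off += incl_len
        yield ts_sec + ts_usec / 1e6, orig_len, pkt


def ipv4_src_dst(pkt: bytes):
    """Return (src, dst, proto) for an Ethernet frame carrying IPv4, else None.
    Only the first 34 bytes are needed, so 68-byte truncated records are enough."""
    if len(pkt) < 34:
        return None
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None  # ARP, IPv6 and 802.1Q-tagged frames are skipped in this example
    proto = pkt[23]
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    return src, dst, proto


def top_talkers(data: bytes, n: int = 5):
    """Bytes sent per source IP, counted from orig_len (wire size) rather than the
    bytes actually stored, so headers-only captures give correct bandwidth figures.
    Returns (list of (ip, bytes) pairs, number of truncated records)."""
    by_src = Counter()
    truncated = 0
    for _ts, orig_len, pkt in parse_pcap(data):
        if len(pkt) < orig_len:
            truncated += 1
        hdr = ipv4_src_dst(pkt)
        if hdr is None:
            continue
        by_src[hdr[0]] += orig_len
    return by_src.most_common(n), truncated


def _frame(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Build a minimal Ethernet+IPv4 frame of total_len bytes (constructed test data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len - 14, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + b"\x00" * (total_len - len(eth) - len(ip))


def build_sample_pcap(snaplen: int = 68, byte_order: str = "<") -> bytes:
    """Constructed pcap: three hosts, one clearly hogging the link. Records are cut
    to snaplen the way a max-size 68 buffer stores them, orig_len keeps the real size."""
    frames = [("10.10.10.50", "203.0.113.10", 6, 1500)] * 6 \
        + [("10.10.10.20", "203.0.113.10", 6, 200)] * 3 \
        + [("10.10.10.30", "10.10.10.1", 17, 60)]
    out = struct.pack(byte_order + "IHHiIII", PCAP_MAGIC_NATIVE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, (s, d, p, ln) in enumerate(frames):
        f = _frame(s, d, p, ln)
        cap = f[:snaplen]
        out += struct.pack(byte_order + "IIII", 1_700_000_000 + i, 0, len(cap), len(f)) + cap
    return out


if __name__ == "__main__":
    import sys
    # pass the exported file (e.g. testbuf.pcap) as the first argument; otherwise use sample data
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    talkers, truncated = top_talkers(data)
    print(f"{truncated} records truncated to snaplen (sizes taken from orig_len)")
    for ip, nbytes in talkers:
        print(f"{ip:<16} {nbytes:>9} bytes")
```

Run it as `python top_talkers.py testbuf.pcap` against the exported file; with no argument it runs on the constructed sample, where the 10.10.10.50 host dominates. Frames with an 802.1Q tag or a non-IPv4 payload are skipped rather than misread, which is the safe failure mode for a quick triage tool; extend ipv4_src_dst if those matter in your environment.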

Summary

!Create a capture buffer:
GRANT-897#monitor capture buffer testbuf 

! (Optional) Modify the buffer as required, e.g:
GRANT-897#monitor capture buffer testbuf max-size 1600

!Create a capture point:
GRANT-897#monitor capture point ip cef testcap vlan10 both

!Bind the capture point and capture buffer together:
GRANT-897#monitor capture point associate testcap testbuf 

!Start capturing (stops automatically when the buffer fills, or use 'stop' to end it early)
GRANT-897#monitor capture point start testcap 
GRANT-897#monitor capture point stop testcap 

!After capture completes / stopped, export it to a server:
GRANT-897#monitor capture buffer testbuf export tftp://10.208.27.30/testbuf.pcap 

!Delete the buffer and capture point to save memory:
GRANT-897#no monitor capture buffer testbuf
GRANT-897#no monitor capture point ip cef testcap vlan10