TL;DR: On CISCO router, capture traffic locally to a pcap file and send it later to your computer.
I don’t know how did I missed that! I needed to capture a traffic on an interface, however for some reason, i couldn’t use live capture. So I was trying to find a way to capture, using the “?” a lot in CISCO terminal. Accidentally, I found a way to store a capture locally. I pretty sure everyone knows about this but me, but I”ll write this anyway.
After the capture is complete it needed to be sent somewhere. In my case I will send it to tftp server. So make sure you have tftp server running somewhere.
Performing the capture
Configure capture to match some traffic. In my case I want to capture any IPv6 traffic. For me the command would be :
Router# monitor capture cap_name match ipv6 any any interface gigabitEthernet 2 both
The command breakdown with some of the fields explained:
Router#monitor capture cap_name match ipv6 any any interface gigabitEthernet 2 both ^ ^ ^ ^ | | | +----------------+ +---------+ +-----------+ +-------------+ | | | | Destination selection + + | Capture name Match traffic type Source selection any all packets A.B.C.D/nn IPv4 source Prefix ... ip^4 IP^4 packets only or ipv6 IPv6 packets only X:X:X:X::X/<0-128> IPv6 source... mac MAC filter configuration any Any source prefix host A single source host protocol Protocols
Now I can start the capture:
Router# monitor capture cap_name start
Now the capture runs. It is probably a good idea to have some good match for a specific traffic to make sure to keep the capture file small and memory of the CISCO free.
While the capture runs, I can check it status:
Router#show monitor capture cap_name Status Information for Capture cap_name Target Type: Interface: GigabitEthernet2, Direction: both Status : Active Filter Details: IPv6 Source IP: any Destination IP: any Protocol: any Buffer Details: Buffer Type: LINEAR (default) Buffer Size (in MB): 10 Limit Details: Number of Packets to capture: 0 (no limit) Packet Capture duration: 0 (no limit) Packet Size to capture: 0 (no limit) Maximum number of packets to capture per second: 1000 Packet sampling rate: 0 (no sampling)
When the capture is done, I can stop it:
Router#monitor capture cap_name stop
And now I need to send the capture to my tftp server:
Router#monitor capture cap_name export tftp://10.0.0.44/my_capture.pcap ! Exported Successfully
Other destinations where a traffic can be exported to:
Router#monitor capture cap_name export ? bootflash: Location of the file flash: Location of the file ftp: Location of the file http: Location of the file https: Location of the file pram: Location of the file rcp: Location of the file scp: Location of the file tftp: Location of the file
This is it! Just open the file you’ve received in wireshark.