One thing that puzzles me about EPC is this seemingly artificial choice Cisco has you make between CEF and Process-switched methods. Why not just have it capture everything that traverses the interface in question? For example, I was trying to extend your example (and practice with extended ACLs) so that I would capture only BGP information being exchanged between neighbors. I filtered on TCP 179 in both directions, and even threw in TCP established for good measure. No matter what I did, I would always capture zero packets. The only thing I can think of is that BGP traffic must be process-switched and not CEF switched.
Also, I find it a bit odd that any commands entered as “monitor capture” don’t show up in the running config. It would sure be handy to run a “show run | s monitor capture” to see all the related commands that have already been issued.