Cisco Embedded Packet Capture (EPC)

Hi Rene

Is there any way to capture packets from a switchport using EPC?

Regards

Hello Carlo

The EPC packet capturing feature can be applied to Layer 2 switchports as well by simply specifying them. The capture can be performed on physical interfaces, sub-interfaces as well as tunnel interfaces.

I hope this has been helpful!

Laz

Hi,

If I use the linear buffer or the circular buffer, I won't have a problem with the router crashing. Can you confirm?
Thanks

Hello Andrea

Packet capturing in general is a mechanism that does use up some CPU and memory resources of the device. Obviously the better the CPU and the more memory you have, the less chance you have of crashing the router.

The use of a linear or circular buffer does not have a very big impact on whether or not the device will crash. A linear buffer will probably be safer, since it automatically stops once the buffer limit is reached. A circular buffer will continue to capture packets forever until you configure it to stop.

However, the most important configuration parameters that have an impact on CPU and memory usage are:

  • decoding and displaying packets
  • using a display and decode mode of "detailed"
  • the activation of a Wireshark capture point, as this creates a fixed-rate policer in the hardware that can flood the CPU
  • capturing an excessive number of attachment points at the same time

Also, the CPU usage during capture depends on how many packets match the specified conditions and on the intended actions for the matched packets (store, decode and display, or both).

You can find more information about what impacts a device’s resource usage at the following Cisco documentation:

I hope this has been helpful!

Laz


thanks so much for the explanation.


Hi Rene and Laz,

I don’t know why but it doesn’t seem to work.

Every time I opened the pcap file that I transferred to my PC, I got an error message, either that a packet was corrupted or that the number of packets in the file exceeded the maximum that the software can handle, even though I configured an 8k max size for the buffer.

I tested the configuration in a GNS3 lab, connected the virtual lab to my PC and used TFTP from the PC to one of the routers. The file itself is 4.5KB, so I don't know why it would say 7 trillion packets exist in the file when I open it with Wireshark.

  • It seems like I transferred the file in some ASCII mode instead of binary. After changing to binary mode I can access the files.

I used TFTP on a Windows client.

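The symptom above (a 4.5KB file that Wireshark reports as holding trillions of packets) is what a pcap looks like after an ASCII-mode transfer rewrites the LF bytes inside it. The following added example, not part of the original post, builds a constructed pcap, models that transfer, and walks the record chain to show where the file stops being consistent; the frame contents and the simplified netascii conversion are assumptions for illustration.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # microsecond-resolution pcap, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1  # the same magic as read from a big-endian file

# Constructed Ethernet/IPv4 frame; the 10.0.0.x addresses put 0x0A (LF) bytes in the data,
# which is exactly what an ASCII-mode file transfer rewrites.
FRAME = (bytes.fromhex("ffffffffffff 001122334455 0800")
         + bytes.fromhex("4500001c 00010000 40010000 0a000001 0a000002"))

def build_sample_pcap() -> bytes:
    """Constructed sample: a valid pcap (linktype 1 = Ethernet) holding FRAME twice."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", ts, 0, len(FRAME), len(FRAME)) + FRAME
                       for ts in (1, 2))
    return header + records

def ascii_mode_transfer(data: bytes) -> bytes:
    """Simplified model of a TFTP netascii/ASCII-mode transfer: LF -> CR LF, CR -> CR NUL."""
    out = bytearray()
    for b in data:
        out += b"\r\n" if b == 0x0A else b"\r\x00" if b == 0x0D else bytes([b])
    return bytes(out)

def check_pcap(data: bytes) -> dict:
    """Walk the record chain; report the packet count and the first inconsistency found."""
    if len(data) < 24:
        return {"ok": False, "packets": 0, "error": "shorter than the 24-byte global header"}
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        return {"ok": False, "packets": 0, "error": f"unknown magic 0x{magic:08x}"}
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    offset, count = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            return {"ok": False, "packets": count, "error": f"truncated record header at {offset}"}
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        # Once earlier bytes have been inserted, the next record header is read out of
        # alignment and its length field turns into an absurd value.
        if incl_len > snaplen or incl_len > orig_len or offset + 16 + incl_len > len(data):
            return {"ok": False, "packets": count,
                    "error": f"record {count + 1} at offset {offset} claims {incl_len} bytes"}
        offset += 16 + incl_len
        count += 1
    return {"ok": True, "packets": count, "error": None}

if __name__ == "__main__":
    good = build_sample_pcap()
    print("binary transfer:", check_pcap(good))
    print("ASCII transfer: ", check_pcap(ascii_mode_transfer(good)))
```

Running `check_pcap` over a file pulled off the device is a quick way to tell a mangled transfer from a capture problem before opening it in Wireshark.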

Hi Guys,

Just a query about EPC.
I was doing some packet captures on a 9300 running 16.9.4

I had a read through the configuration guide and it lists the following restriction.

Embedded Packet Capture is not supported on logical ports, which includes port channels, switch virtual interfaces (SVIs), and subinterfaces. It is supported only on physical ports.

I set up the following capture with an SVI as the interface to capture, in both directions.

 Status Information for Capture drillcap
  Target Type: 
 Interface: Vlan704, Direction: BOTH
   Status : Inactive
  Filter Details: 
   IPv4 
    Source IP:  172.16.229.16/28
    Destination IP:  any
   Protocol: any
  Buffer Details: 
   Buffer Type: LINEAR (default)
  File Details: 
   Associated file name: flash:drillcap.pcap
   Size of buffer(in MB): 100
  Limit Details: 
   Number of Packets to capture: 0 (no limit)
   Packet Capture duration: 600
   Packet Size to capture: 0 (no limit)
   Maximum number of packets to capture per second: 1000
   Packet sampling rate: 0 (no sampling)

I seem to be able to capture with those settings. Although I do seem to be missing some data that I believe is there. Would this be expected, or shouldn't it work at all?

Cheers
Josh

Hello Rene/Lagapides,

Can EPC capture traffic which is not destined to the switch itself? I mean, can I capture all traffic between two hosts in the same VLAN on a switch in between that is only doing L2 with EPC?
I have tried, but the packet counter doesn't increase at all.
Is SPAN the only alternative in that case?

Thanks
Regards

Hello Josh

Hmm, that’s interesting. If a feature is “not supported” it should typically not allow you to configure it in an unsupported manner. I was unable to find any info concerning this, but suffice it to say that any resulting captures should not be considered accurate, which is something that you have confirmed with the missing data you have discovered.

This reminds me of the situation where you can assign a switchport to a particular VLAN without that VLAN having been configured yet. It will accept the command, much like in your situation, but it will not be functional (until you actually create the VLAN). It's not quite the same, but it demonstrates how you can configure a feature without receiving any error messages, even if it is unsupported or non-functional.

Thanks for sharing this, as it is useful for us and for the readers of the forum!

Laz

Hello Ignacio

EPC is capable of capturing any packets that flow to, through, and from the device. This means that if a packet enters or exits a physical interface of the device, regardless of what the source or destination is, it can be captured. So based on the description of your scenario, I would have to say yes, it should be able to capture such traffic.

Now the fact that you are not capturing traffic may be due to a misconfiguration, platform, or due to EPC prerequisites or restrictions. One of these, mentioned by @ignacio.rodriguez.or and in my post above, is the fact that EPC must be applied only to physical ports of the device and not virtual ports (such as SVIs, or port channels for example).

Take a look at some of the restrictions, and review your configuration and let us know what you find. If you need further assistance, you know where to find us!

I hope this has been helpful!

Laz

Hello Rene,
I am trying to test EPC with this topology on EVE-NG:
R1-------R2
I ping from R1 to R2 and use EPC to capture packets.
If R1 runs IOS-XE, I see both the request and reply ICMP packets.
But if R1 runs normal IOS (e.g. IOS 15), it only shows one direction.

Is this a limit of EPC in IOS?
Below is my configuration:

ip access-list extended PACKET_FILTER
permit ip any any
exit

monitor capture buffer CAP-BUF size 8192 max-size 2048 circular
monitor capture buffer CAP-BUF filter access-list PACKET_FILTER
monitor capture point ip cef CAP-POINT <Gi1/0/4> both
monitor capture point associate CAP-POINT CAP-BUF
monitor capture point start CAP-POINT
monitor capture point stop CAP-POINT

Thank you!!!

Hello Hai

There are a couple of things that I can think of that may result in such behavior.

First, you should make sure that everything else is the same for both your tests with IOS-XE and with IOS 15. Ensure that the ping being performed does indeed exit and reenter the same interface and that there is no routing that may cause the ping to return via a different route. Make sure that the size of the ping does not exceed the sizes configured in the buffer command.

Second, ensure that CEF is enabled on both IOS versions. Because specifically CEF packets are being captured, it’s important to ensure that CEF is enabled. I suggest you also use the process-switched keyword for the monitor capture point command to see if those missing ping packets will be seen.

Try these out and let us know.

One question I do have is, in which direction do you see packets when using IOS 15? The image is cut off at the right edge and doesn’t clarify if they’re echo replies or echo requests.

I hope this has been helpful!

Laz

Hello,

So, to capture packets on a Cisco router (or switch) with IOS or IOS XE, the tool is EPC.
And do I always need an external tool like Wireshark?
Can't I view the data on the fly, directly on the CLI, like on the ASA (with the capture command)?

Thank you.
Regards.

Hello Alexis

Well, using EPC is one way to do it. The other way is to use SPAN, RSPAN, or ERSPAN. For those features, you need to configure switches and routers, as well as provision for a dedicated packet capture PC running Wireshark or another capture program.

EPC is convenient because you don’t need elaborate configurations, and you can save your pcap files directly to the device. This is useful if you don’t have a laptop/PC on hand to capture immediately.

Once the pcap file is saved, you must view it using some packet capture analysis program such as Wireshark.

You can view some data on the CLI using the following command:

R2#show monitor capture buffer CAPTURE dump

where CAPTURE is the name of the buffer. But the result shown is in hex and is not useful to examine. Using Wireshark presents the data in a much more useful way. When exported, the buffer becomes a pcap file.

Cisco Nexus devices have a more comprehensive packet capture and analysis feature called Ethanalyzer with which you can view more useful packet capture info in the CLI. You can find out more about it here:

But as far as I know, similar functionality is not yet available on IOS devices.

I hope this has been helpful!

Laz