Hi Rene
Is there any way to capture packet from swtichport using EPC?
Regards
Hello Carlo
The EPC packet capturing feature can be applied to Layer 2 switchports as well by simply specifying them. The capture can be performed on physical interfaces, sub-interfaces as well as tunnel interfaces.
I hope this has been helpful!
Laz
Hi,
If I use the linear buffer or the circular buffer, I won't have the problem of crashing the router. Can you confirm?
thanks
Hello Andrea
Packet capturing in general is a mechanism that does use up some CPU and memory resources of the device. Obviously the better the CPU and the more memory you have, the less chance you have of crashing the router.
The use of a linear or circular buffer does not have a very big impact on whether or not the device will crash. A linear buffer will probably be safer, since it automatically stops once the buffer limit is reached. A circular buffer will continue to capture packets forever until you configure it to stop.
However, the most important configuration parameters that have an impact on CPU and memory usage such as:
Also, the CPU usage during capture depends on how many packets match the specified conditions and on the intended actions for the matched packets (store, decode and display, or both).
You can find more information about what impacts a device's resource usage at the following Cisco documentation:
I hope this has been helpful!
Laz
thanks so much for the explanation.
Hi Rene and Laz,
I don't know why, but it doesn't seem to work.
Every time I open the pcap file which I transferred to my PC, I get an error message, either that a packet is corrupted or that the number of packets in the file exceeds the maximum that the software can handle - even though I configured an 8k max size for the buffer.
I tested the configuration in a GNS3 lab, connected the virtual lab to my PC and used TFTP from the PC to one of the routers. The file itself is 4.5KB, so I don't know why it would say 7 trillion packets exist in the file when I open it with Wireshark.
I used TFTP on a Windows client.
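A check worth running on an exported capture before handing it to Wireshark, as an added example that is not from this thread: it walks the pcap global header and every record header and reports the first inconsistency (bad magic, impossible capture length, or a record that runs past the end of the file). The sample file and the ascii_mode_damage helper, which mimics the newline translation a text-mode transfer applies to a binary file, are constructed for illustration and do not claim to reproduce the poster's file.

```python
import struct

# Magic numbers of classic (libpcap) files, mapped to the struct byte-order prefix.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def check_pcap(data: bytes) -> dict:
    """Walk the global header and every record header; stop at the first inconsistency."""
    if len(data) < 24:
        return {"ok": False, "packets": 0, "error": "shorter than the 24-byte global header"}
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        return {"ok": False, "packets": 0, "error": "unknown magic %s" % data[:4].hex()}
    major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if major != 2:
        return {"ok": False, "packets": 0, "error": "unexpected major version %d" % major}
    off, count = 24, 0
    while off < len(data):
        if len(data) - off < 16:
            return {"ok": False, "packets": count, "error": "truncated record header at offset %d" % off}
        _sec, _frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        if caplen > snaplen or caplen > origlen:
            return {"ok": False, "packets": count, "error": "record at offset %d claims %d captured bytes (snaplen %d, wire length %d)" % (off, caplen, snaplen, origlen)}
        if off + 16 + caplen > len(data):
            return {"ok": False, "packets": count, "error": "record at offset %d claims %d bytes but only %d remain" % (off, caplen, len(data) - off - 16)}
        off += 16 + caplen
        count += 1
    return {"ok": True, "packets": count, "snaplen": snaplen, "linktype": linktype}

def build_pcap(frames, snaplen=65535, linktype=1) -> bytes:
    """Constructed sample writer: little-endian pcap 2.4, one record per frame, Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames, start=1):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def ascii_mode_damage(data: bytes) -> bytes:
    """Assumed damage model for illustration: newline translation applied by a text-mode transfer."""
    return data.replace(b"\n", b"\r\n")

# Constructed frames; both contain a 0x0a byte, so the simulated damage changes their length.
SAMPLE = build_pcap([bytes(range(60)), bytes(range(40))])

if __name__ == "__main__":
    print(check_pcap(SAMPLE))                      # ok, 2 packets
    print(check_pcap(ascii_mode_damage(SAMPLE)))   # fails at the second record header
```

A file that passes this walk but still shows an absurd packet count in Wireshark was damaged in a way that kept the lengths consistent, so the next thing to compare is the file size and a hash on the device and on the PC.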
Hi Guys,
Just a query about EPC.
I was doing some packet captures on a 9300 running 16.9.4
I had a read through the configuration guide and it lists the following restriction.
Embedded Packet Capture is not supported on logical ports, which includes port channels, switch virtual interfaces (SVIs), and subinterfaces. It is supported only on physical ports.
I set up the following capture with an SVI as the interface to capture in both directions.
Status Information for Capture drillcap
Target Type:
Interface: Vlan704, Direction: BOTH
Status : Inactive
Filter Details:
IPv4
Source IP: 172.16.229.16/28
Destination IP: any
Protocol: any
Buffer Details:
Buffer Type: LINEAR (default)
File Details:
Associated file name: flash:drillcap.pcap
Size of buffer(in MB): 100
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 600
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
I seem to be able to capture with those settings. ALTHOUGH... I do seem to be missing some data that I believe is there. Would this be expected, or shouldn't it work at all?
Cheers
Josh
Hello Rene/Lagapides,
Can EPC capture traffic which is not destined to the switch itself? I mean, can I capture all traffic between two hosts in the same VLAN on a switch in between that is only doing L2, with EPC?
I have tried, but the packet counter doesn't increase at all.
Is SPAN the only alternative in that case?
Thanks
Regards
Hello Josh
Hmm, that's interesting. If a feature is "not supported" it should typically not allow you to configure it in an unsupported manner. I was unable to find any info concerning this, but suffice it to say that any resulting captures should not be considered accurate, which is something that you have confirmed with the missing data you have discovered.
This reminds me of the situation where you can assign a switchport to a particular VLAN without that VLAN having been configured yet. It will accept the command, much like in your situation, but it will not be functional (until you actually create the VLAN). It's not quite the same, but it demonstrates how you can configure a feature without receiving any error messages, even if it is unsupported or non-functional.
Thanks for sharing this, as it is useful for us and for the readers of the forum!
Laz
Hello Ignacio
EPC is capable of capturing any packets that flow to, through, and from the device. This means that if a packet enters or exits a physical interface of the device, regardless of what the source or destination is, it can be captured. So based on the description of your scenario, I would have to say yes, it should be able to capture such traffic.
Now the fact that you are not capturing traffic may be due to a misconfiguration, platform, or due to EPC prerequisites or restrictions. One of these, mentioned by @ignacio.rodriguez.or and in my post above, is the fact that EPC must be applied only to physical ports of the device and not virtual ports (such as SVIs, or port channels for example).
Take a look at some of the restrictions, and review your configuration and let us know what you find. If you need further assistance, you know where to find us!
I hope this has been helpful!
Laz
Hello Rene,
I try to test EPC with this topology on EVE-NG:
R1-------R2
I ping from R1 to R2, and use EPC to capture packets
If R1 runs IOS-XE, I see both request and reply ICMP packets
But if R1 runs normal IOS (e.g. IOS 15), it only shows one direction
ip access-list extended PACKET_FILTER
permit ip any any
exit
monitor capture buffer CAP-BUF size 8192 max-size 2048 circular
monitor capture buffer CAP-BUF filter access-list PACKET_FILTER
monitor capture point ip cef CAP-POINT <Gi1/0/4> both
monitor capture point associate CAP-POINT CAP-BUF
monitor capture point start CAP-POINT
monitor capture point stop CAP-POINT
Thank you!!!
Hello Hai
There are a couple of things that I can think of that may result in such behavior.
First, you should make sure that everything else is the same for both your tests with IOS-XE and with IOS 15. Ensure that the ping being performed does indeed exit and reenter the same interface and that there is no routing that may cause the ping to return via a different route. Make sure that the size of the ping does not exceed the sizes configured in the buffer command.
Second, ensure that CEF is enabled on both IOS versions. Because specifically CEF packets are being captured, it's important to ensure that CEF is enabled. I suggest you also use the process-switched keyword for the monitor capture point command to see if those missing ping packets will be seen.
Try these out and let us know.
One question I do have is, in which direction do you see packets when using IOS 15? The image is cut off at the right edge and doesn't clarify if they're echo replies or echo requests.
I hope this has been helpful!
Laz
Hello,
So to capture packets on a Cisco router (or switch) with IOS or IOS XE, the tool is EPC.
And do I always need an external tool like Wireshark?
Can't I view the data on the fly, on the CLI directly, like on the ASA (with the capture command)?
Thank you.
Regards.
Hello Alexis
Well, using EPC is one way to do it. The other way is to use SPAN, RSPAN, or ERSPAN. For those features, you need to configure switches and routers, as well as provision for a dedicated packet capture PC running Wireshark or another capture program.
EPC is convenient because you don't need elaborate configurations, and you can save your pcap files directly to the device. This is useful if you don't have a laptop/PC on hand to capture immediately.
Once the pcap file is saved, you must view it using some packet capture analysis program such as Wireshark.
You can view some data on the CLI using the following command:
R2#show monitor capture buffer CAPTURE dump
where CAPTURE is the name of the buffer. But the result shown is in hex and is not useful to examine. Using Wireshark presents the data in a much more useful way. When exported, the buffer becomes a pcap file.
Cisco Nexus devices have a more comprehensive packet capture and analysis feature called Ethanalyzer with which you can view more useful packet capture info in the CLI. You can find out more about it here:
But as far as I know, similar functionality is not yet available on IOS devices.
I hope this has been helpful!
Laz