Traffic capturing with Cisco ASR

Traffic capturing can be carried out not only by Cisco PIX/ASA hardware firewalls, which we wrote about earlier, but also by routers from the same vendor. This article explains how one of the lowest-end routers in the ASR product line can be used to make a local copy of the user traffic passing through the network (or of the packets the device itself receives) and either analyse it on the spot or upload it to a remote server for a thorough analysis. The feature in question is called Embedded Packet Capture (EPC).

This time we had an ASR 1006 (cisco ASR1006 (RP2)) at our disposal. Note that the feature under review only appeared in IOS XE 3.7S, which is why we used the firmware version specified below.

IOS XE Version: 03.07.01.S

The first step is to create an access list that will filter out the traffic of interest. We want to capture all ICMP messages.

asr1006#conf t
Enter configuration commands, one per line. End with CNTL/Z.
asr1006(config)#ip access-list extended foxtestacl
asr1006(config-ext-nacl)#permit icmp any any
asr1006(config-ext-nacl)#exi
asr1006(config)#exi
asr1006#sho ip access-lists foxtestacl
Extended IP access list foxtestacl
10 permit icmp any any

The list we created has to be attached to a specific capture. The interface from which the traffic will be gathered is also a mandatory parameter. The optional parameters are the buffer where captured packets are stored and the limits on what is captured. An administrator can limit a capture by duration, by packet length and by the number of packets, and can also cap the number of packets captured per second or sample only one packet out of every n.

asr1006#monitor capture foxcap ?
access-list access-list to be attached
buffer Buffer options
class-map class name to attached
clear Clear Buffer
control-plane Control Plane
export Export Buffer
interface Interface
limit Limit Packets Captured
match Describe filters inline
start Enable Capture
stop Disable Capture
asr1006#monitor capture foxcap buffer ?
circular circular buffer
size Size of buffer in MB
asr1006#monitor capture foxcap lim ?
duration Limit total duration of capture in seconds
every Limit capture to one in every nth packet
packet-len Limit the packet length to capture
packets Limit number of packets to capture
pps Limit number of packets per second to capture

Now let's decide which interface we will capture packets on (the command output is shortened).

asr1006#sho ip int bri
Interface IP-Address OK? Method Status Protocol
Te0/0/0 unassigned YES NVRAM down down
GigabitEthernet0/1/0 unassigned YES NVRAM up up
GigabitEthernet0/1/1 unassigned YES NVRAM up up
Gi0/1/1.1100 10.27.0.17 YES NVRAM up up

Let's create a capture, restrict it with the previously created access list, and attach it to the Gi0/1/1.1100 interface, specifying the direction we are interested in.

asr1006#mon cap foxcap access-list foxtestacl interface gi0/1/1.1100 both

The parameters of a given capture can be viewed with the show monitor capture name and show monitor capture name parameter commands, where name is replaced with the name of the capture you are interested in.

asr1006#sho monitor capture foxcap
Status Information for Capture foxcap
Target Type:
Interface: GigabitEthernet0/1/1.1100, Direction: both
Status : Inactive
Filter Details:
Access-list: foxtestacl
Buffer Details:
Buffer Type: LINEAR (default)
Buffer Size (in MB): 10
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
asr1006#sho monitor capture foxcap parameter
monitor capture foxcap interface GigabitEthernet0/1/1.1100 both
monitor capture foxcap access-list foxtestacl
monitor capture foxcap buffer size 10
monitor capture foxcap limit pps 1000

A capture is started with the monitor capture name start command and stopped with the monitor capture name stop command.

asr1006#mon cap foxcap start

Now let's check the reachability of a remote host that is reached through the Gi0/1/1.1100 interface.

C:\>ping 10.27.0.18
Pinging 10.27.0.18 with 32 bytes of data:
Reply from 10.27.0.18: bytes=32 time=1ms TTL=250
Reply from 10.27.0.18: bytes=32 time=1ms TTL=250
Reply from 10.27.0.18: bytes=32 time=1ms TTL=250
Reply from 10.27.0.18: bytes=32 time=1ms TTL=250
Ping statistics for 10.27.0.18:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

The data saved by EPC can be retrieved both while the capture is running and after it has been stopped. We decided to stop it.

asr1006#mon cap foxcap stop

How full the buffer holding the captured packets is can be checked with the show monitor capture name buffer command.

ag-asr1006-1#sho mon cap foxcap buffer
buffer size : 10485760
buffer used : 7554
packets in buffer: 67
average PPS : 1

The buffer contents are also available for local analysis (the command output is shortened).

ag-asr1006-1#sho monitor capture foxcap buffer bri
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
0 82 0.000000 192.168.1.2 -> 10.27.0.18 ICMP
1 82 0.000000 10.27.0.18 -> 192.168.1.2 ICMP
2 82 1.189038 192.168.1.2 -> 10.27.0.18 ICMP
3 82 1.190029 10.27.0.18 -> 192.168.1.2 ICMP
4 82 2.190029 192.168.1.2 -> 10.27.0.18 ICMP
5 82 2.191036 10.27.0.18 -> 192.168.1.2 ICMP
6 82 3.199032 192.168.1.2 -> 10.27.0.18 ICMP
7 82 3.209041 10.27.0.18 -> 192.168.1.2 ICMP

More detailed information is available from the show monitor capture name buffer detailed and show monitor capture name buffer dump commands (the command output is shortened).

asr1006#sho monitor capture foxcap buffer detailed
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
122 82 9.320820 10.27.4.14 -> 10.27.0.17 ICMP
0000: 30F70D1E 9611001C F6109438 8100044C 0..........8...L
0010: 08004500 0040C7A8 00003F01 9BC00A1B ..E..@....?.....
0020: 040E0A1B 00110800 01F0F928 0000AB89 ...........(....
0030: A2500000 0000A507 0F000000 00001011 .P..............
asr1006#sho monitor capture foxcap buffer dump
122
0000: 30F70D1E 9611001C F6109438 8100044C 0..........8...L
0010: 08004500 0040C7A8 00003F01 9BC00A1B ..E..@....?.....
0020: 040E0A1B 00110800 01F0F928 0000AB89 ...........(....
0030: A2500000 0000A507 0F000000 00001011 .P..............
0040: 12131415 16171819 1A1B1C1D 1E1F2021 .............. !
0050: 2223 "#
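The dump above is a complete 802.1Q-tagged frame, so it can be decoded without exporting anything. The following script is an added example (not from the article or from Cisco): it reassembles the frame from the dump text, decodes the VLAN tag, IPv4 and ICMP headers, and verifies both checksums; the DUMP sample is constructed from frame #122 shown above.

```python
import re
import struct
from ipaddress import IPv4Address
# Constructed sample: frame #122 as printed by 'show monitor capture foxcap buffer dump' above.
DUMP = """\
0000: 30F70D1E 9611001C F6109438 8100044C 0..........8...L
0010: 08004500 0040C7A8 00003F01 9BC00A1B ..E..@....?.....
0020: 040E0A1B 00110800 01F0F928 0000AB89 ...........(....
0030: A2500000 0000A507 0F000000 00001011 .P..............
0040: 12131415 16171819 1A1B1C1D 1E1F2021 .............. !
0050: 2223 "#
"""
# A dump line is: 16-bit offset, up to four groups of 4 bytes (last may be short), ASCII column.
LINE_RE = re.compile(r'^[0-9A-Fa-f]{4}:((?: [0-9A-Fa-f]{2,8}){1,4})')

def parse_dump(text):
    """Reassemble the raw frame bytes from the IOS XE hex dump text."""
    frame = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frame += bytes.fromhex(m.group(1).replace(' ', ''))
    return bytes(frame)

def checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when the checksum embedded in data is valid."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(frame):
    """Decode Ethernet II, an optional 802.1Q tag, IPv4 and the ICMP header; verify checksums."""
    ethertype, off, vlan = struct.unpack('!H', frame[12:14])[0], 14, None
    if ethertype == 0x8100:                # 802.1Q tag: TCI (PCP/DEI/VID), then the real EtherType
        tci, ethertype = struct.unpack('!HH', frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800:
        raise ValueError('not an IPv4 frame: EtherType 0x%04x' % ethertype)
    ihl, total_len = (frame[off] & 0x0F) * 4, struct.unpack('!H', frame[off + 2:off + 4])[0]
    info = {'vlan': vlan, 'src_ip': str(IPv4Address(frame[off + 12:off + 16])),
            'dst_ip': str(IPv4Address(frame[off + 16:off + 20])), 'ttl': frame[off + 8],
            'proto': frame[off + 9], 'ip_checksum_ok': checksum(frame[off:off + ihl]) == 0,
            'length_ok': len(frame) == off + total_len}  # bytes in dump match the IP total length
    if info['proto'] == 1:                 # ICMP: type, code, checksum over the whole message
        icmp = frame[off + ihl:off + total_len]
        info.update(icmp_type=icmp[0], icmp_code=icmp[1], icmp_checksum_ok=checksum(icmp) == 0)
    return info
```

Running decode_frame(parse_dump(DUMP)) confirms that a capture on the Gi0/1/1.1100 subinterface keeps the 802.1Q tag (VLAN 1100) and that the frame is an ICMP echo request from 10.27.4.14 to 10.27.0.17 with valid IP and ICMP checksums.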

Apart from analysing the captured data locally, an administrator can export them to a file on the router's flash or send them to a remote server.

asr1006#mon cap foxcap export ?
bootflash: Location of the file
flash: Location of the file
ftp: Location of the file
harddisk: Location of the file
http: Location of the file
https: Location of the file
pram: Location of the file
rcp: Location of the file
scp: Location of the file
tftp: Location of the file
asr1006#mon cap foxcap export flash:/foxcap.cap
Exported Successfully
asr1006#sho fla
-#- --length-- ---------date/time--------- path
1 4096 Nov 13 2012 22:21:14 +00:00 /bootflash/
2 16384 Jul 05 2012 04:32:24 +00:00 /bootflash/lost+found
3 4096 Nov 02 2012 01:46:07 +00:00 /bootflash/vman_fdb
4 6798 Nov 13 2012 22:16:52 +00:00 /bootflash/foxcap.cap
5 4096 Jul 05 2012 04:34:40 +00:00 /bootflash/.installer
6 4096 Jul 05 2012 05:05:46 +00:00 /bootflash/.prst_sync
7 4096 Jul 05 2012 05:05:50 +00:00 /bootflash/.rollback_timer
8 456402504 Aug 30 2012 15:52:32 +00:00 /bootflash/asr1000rp2-advipservicesk9.03.06.02.S.152-2.S2.bin
9 479485768 Nov 01 2012 10:13:08 +00:00 /bootflash/asr1000rp2-adventerprisek9.03.07.01.S.152-4.S1.bin
10 458460744 Sep 21 2012 23:27:44 +00:00 /bootflash/asr1000rp2-adventerprisek9.03.06.02.S.152-2.S2.bin
397017088 bytes available (1395777536 bytes used)
asr1006#cop fl tf
Source filename [foxcap.cap]?
Address or name of remote host []? 192.168.1.2
Destination filename [foxcap.cap]?
!!
6798 bytes copied in 0.017 secs (399882 bytes/sec)

A file uploaded to a TFTP server can then be analysed on the administrator's PC with a suitable utility, for example Wireshark.

To delete an existing capture, use the no monitor capture name command.

asr1006#no mon cap foxcap
asr1006#sho mon cap

This concludes our review of the Cisco EPC (Embedded Packet Capture) feature; we hope our readers will be able to use it to troubleshoot network issues efficiently.
