Embedded Packet Capture Overview: Finding Feature Information

Embedded Packet Capture Overview
Embedded Packet Capture (EPC) provides an embedded systems management facility that helps in tracing
and troubleshooting packets. This feature allows network administrators to capture data packets flowing
through, to, and from a Cisco device. The network administrator may define the capture buffer size and type
(circular, or linear), the maximum number of bytes of each packet to capture, and the direction of the traffic
flow - ingress or egress, or both. The packet capture rate can be throttled using further administrative controls.
For example, you can use the available options for filtering the packets to be captured using an Access Control
List; and, optionally, further defined by specifying a maximum packet capture rate or by specifying a sampling
interval.
• Finding Feature Information, on page 1
• Prerequisites for Embedded Packet Capture, on page 1
• Restrictions for Embedded Packet Capture, on page 2
• Information About Embedded Packet Capture, on page 2
• How to Implement Embedded Packet Capture, on page 3
• Configuration Examples for Embedded Packet Capture, on page 6
• Additional References, on page 9
• Feature Information for Embedded Packet Capture, on page 9
Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Embedded Packet Capture

The Embedded Packet Capture (EPC) software subsystem consumes CPU and memory resources during its
operation. You must have adequate system resources for different types of operations. Some guidelines for
using the system resources are provided in the table below.

1
Restrictions for Embedded Packet Capture
Table 1: System Requirements for the EPC Subsystem
System Resources Requirements
Hardware CPU utilization requirements are platform dependent.
Memory The packet buffer is stored in DRAM. The size of the

packet buffer is user specified.
Diskspace Packets can be exported to external devices. No

intermediate storage on flash disk is required.
Restrictions for Embedded Packet Capture

• Embedded Packet Capture (EPC) captures multicast packets only on ingress and does not capture the
replicated packets on egress.
• From Cisco IOS XE Release 3.7S, Embedded Packet Capture is only supported on Advance Enterprise
Krypto (K9) images.
• From Cisco IOS XE Release 3.9S, Embedded Packet Capture is available on the following images:
• IP Base Images
• Special Services Images
• Advance Security Images
• Advance IP Services Images
• Advance Enterprise Images
Information About Embedded Packet Capture

Embedded Packet Capture (EPC) provides an embedded systems management facility that helps in tracing
and troubleshooting packets. This feature allows network administrators to capture data packets flowing
through, to, and from a Cisco device. The network administrator may define the capture buffer size and type
(circular, or linear), the maximum number of bytes of each packet to capture, and the direction of the traffic
flow - ingress or egress, or both. The packet capture rate can be throttled using further administrative controls.
For example, you can use the available options for filtering the packets to be captured using an Access Control
List; and, optionally, further defined by specifying a maximum packet capture rate or by specifying a sampling
interval.
Benefits of Embedded Packet Capture

• Ability to capture IPv4 and IPv6 packets in the device.
• Extensible infrastructure for enabling packet capture points. A capture point is a traffic transit point
where a packet is captured and associated with a buffer.

2
Packet Data Capture
• Facility to export the packet capture in packet capture file (PCAP) format suitable for analysis using any
external tool.
• Methods to decode data packets captured with varying degrees of detail.
Packet Data Capture

Packet data capture is the capture of data packets that are then stored in a buffer. You can define packet data
captures by providing unique names and parameters.
You can perform the following actions on the capture:
• Activate captures at any interface.
• Apply access control lists (ACLs) or class maps to capture points.
Note Network Based Application Recognition (NBAR) and MAC-style class map is
not supported.
• Destroy captures.
• Specify buffer storage parameters such as size and type. The size ranges from 1 MB to 100 MB. The
default buffer is linear; the other option for the buffer is circular.
• Specify any of the following limit options:
• duration - limit total duration of capture in seconds.
• every - limit capture to one in every nth packet.
• packet-len - limit the packet length to capture.
• packets - limit number of packets to capture.
• pps - limit number of packets per second to capture.
• Specify match criteria that includes information about the protocol, IP address or port address.
How to Implement Embedded Packet Capture

Managing Packet Data Capture
SUMMARY STEPS
1. enable
2. monitor capture capture-name access-list access-list-name
3. monitor capture capture-name limit duration seconds
4. monitor capture capture-name interface interface-name both
5. monitor capture capture-name buffer circular size bytes

3
Managing Packet Data Capture
6. monitor capture capture-name start

7. monitor capture capture-name export file-location/file-name
8. monitor capture capture-name stop
9. end
DETAILED STEPS
Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.
Device> enable
Step 2 monitor capture capture-name access-list Configures a monitor capture specifying an access list as
access-list-name the core filter for the packet capture.
Example:
Device# monitor capture mycap access-list v4acl
Step 3 monitor capture capture-name limit duration seconds Configures monitor capture limits.
Example:
Device# monitor capture mycap limit duration 1000
Step 4 monitor capture capture-name interface interface-name Configures monitor capture specifying an attachment point
both and the packet flow direction.
Example: Note • To change the traffic direction from both
Device# monitor capture mycap interface to in (ingress direction), enter the no
GigabitEthernet 0/0/1 both monitor capture capture-name interface
interface-name out command.
• To change the traffic direction from both
to out (egress direction), enter the no
monitor capture capture-name interface
interface-name in command.
Step 5 monitor capture capture-name buffer circular size Configures a buffer to capture packet data.
bytes
Example:
Device# monitor capture mycap buffer circular size
10
Step 6 monitor capture capture-name start Starts the capture of packet data at a traffic trace point into
a buffer.
Example:
Device# monitor capture mycap start
Step 7 monitor capture capture-name export Exports captured data for analysis.
file-location/file-name
Example:

4
Monitoring and Maintaining Captured Data

Device# monitor capture mycap export
tftp://10.1.88.9/mycap.pcap
Step 8 monitor capture capture-name stop Stops the capture of packet data at a traffic trace point.
Example:
Device# monitor capture mycap stop
Step 9 end Exits privileged EXEC mode.

Example:
Device# end
Monitoring and Maintaining Captured Data

Perform this task to monitor and maintain the packet data captured. Capture buffer details and capture point
details are displayed.
SUMMARY STEPS
1. enable
2. show monitor capture capture-buffer-name buffer dump
3. show monitor capture capture-buffer-name parameter
4. debug epc capture-point
5. debug epc provision
6. exit
DETAILED STEPS

Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.
Device> enable
Step 2 show monitor capture capture-buffer-name buffer (Optional) Displays a hexadecimal dump of captured packet
dump and its metadata.
Example:
Device# show monitor capture mycap buffer dump
Step 3 show monitor capture capture-buffer-name parameter (Optional) Displays a list of commands that were used to
specify the capture.
Example:
Device# show monitor capture mycap parameter
Step 4 debug epc capture-point (Optional) Enables packet capture point debugging.
Example:

5
Configuration Examples for Embedded Packet Capture
Device# debug epc capture-point
Step 5 debug epc provision (Optional) Enables packet capture provisioning debugging.
Example:
Device# debug epc provision
Step 6 exit Exits privileged EXEC mode.

Example:
Device# exit
Configuration Examples for Embedded Packet Capture

Example: Managing Packet Data Capture
The following example shows how to manage packet data capture:
Device> enable
Device# monitor capture mycap access-list v4acl
Device# monitor capture mycap limit duration 1000
Device# monitor capture mycap interface GigabitEthernet 0/0/1 both
Device# monitor capture mycap buffer circular size 10
Device# monitor capture mycap export tftp://10.1.88.9/mycap.pcap
Device# end
Example: Monitoring and Maintaining Captured Data

The following example shows how to dump packets in ASCII format:
Device# show monitor capture mycap buffer dump
0
0000: 01005E00 00020000 0C07AC1D 080045C0 ..^...........E.
0010: 00300000 00000111 CFDC091D 0002E000 .0..............
0020: 000207C1 07C1001C 802A0000 10030AFA .........*......
0030: 1D006369 73636F00 0000091D 0001 ..example.......
1
0000: 01005E00 0002001B 2BF69280 080046C0 ..^.....+.....F.
0010: 00200000 00000102 44170000 0000E000 . ......D.......
0020: 00019404 00001700 E8FF0000 0000 ..............
2
0000: 01005E00 0002001B 2BF68680 080045C0 ..^.....+.....E.
0010: 00300000 00000111 CFDB091D 0003E000 .0..............
0020: 000207C1 07C1001C 88B50000 08030A6E ...............n
0030: 1D006369 73636F00 0000091D 0001 ..example.......

6
3
0000: 01005E00 000A001C 0F2EDC00 080045C0 ..^...........E.
0010: 003C0000 00000258 CE7F091D 0004E000 .<.....X........
0020: 000A0205 F3000000 00000000 00000000 ................
0030: 00000000 00D10001 000C0100 01000000 ................
0040: 000F0004 00080501 0300 ................
The following example shows how to display the list of commands used to configure the capture
named mycap:
Device# show monitor capture mycap parameter
monitor capture mycap interface GigabitEthernet 1/0/1 both

monitor capture mycap match any
monitor capture mycap buffer size 10
monitor capture mycap limit pps 1000
The following example shows how to debug the capture point:

Device# debug epc capture-point
EPC capture point operations debugging is on

*Jun 4 14:17:15.463: EPC CP: Starting the capture cap1

*Jun 4 14:17:15.463: EPC CP: (brief=3, detailed=4, dump=5) = 0
*Jun 4 14:17:15.463: EPC CP: final check before activation
*Jun 4 14:17:15.463: EPC CP: setting up c3pl infra
*Jun 4 14:17:15.463: EPC CP: Setup c3pl acl-class-policy
*Jun 4 14:17:15.463: EPC CP: Creating a class
*Jun 4 14:17:15.464: EPC CP: Creating a class : Successful
*Jun 4 14:17:15.464: EPC CP: class-map Created
*Jun 4 14:17:15.464: EPC CP: creating policy-name epc_policy_cap1
*Jun 4 14:17:15.464: EPC CP: Creating Policy epc_policy_cap1 of type 49 and client type
21
*Jun 4 14:17:15.464: EPC CP: Storing a Policy
*Jun 4 14:17:15.464: EPC CP: calling ppm_store_policy with epc_policy
*Jun 4 14:17:15.464: EPC CP: Creating Policy : Successful
*Jun 4 14:17:15.464: EPC CP: policy-map created
*Jun 4 14:17:15.464: EPC CP: creating filter for ANY
*Jun 4 14:17:15.464: EPC CP: Adding acl to class : Successful
*Jun 4 14:17:15.464: EPC CP: Setup c3pl class to policy
*Jun 4 14:17:15.464: EPC CP: Attaching Class to Policy
*Jun 4 14:17:15.464: EPC CP: Attaching epc_class_cap1 to epc_policy_cap1
*Jun 4 14:17:15.464: EPC CP: Attaching Class to Policy : Successful
*Jun 4 14:17:15.464: EPC CP: setting up c3pl qos
*Jun 4 14:17:15.464: EPC CP: DBG> Set packet rate limit to 1000
*Jun 4 14:17:15.464: EPC CP: creating action for policy_map epc_policy_cap1 class_map
epc_class_cap1
*Jun 4 14:17:15.464: EPC CP: DBG> Set packet rate limit to 1000
*Jun 4 14:17:15.464: EPC CP: Activating Interface GigabitEthernet1/0/1 direction both
*Jun 4 14:17:15.464: EPC CP: Id attached 0
*Jun 4 14:17:15.464: EPC CP: inserting into active lists
*Jun 4 14:17:15.464: EPC CP: Id attached 0
*Jun 4 14:17:15.465: EPC CP: inserting into active lists
*Jun 4 14:17:15.465: EPC CP: Activating Vlan
*Jun 4 14:17:15.465: EPC CP: Deleting all temp interfaces
*Jun 4 14:17:15.465: %BUFCAP-6-ENABLE: Capture Point cap1 enabled.
*Jun 4 14:17:15.465: EPC CP: Active Capture 1
Device# monitor capture mycap1 stop

7
*Jun 4 14:17:31.963: EPC CP: Stopping the capture cap1

*Jun 4 14:17:31.963: EPC CP: Warning: unable to unbind capture cap1
*Jun 4 14:17:31.963: EPC CP: Deactivating policy-map
*Jun 4 14:17:31.963: EPC CP: Policy epc_policy_cap1
*Jun 4 14:17:31.964: EPC CP: Deactivating policy-map Successful
*Jun 4 14:17:31.964: EPC CP: removing povision feature
*Jun 4 14:17:31.964: EPC CP: Found action for policy-map epc_policy_cap1 class-map
epc_class_cap1
*Jun 4 14:17:31.964: EPC CP: cleanning up c3pl infra
*Jun 4 14:17:31.964: EPC CP: Removing Class epc_class_cap1 from Policy
*Jun 4 14:17:31.964: EPC CP: Removing Class from epc_policy_cap1
*Jun 4 14:17:31.964: EPC CP: Successfully removed
*Jun 4 14:17:31.964: EPC CP: Removing acl mac from class
*Jun 4 14:17:31.964: EPC CP: Removing acl from class : Successful
*Jun 4 14:17:31.964: EPC CP: Removing all policies
*Jun 4 14:17:31.964: EPC CP: Removing Policy epc_policy_cap1
*Jun 4 14:17:31.964: EPC CP: Removing Policy : Successful
*Jun 4 14:17:31.964: EPC CP: Removing class epc_class_cap1
*Jun 4 14:17:31.965: EPC CP: Removing class : Successful
*Jun 4 14:17:31.965: %BUFCAP-6-DISABLE: Capture Point cap1 disabled.
*Jun 4 14:17:31.965: EPC CP: Active Capture 0
The following example shows how to debug the Embedded Packet Capture (EPC) provisioning:
Device# debug epc provision
EPC provisionioning debugging is on
*Jun 4 14:17:54.991: EPC PROV: No action found for policy-map epc_policy_cap1 class-map
epc_class_cap1
*Jun 4 14:17:54.991: EPC PROV:
*Jun 4 14:17:54.991: Attempting to install service policy epc_policy_cap1
*Jun 4 14:17:54.992: EPC PROV: Attached service policy to epc idb subblock
*Jun 4 14:17:54.992: EPC PROV: Successful. Create feature object
*Jun 4 14:17:54.992: EPC PROV:
*Jun 4 14:17:54.992: Attempting to install service policy epc_policy_cap1
*Jun 4 14:17:54.992: EPC PROV: Successful. Create feature object

*Jun 4 14:17:54.992: %BUFCAP-6-ENABLE: Capture Point cap1 enabled.
*Jun 4 14:18:02.503: EPC PROV: Successful. Remove feature object

*Jun 4 14:18:02.504: EPC PROV: Successful. Remove feature object
*Jun 4 14:18:02.504: EPC PROV: Destroyed epc idb subblock
*Jun 4 14:18:02.504: EPC PROV: Found action for policy-map epc_policy_cap1 class-map
epc_class_cap1
*Jun 4 14:18:02.504: EPC PROV: Deleting EPC action
*Jun 4 14:18:02.504: EPC PROV: Successful. CLASS_REMOVE, policy-map epc_policy_cap1, class
epc_class_cap1
*Jun 4 14:18:02.504: %BUFCAP-6-DISABLE: Capture Point cap1 disabled.

8
Additional References
Additional References
Related Documents
Related Topic Document Title
Cisco IOS commands Cisco IOS Master Command List,

All Releases
Embedded Packet Capture commands Cisco IOS Embedded Packet

Capture Command Reference
Technical Assistance
Description Link
The Cisco Support and Documentation website provides http://www.cisco.com/cisco/web/support/index.html

online resources to download documentation, software,
and tools. Use these resources to install and configure
the software and to troubleshoot and resolve technical
issues with Cisco products and technologies. Access to
most tools on the Cisco Support and Documentation
website requires a Cisco.com user ID and password.
Feature Information for Embedded Packet Capture

The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

9
Feature Information for Embedded Packet Capture
Table 2: Feature Information for Embedded Packet Capture
Feature Name Releases Feature Information
Embedded Packet Capture Cisco IOS XE Release 3.7S Embedded Packet Capture (EPC)
is an onboard packet capture
facility that allows network
administrators to capture packets
flowing to, through, and from a
device and to analyze them locally
or save and export them for offline
analysis using a tool such as
Wireshark. This feature simplifies
operations by allowing the devices
to become active participants in the
management and operation of the
network. This feature facilitates
better troubleshooting by gathering
information about packet format. It
also facilitates application analysis
and security.
The following commands were
introduced or modified: debug epc,
monitor capture (access list/class
map), monitor capture
(interface/control plane), monitor
capture export, monitor capture
limit, monitor capture start,
monitor capture stop, and show
monitor capture .

10

Embedded Packet Capture Overview: Finding Feature Information

Uploaded by

Copyright:

Available Formats

Embedded Packet Capture Overview: Finding Feature Information

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Embedded Packet Capture Overview: Finding Feature Information

Uploaded by

Copyright:

Available Formats

Embedded Packet Capture Overview

Finding Feature Information

Prerequisites for Embedded Packet Capture