Unified Communications:Infrastructure:IOS Packet Capture


Description of Solution

If the need ever arises to grab a packet capture on a router running IOS, this utility is great, especially if the packet capture is required on a remote device. The following are examples where I have personally used this utility to assist in troubleshooting:

  • SIP Trunks through CUBE for detecting bleeding DTMF
  • Multicast Music on Hold to the ISR then out via a PRI Trunk
  • Audio quality issues through an ISR

Technical Requirements of Solution

Note: This procedure uses several commands around traffic-export. The whole package appears to have been introduced in IOS 12.4(11)T, with some of the other commands being integrated in earlier versions of IOS. With that said, I do not know if all of this will work on a Catalyst Switch running IOS.

This example assumes the following:

  • Capture interface is GigabitEthernet0/0
  • Capture will be dumped to Flash and then uploaded via FTP to remote location
  • Capture file name will be packetcapture.pcap for ease of opening with Wireshark or another packet analyzer
  • Traffic Export Profile Name: sniffer
  • Traffic Export Profile RAM Buffer: 5MB (Command Default)
  • Assumptions are:
    • FTP server will require authentication and the following:
      • FTP Username: ftpuser
      • FTP Password: ftppassword
      • FTP Server: 192.168.1.1
    • You have an understanding of IOS and basic navigation required for utilization of commands below
  1. Create a traffic-export profile:

      ip traffic-export profile sniffer mode capture
       bidirectional

  2. Apply profile to interface GigabitEthernet0/0:

      interface GigabitEthernet0/0
       ip traffic-export apply sniffer size 5120

     Note: If you do not specify size xxx (in bytes), the default of 5MB (5120 bytes) of RAM is used for the packet capture buffer. I recommend using more than 5MB, but it will depend on the free RAM in your device.

  3. Go back to enable mode and start the capture:

      traffic-export interface GigabitEthernet0/0 clear
      traffic-export interface GigabitEthernet0/0 start

  4. Check the status of the packet capture:

      show ip traffic-export

     Below is example output:

     Router#show ip traffic-export
     Router IP Traffic Export Parameters
     Monitored Interface: GigabitEthernet0/1
            Capture full packet length.
            bi-directional traffic capture is on
         Output IP Traffic Capture Information
            Packets/Bytes Captured  74/16620
            Packets Dropped         0
            Sampling Rate           one-in-every 1 packets
            No Access List configured
         Input IP Traffic Capture Information
            Packets/Bytes Captured  95/7015
            Packets Dropped         0
            Sampling Rate           one-in-every 1 packets
            No Access List configured
         IP Traffic Capture Buffer Information
            Defined Buffer Size     5242880 bytes
            Capture Buffer Size     5242880 bytes
            Capture Buffer Used     26363 bytes
            Capture Buffer Free     5216517 bytes
         Profile sniffer capture state: Active

  5. Stop the capture:

      traffic-export interface GigabitEthernet0/0 stop

  6. Dump to flash:

      traffic-export interface GigabitEthernet0/0 copy flash:packetcapture.pcap

  7. Configure and copy to FTP:

      ip ftp username ftpuser
      ip ftp password ftppassword
      copy flash:packetcapture.pcap ftp://192.168.1.1/packetcapture.pcap
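
A check for the status step, as an added example that is not part of the original instructions: it parses `show ip traffic-export` output and warns when the monitored interface is not the one you meant to capture on, when packets were dropped, or when the buffer is nearly full. The function names and the 80% threshold are assumptions; the sample text is abbreviated from the example output above.

```python
import re

# Constructed sample: abbreviated from the example output shown on this page.
SAMPLE = """\
Monitored Interface: GigabitEthernet0/1
     Output IP Traffic Capture Information
        Packets Dropped         0
     Input IP Traffic Capture Information
        Packets Dropped         0
        Capture Buffer Size     5242880 bytes
        Capture Buffer Used     26363 bytes
     Profile sniffer capture state: Active
"""


def parse_status(text):
    """Pull the fields needed to judge capture health out of the CLI output."""
    m = re.search(r"Monitored Interface:\s*(\S+)", text)
    status = {"interface": m.group(1) if m else None, "dropped": {}}
    direction = None
    for line in map(str.strip, text.splitlines()):
        if head := re.match(r"(Output|Input) IP Traffic Capture", line):
            direction = head.group(1).lower()
        elif direction and (d := re.match(r"Packets Dropped\s+(\d+)", line)):
            status["dropped"][direction] = int(d.group(1))
        elif b := re.match(r"Capture Buffer (Size|Used)\s+(\d+) bytes", line):
            status[b.group(1).lower()] = int(b.group(2))
        elif s := re.match(r"Profile (\S+) capture state:\s*(\S+)", line):
            status["profile"], status["state"] = s.groups()
    return status


def check_capture(text, expected_interface, max_used=0.8):
    """Return a list of warnings; an empty list means the capture looks healthy."""
    st = parse_status(text)
    warnings = []
    if st["interface"] != expected_interface:
        warnings.append(f"monitoring {st['interface']}, expected {expected_interface}")
    for direction, count in st["dropped"].items():
        if count:
            warnings.append(f"{count} {direction} packets dropped")
    if st.get("size") and st.get("used", 0) / st["size"] >= max_used:
        warnings.append(f"buffer {st['used'] / st['size']:.0%} full")
    if st.get("state") != "Active":
        warnings.append(f"capture state is {st.get('state')}")
    return warnings

if __name__ == "__main__":
    print(check_capture(SAMPLE, "GigabitEthernet0/0"))
```

Run against the sample with GigabitEthernet0/0 as the expected interface, it reports that the output actually describes GigabitEthernet0/1.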
    

External References

These instructions initially came from a Cisco TAC Engineer, with some heavy wordsmithing and modification of the process.

Below are URLs to the specific commands in the Cisco IOS Command Lookup Tool (all URLs require authentication):

Command Lookup Tool: ip traffic-export profile

Command Lookup Tool: traffic-export

Command Lookup Tool: show ip traffic-export
