Friday, December 11, 2015

Capture traffic on Cisco switch with EPC (both directions)

Embedded Packet Capture (EPC) is a powerful tool implemented on certain Cisco devices. With it, it is no longer necessary to SPAN traffic to a separate capture host in order to capture it: you can capture traffic at different points of your network directly on the device, with some limitations described in the Cisco documentation.
In my case, I wanted to capture the traffic between two machines (and only those two machines), as described in the diagram below:

In order to do this, you can use the following configuration. Note that the ACL needs one entry per direction: an access list is stateless and matches each packet on its own source and destination, so a single `permit` line would only capture one half of the conversation.
ip access-list extended HOST-TO-FILTER
 permit ip host 10.10.10.1 host 10.10.20.1
 permit ip host 10.10.20.1 host 10.10.10.1
!
monitor capture MY-CAPTURE file location flash:mycapture.pcap size 10 int GigabitEthernet1/0/1 both access-list HOST-TO-FILTER

After that, you can start the capture with the command:
monitor capture MY-CAPTURE start

And stop it:
monitor capture MY-CAPTURE stop


The capture file can then be exported from the switch and opened in Wireshark, for example.
!! Warning !!
EPC consumes CPU and memory on the device. Take care to apply a tight filter (and a bounded capture size) so you do not overload your router or switch.
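Once the pcap is exported, it is worth checking that the filter did what was intended before trusting the capture: every packet should be between the two hosts, and both directions should be present (a capture with only one direction is what you would get if the second ACL entry were missing or mistyped). The following script is an added example, not part of the original post and not a Cisco tool: it parses a classic pcap (not pcapng) with the standard library only, extracts the IPv4 endpoints of each Ethernet frame, and reports per-direction counts plus any stray packets. The sample capture it audits is constructed inline; the host addresses are those from the ACL above.

```python
"""Audit an exported EPC capture: confirm every IPv4 packet is between the two
filtered hosts and that both directions of the conversation are present."""
import struct
from collections import Counter

HOST_A = "10.10.10.1"   # from the ACL on the page
HOST_B = "10.10.20.1"

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes):
    """Yield raw link-layer frames from a classic pcap byte string (both byte orders)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}")
    offset = 24  # end of the 24-byte global header
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def ipv4_endpoints(frame: bytes):
    """Return (src, dst) dotted quads for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst


def audit_capture(data: bytes, host_a: str = HOST_A, host_b: str = HOST_B) -> dict:
    """Count packets per direction and collect anything outside the two-host filter."""
    directions = Counter()
    stray = []
    for frame in parse_pcap(data):
        ep = ipv4_endpoints(frame)
        if ep is None:
            stray.append(("non-ipv4", None))
        elif ep in ((host_a, host_b), (host_b, host_a)):
            directions[ep] += 1
        else:
            stray.append(ep)
    a_to_b = directions[(host_a, host_b)]
    b_to_a = directions[(host_b, host_a)]
    return {
        "a_to_b": a_to_b,
        "b_to_a": b_to_a,
        "both_directions": a_to_b > 0 and b_to_a > 0,
        "stray": stray,
    }


# --- constructed sample data (not a real capture from the switch) ---
def make_ipv4_frame(src: str, dst: str) -> bytes:
    """Build a minimal Ethernet + IPv4 header (ICMP, no payload) for the sample pcap."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0, src_b, dst_b)
    return eth + ip


def build_sample_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap with an Ethernet link type."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    out = [header]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1449792000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


SAMPLE_PCAP = build_sample_pcap([
    make_ipv4_frame(HOST_A, HOST_B),
    make_ipv4_frame(HOST_B, HOST_A),
    make_ipv4_frame(HOST_A, HOST_B),
    make_ipv4_frame("10.10.30.5", HOST_A),  # stray: would not match the ACL
])

# Capture that only shows one direction, as you would see with a one-line ACL.
ONE_WAY_PCAP = build_sample_pcap([make_ipv4_frame(HOST_A, HOST_B)])

if __name__ == "__main__":
    print(audit_capture(SAMPLE_PCAP))
    print(audit_capture(ONE_WAY_PCAP))
```

To audit a real export, read `flash:mycapture.pcap` into `data` and call `audit_capture(data)`; a non-empty `stray` list or `both_directions: False` means the ACL or the interface/direction arguments did not do what was expected.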
