Before iOS revision 12.4 you were having access-lists and debug facility to get a clue about the packets passing through an interface. Now it is fairly easy to get packets and even export them as .pcap to analyse within a few easy steps.

First thing to do is, create an access-list based on your requirements:

conf t
ip access-list extended HTTP_TEST
	permit tcp any any eq www
end

Now on the enable mode “type en” type the following to create your capture related to the access-list you created

monitor capture buffer HTTP_BUFFER
monitor capture buffer HTTP_BUFFER filter access-list HTTP_TEST

Select the desired interface you want your capture to collect packets

monitor capture point ip cef HTTP_POINT GigabitEthernet0/2 both

Now start collecting packets

monitor capture point associate HTTP_POINT HTTP_BUFFER

monitor capture point start HTTP_POINT

Type “sh monitor capture buffer all parameters” to get if a packet collected or not

Capture buffer HTTP_BUFFER (linear buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 5
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : HTTP_POINT, Status : Inactive
Configuration:
monitor capture buffer HTTP_BUFFER 
monitor capture point associate HTTP_POINT HTTP_BUFFER
monitor capture buffer HTTP_BUFFER filter access-list HTTP_TEST

don’t forget to stop the capture with the command:

monitor capture point stop HTTP_POINT

to export the packets type the following and don’t forget to delete the capture buffer, install a tftp server to your client and change the IP below to your client’s IP address.

monitor capture buffer HTTP_BUFFER export tftp://192.168.1.2/HTTP.pcap
!and delete the capture buffer
no monitor capture buffer HTTP_BUFFER

and as a summary of the commands all together:

conf t
ip access-list extended HTTP_TEST
	permit tcp any any eq http
end

monitor capture buffer HTTP_BUFFER
monitor capture buffer HTTP_BUFFER filter access-list HTTP_TEST


monitor capture point ip cef HTTP_POINT GigabitEthernet0/2 both

monitor capture point associate HTTP_POINT HTTP_BUFFER

monitor capture point start HTTP_POINT

sh monitor capture buffer all parameters

monitor capture point stop HTTP_POINT

monitor capture buffer HTTP_BUFFER export tftp://192.168.1.2/HTTP2.pcap

no monitor capture buffer HTTP_BUFFER

show monitor capture buffer HTTP_BUFFER dump

Leave a Reply

Your email address will not be published. Required fields are marked *