Cisco IOS EPC

Justin Guagliata
Jul 20, 2017

Embedded packet capture (EPC) is a way to capture packets directly on a router. These packet captures can then be sent to a server (FTP, SCP, HTTP, etc.) for packet analysis in a program such as Wireshark. EPC requires IOS version 12.4(20)T or greater.

The code below sets up a capture for interface fa0/0 and exports the capture to an FTP server.

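! Create the capture buffer: 512 KB total, up to 256 bytes stored per packet
monitor capture buffer BUFFER
monitor capture buffer BUFFER size 512 max-size 256
! Capture CEF-switched IPv4 traffic on fa0/0 in both directions
monitor capture point ip cef FA0_0 fa0/0 both
! Bind the capture point to the buffer and start capturing
monitor capture point associate FA0_0 BUFFER
monitor capture point start FA0_0
! Export the buffer contents to the FTP server as a pcap file
monitor capture buffer BUFFER export ftp://host/filename.pcap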

The capture can be stopped with the following:

monitor capture point stop FA0_0

You can determine if the capture is working with the following:

show monitor capture buffer BUFFER parameters
Rack1R1#show monitor capture buffer BUFFER parameters
Capture buffer BUFFER (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 256 bytes, Packets : 5
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : FA0_0, Status : Active
Configuration:
monitor capture buffer BUFFER size 512 max-size 256 linear
monitor capture point associate FA0_0 BUFFER
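
When the output is collected by a script rather than read by eye, the same check can be automated. The Python below is an added example, not code from the original post: it parses the output shown above and lists reasons the capture is not collecting. The function names are hypothetical, and treating any status other than Active as a problem is an assumption.

```python
# Added example (hypothetical function names); SAMPLE is the router output shown on this page.
SAMPLE = """\
Rack1R1#show monitor capture buffer BUFFER parameters
Capture buffer BUFFER (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 256 bytes, Packets : 5
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : FA0_0, Status : Active
Configuration:
monitor capture buffer BUFFER size 512 max-size 256 linear
monitor capture point associate FA0_0 BUFFER
"""


def parse_epc_parameters(text):
    """Return buffer counters, capture-point states and config lines."""
    info = {"fields": {}, "points": {}, "config": []}
    section = "fields"
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Associated Capture Points:":
            section = "points"
        elif line == "Configuration:":
            section = "config"
        elif section == "config" and line:
            info["config"].append(line)
        elif " : " in line:
            # "Key : value unit, Key : value" -> {"Key": "value"}
            pairs = dict(p.split(" : ", 1) for p in line.split(", ") if " : " in p)
            pairs = {k.strip(): v.split()[0] for k, v in pairs.items()}
            if section == "points":
                info["points"][pairs["Name"]] = pairs["Status"]
            else:
                info["fields"].update(pairs)
    return info


def capture_problems(info):
    """List reasons the capture is not collecting; empty list means healthy."""
    problems = [f"capture point {n} is {s}" for n, s in info["points"].items()
                if s.lower() != "active"]  # assumption: anything but Active is a problem
    if not info["points"]:
        problems.append("no capture point associated")
    if int(info["fields"].get("Packets", 0)) == 0:
        problems.append("buffer holds 0 packets")
    return problems


if __name__ == "__main__":
    print(capture_problems(parse_epc_parameters(SAMPLE)) or "capture is working")
```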

More information can be found in the config guide:

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

Written by Justin Guagliata, CCIE #36702. Network Consultant.
