#Cisco# Capturing Packets from a Cisco Router for Wireshark pcap
If you need to troubleshoot a problem by looking at a specific packet flow through a Cisco IOS router, you can capture into a buffer on the router itself and then export that buffer as a pcap. The export goes to a TFTP server, so you need one reachable from the router before you start.
I use tftpd64 or tftpd32, a free, simple TFTP daemon that runs on Windows: http://www.jounin.net/tftpd32.html
In this example, my TFTP server is on 10.0.0.55.
First, create an access list that matches the traffic you want to capture. Here I want all traffic traversing the router to or from 184.108.40.206, which needs one entry per direction:
Router(config)# access-list 140 permit ip host 184.108.40.206 any
Router(config)# access-list 140 permit ip any host 184.108.40.206
This ACL matches all IP traffic to and from that host. Keep the match as tight as the problem allows (protocol and port, not just host) on a busy host, because everything that matches is copied into router memory and later into a file that leaves the box.
Next, create a capture buffer. This is the Embedded Packet Capture (EPC) feature of IOS 12.4(20)T and later; the monitor capture commands are exec-mode commands, not configuration, so they are not saved. I have named the buffer holdpackets:
Router# monitor capture buffer holdpackets
Then attach the access list so that only matching packets are stored in the buffer:
Router# monitor capture buffer holdpackets filter access-list 140
By default the buffer keeps only the first 68 bytes of each packet, enough for headers but useless for payload inspection in Wireshark. Raise the per-packet size to its maximum of 9500 bytes and make the buffer 10 MB (10240 KB) so it can hold a useful number of full packets. The buffer lives in router DRAM, so check free memory (show memory) before going this large on a small platform, and note that the default buffer type is linear: once it is full, capturing stops.
Router# monitor capture buffer holdpackets size 10240 max-size 9500
Now define a capture point, which says where packets are taken from, and associate it with the buffer. I have called mine testcap; it captures IPv4 CEF-switched traffic on all interfaces in both directions. Because it hooks CEF, it will not see packets that are process-switched, such as traffic to or from the router's own addresses; for that you need a process-switched capture point instead.
Router# monitor capture point ip cef testcap all both
Router# monitor capture point associate testcap holdpackets
Now start the capture:
Router# monitor capture point start testcap
Once you think you have enough packets (show monitor capture buffer holdpackets parameters shows how full the buffer is), stop the capture:
Router# monitor capture point stop testcap
Export the buffer to your TFTP server with the following command, then open the .pcap in Wireshark. Bear in mind that TFTP is unauthenticated and unencrypted and that, with max-size 9500, the file contains the full payload of everything that matched the ACL, so export over a management network (or to an scp:// or ftp:// destination where your IOS release supports it) and delete the file from the TFTP server when you are done.
Router# monitor capture buffer holdpackets export tftp://10.0.0.55/testcap.pcap
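Before you trust the exported file, it is worth checking two things the procedure above can get wrong silently: that the router did not cut packets short (the symptom of leaving max-size at its 68-byte default), and that the file holds only traffic to or from the host in the ACL. The following checker is an added example, not part of the original post or of Cisco's tooling; it assumes a classic libpcap file (not pcapng) with either Ethernet frames or raw IPv4 packets as records, and when run with no arguments it audits a constructed sample pcap that stands in for testcap.pcap.

```python
"""Sanity-check a pcap exported from an IOS Embedded Packet Capture buffer.

Two things commonly go wrong: the buffer's per-packet max-size was left at
its 68-byte default, so Wireshark shows headers only, or the ACL filter did
not match what you intended, so the file holds traffic you never meant to
capture (and have now copied off the router over TFTP). Standard library only.
"""
import struct
from ipaddress import IPv4Address

LINKTYPE_ETHERNET = 1     # records start with a 14-byte Ethernet header
LINKTYPE_RAW_IPV4 = 101   # records are bare IP packets
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def parse_pcap(data):
    """Return (linktype, snaplen, records) from a classic libpcap file.

    Each record is (incl_len, orig_len, frame). Byte order is taken from
    the magic number, so files of either endianness are accepted.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file, magic %s" % magic.hex())
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:GLOBAL_HDR_LEN])
    records, off = [], GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("record body runs past end of file at offset %d" % off)
        records.append((incl_len, orig_len, frame))
        off += incl_len
    return linktype, snaplen, records


def ipv4_endpoints(linktype, frame):
    """Return (src, dst) dotted strings for an IPv4 packet, else None."""
    if linktype == LINKTYPE_ETHERNET:
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            return None  # ARP, IPv6, 802.1Q-tagged ... not plain IPv4
        ip = frame[14:]
    elif linktype == LINKTYPE_RAW_IPV4:
        ip = frame
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    return str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))


def audit_capture(data, host):
    """Compare an exported capture with the intent of the ACL.

    Counts records that were cut short (incl_len < orig_len, the symptom of
    a too-small max-size) and lists the endpoints of every IPv4 packet that
    is neither to nor from `host`.
    """
    linktype, snaplen, records = parse_pcap(data)
    report = {"linktype": linktype, "snaplen": snaplen, "packets": len(records),
              "truncated": 0, "non_ipv4": 0, "outside_filter": []}
    for incl_len, orig_len, frame in records:
        if incl_len < orig_len:
            report["truncated"] += 1
        ends = ipv4_endpoints(linktype, frame)
        if ends is None:
            report["non_ipv4"] += 1
        elif host not in ends:
            report["outside_filter"].append(ends)
    return report


def _ipv4_frame(src, dst, payload):
    """Ethernet header plus a minimal IPv4 header (UDP, checksum left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip_hdr + payload


def build_sample_pcap(host, snaplen):
    """Constructed stand-in for testcap.pcap; NOT a real router export.

    Three frames: one to `host`, one from `host` that the router cut at
    `snaplen` bytes, and one unrelated flow a correct ACL would never have
    let into the buffer.
    """
    frames = [_ipv4_frame("10.0.0.55", host, b"A" * 40),
              _ipv4_frame(host, "10.0.0.55", b"B" * 400),
              _ipv4_frame("10.0.0.1", "10.0.0.2", b"C" * 40)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 1700000000 + i, 0, len(kept), len(frame)) + kept
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: epc_check.py testcap.pcap 184.108.40.206
        with open(sys.argv[1], "rb") as f:
            report = audit_capture(f.read(), sys.argv[2])
    else:                   # no arguments: audit the constructed sample instead
        report = audit_capture(build_sample_pcap("184.108.40.206", 128), "184.108.40.206")
    print(report)
    if report["truncated"]:
        print("max-size too small: %d record(s) cut short" % report["truncated"])
    if report["outside_filter"]:
        print("ACL mismatch: %d packet(s) outside the filter" % len(report["outside_filter"]))
```

Run it against the real export as `python epc_check.py testcap.pcap <host>` with the host from your ACL. A non-zero truncated count means the buffer's max-size was smaller than the packets on the wire; anything in outside_filter means the ACL let through more than you intended, which matters because that traffic has now left the router in cleartext.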
Once the file is uploaded, remove the buffer and the capture point. The first command deletes the buffer and everything in it (if you only want to empty it and keep the definition, use monitor capture buffer holdpackets clear instead); the second removes the capture point and must repeat the parameters it was created with:
Router# no monitor capture buffer holdpackets
Router# no monitor capture point ip cef testcap all both
To check which capture points are defined, what they are associated with and whether any are still active, use:
Router# sh monitor capture point all