Friday, September 30, 2011

IOS Packet Captures

It's actually quite easy to do full packet captures with ACL Filters on routers.  This is at times much better than relying on debugs to troubleshoot issues.  Here's how (in this case a SIP Signaling Packet Capture):

1. Create Traffic Profile.  Here, for SIP Signaling
!in config mode

access-list 123 permit udp any any eq 5060
access-list 123 permit tcp any any eq 5060

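ip traffic-export profile SIP-CAP mode capture
   !bidirectional is needed for the outgoing filter to take effect;
   !without it only incoming traffic is exported
   bidirectional
   incoming access-list 123
   outgoing access-list 123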

2. Apply to an interface
!in config mode
int g0/0
   ip traffic-export apply SIP-CAP

3. Capture the traffic
!in enable mode
 #traffic-export int g0/0 clear
 #traffic-export int g0/0 start
 #traffic-export int g0/0 stop

4. Export the CAP to a server using ftp or tftp
!in enable mode
 #traffic-export int g0/0 copy ftp://x.x.x.x/capture.pcap
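
To check the exported capture.pcap without opening Wireshark, the following added example (not part of the original post) reads a classic pcap file and lists the SIP start line of every packet sent to port 5060, the same destination-port test ACL 123 applies. It assumes an Ethernet link type and IPv4; the function names and the sample capture are constructed for illustration.

```python
import socket
import struct
SIP_PORT = 5060  # the port ACL 123 permits

def sip_start_lines(pcap):
    """Return (proto, src, dst, first line) for each packet sent to port 5060."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")  # assumption: Ethernet framing
    found, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or len(ip) < 20:
            continue  # not IPv4
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        l4 = ip[ihl:struct.unpack("!H", ip[2:4])[0]]  # drop Ethernet padding
        if proto not in (6, 17) or len(l4) < (20 if proto == 6 else 8):
            continue  # neither complete TCP nor complete UDP
        if struct.unpack("!H", l4[2:4])[0] != SIP_PORT:
            continue  # ACL 123 matches the destination port only
        data = l4[8:] if proto == 17 else l4[(l4[12] >> 4) * 4:]
        if data:  # skip TCP segments with no payload
            line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
            found.append(("udp" if proto == 17 else "tcp",
                          socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), line))
    return found

def build_record(proto, src, dst, sport, dport, data):
    """Build one constructed Ethernet/IPv4 frame wrapped in a pcap record."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 1024, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    eth = b"\x00" * 12 + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + build_record(17, "192.0.2.10", "192.0.2.20", 5060, 5060, b"INVITE sip:100@192.0.2.20 SIP/2.0\r\n\r\n")
          + build_record(6, "192.0.2.10", "192.0.2.20", 40000, 5060, b"REGISTER sip:192.0.2.20 SIP/2.0\r\n\r\n")
          + build_record(17, "192.0.2.20", "192.0.2.10", 5060, 32000, b"SIP/2.0 200 OK\r\n\r\n"))

if __name__ == "__main__":
    print(*sip_start_lines(SAMPLE), sep="\n")
```

For a real export, pass the file contents instead of SAMPLE, for example `sip_start_lines(open("capture.pcap", "rb").read())`.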