Thursday, 16 April 2020

Embedded Packet Capture

Today we are going to discuss regarding an interesting topic which I came across during a troubleshooting of a reported incident and we were asked to capture and analyze the packets send and received on a router.

So here we will be focusing on the feature of EPC for Cisco IOS.

Will discuss -

What is EPC
When to use EPC
How to enable EPC -->Configuration
How to disable EPC -->Configuration

So let’s start

What is EPC?

EPC is Embedded Packet Capture which a feature of Cisco IOS which allow us to capture packets transiting a Cisco router.
Available IOS 12.4.20T and above.
Once you enable this feature the router starts capturing the send and received packets.
This Is temporary  enabled and don’t remain in place after reboot
These packets are stored in DRAM of the router.
We can examine the packet on the router itself in summary or detailed manner
We can also export these packets in  Packet Capture (pcap) format
When to use EPC ?

Before using EPC it is very important to understand the potential impact of this command in production network.

Always keep note of CPU utilization of the router before and after using the EPC feature.

EPC Configuration 

=================


EPC LAB



During configuration we will come across of 2 things -Capture Buffer  & Capture Point

Routing is already in place and our user PC1 able to access the server 3.3.3.3 which over the cloud .

PC1> ping 3.3.3.3

84 bytes from 3.3.3.3 icmp_seq=1 ttl=253 time=29.002 ms

84 bytes from 3.3.3.3 icmp_seq=2 ttl=253 time=29.002 ms

84 bytes from 3.3.3.3 icmp_seq=3 ttl=253 time=30.002 ms

84 bytes from 3.3.3.3 icmp_seq=4 ttl=253 time=33.002 ms

84 bytes from 3.3.3.3 icmp_seq=5 ttl=253 time=40.002 ms



Now we need to capture the traffic send and received on  the interface fa0/0 Of INTERNET ROUTER only for the user PC1 and not for the other users

Step 1 :- Define Capture Buffer.

We need to first define a 'capture buffer', which is a temporary buffer where the captured packets are stored.

We need to configure this commands in privilege mode and not in configuration mode since it not the part of the global configuration of the router.


INTERNET_ROUTER#monitor capture buffer techbuf size 2048 linear

We have defined a “capture buffer” named techbuf which will have a buffer size of 2048 (default 68) with linear option

There are various options that can be selected when the buffer is defined; such as size, maxium packet size, and circular/linear

Linear Capture Buffer: When the capture buffer is full, it stops capturing data.

Circular Capture Buffer: When the capture buffer is full, it continues capturing data by overwriting older data


Step 2- Create ACL to define the traffic and apply same on Capture Buffer


INTERNET_ROUTER(config)#ip access-list extended techbuf_filter

INTERNET_ROUTER(config-ext-nacl)#permit ip host 10.1.1.10 host 3.3.3.3

INTERNET_ROUTER(config-ext-nacl)#permit ip host 3.3.3.3 host 10.1.1.10

INTERNET_ROUTER(config-ext-nacl)#^Z

INTERNET_ROUTER#monitor capture buffer techbuf filter access-list techbuf_filter

Filter Association succeeded

Our access list includes traffic originating from both hosts because we want to capture bidirectional traffic.

If we included only one ACL statement, then only one-way traffic would be captured.


Step 3- Define a 'capture point'

The capture Point defines –

Location where the capture occurs

Whether the capture is for IPV4 or IPV6

Also switching path – Process Vs CEF


INTERNET_ROUTER(config)#ip cef

INTERNET_ROUTER#monitor capture point ip cef techpoint fastEthernet 0/0 ?

  both  capture ingress and egress

  in    capture on ingress

  out   capture on egress

INTERNET_ROUTER#monitor capture point ip cef techpoint fastEthernet 0/0 both

*Jul  4 12:49:33.095: %BUFCAP-6-CREATE: Capture Point techpoint created.

Step 4-Attach the buffer to the capture point


INTERNET_ROUTER#monitor capture point associate ?

  WORD  Name of the Capture Point

INTERNET_ROUTER#monitor capture point associate techpoint ?

  WORD  Name of the Capture Buffer

INTERNET_ROUTER#monitor capture point associate techpoint techbuf

INTERNET_ROUTER#^Z

INTERNET_ROUTER#show monitor capture buffer techbuf

INTERNET_ROUTER#show monitor capture point techpoint

Status Information for Capture Point techpoint

IPv4 CEF

Switch Path: IPv4 CEF            , Capture Buffer: techbuf

Status : Inactive

Configuration:

monitor capture point ip cef techpoint FastEthernet0/0 both


Step 5-Start the capture


INTERNET_ROUTER#monitor capture point start techpoint

*Jul 06 00:26:34.067: %BUFCAP-6-ENABLE: Capture Point techpoint enabled.


Step 6 – Capture in now live

Allow the packets to flow


Step 7 - Stop the capture

monitor capture point stop techpoint


Step 8 -Examine the buffer

show monitor capture buffer techbuf dump

Now this output shows only the HEX dump of packet capture .


So there are 2 options to make it human readable


Option 1- Export the buffer from Router

monitor capture buffer techbuf export tftp://10.1.1.101/BUF.pcap

Here we would need an TFTP server.

If we don’t have any TFTP server we can go for option 2.


Option 2 – Use online HEX-PCAP converter

We can take a copy of the hex dump and use any online hex-pcap convertor in order to view the files


Step 9 – Delete the capture point and capture buffer


Once we are done we the packet capture we can delete the capture buffer and capture point


no monitor capture point ip cef techpoint fastEthernet 0/0 both

no monitor capture buffer techbuff


Diagram - TFTP STEPS
=====================

TFTP


Diagram - EPC WIRESHARK PCAP FILE SNAPSHOT
===========================================

EPC WIRESHARK OUTPUT


INTERNET_ROUTER#show monitor capture buffer techbuf dump

10:59:13.871 UTC Jul 6 2018 : IPv4 CEF Turbo  : Fa0/0 None



678F2CB0:                            CA011368              J..h

678F2CC0: 00000050 79666800 08004500 0054FE3E  ...Pyfh...E..T~>

678F2CD0: 00003F01 6C5A0A01 010A0303 03030800  ..?.lZ..........

678F2CE0: E10C3EFE 00010809 0A0B0C0D 0E0F1011  a.>~............

678F2CF0: 12131415 16171819 1A1B1C1D 1E1F2021  .............. !

678F2D00: FD                                   }



10:59:13.907 UTC Jul 6 2018 : IPv4 CEF Turbo  : Se1/0 Fa0/0

...

<output omitted>


The above  commands will show you the capture buffer " techbuf" dump output on the router itself

Hopefully This would help you all and get a good understanding regarding the feature of EPC

Thanks for Reading

No comments:

Post a Comment