Thursday 16 April 2020

Embedded Packet Capture

Today we are going to discuss an interesting topic I came across while troubleshooting a reported incident, where we were asked to capture and analyze the packets sent and received on a router.

So here we will focus on the Embedded Packet Capture (EPC) feature of Cisco IOS.

We will discuss:

What is EPC
When to use EPC
How to enable EPC --> Configuration
How to disable EPC --> Configuration

So let's start.

What is EPC?

EPC (Embedded Packet Capture) is a feature of Cisco IOS that allows us to capture packets transiting a Cisco router.
Available in IOS 12.4.20T and above.
Once you enable this feature the router starts capturing the packets sent and received.
It is enabled temporarily and does not remain in place after a reboot.
Captured packets are stored in the router's DRAM.
We can examine the packets on the router itself in summary or detailed form.
We can also export the packets in Packet Capture (pcap) format.

When to use EPC?

Before using EPC it is very important to understand the potential impact of this feature on a production network.

Always note the CPU utilization of the router before and after using the EPC feature.

EPC Configuration 

=================


Diagram - EPC LAB



During configuration we will come across two things: the Capture Buffer and the Capture Point.

Routing is already in place and our user PC1 is able to reach the server 3.3.3.3 across the cloud.

PC1> ping 3.3.3.3

84 bytes from 3.3.3.3 icmp_seq=1 ttl=253 time=29.002 ms

84 bytes from 3.3.3.3 icmp_seq=2 ttl=253 time=29.002 ms

84 bytes from 3.3.3.3 icmp_seq=3 ttl=253 time=30.002 ms

84 bytes from 3.3.3.3 icmp_seq=4 ttl=253 time=33.002 ms

84 bytes from 3.3.3.3 icmp_seq=5 ttl=253 time=40.002 ms



Now we need to capture the traffic sent and received on interface fa0/0 of INTERNET_ROUTER, only for the user PC1 and not for the other users.

Step 1 - Define the Capture Buffer

We first need to define a 'capture buffer', which is a temporary buffer where the captured packets are stored.

We need to enter these commands in privileged EXEC mode and not in configuration mode, since they are not part of the router's global configuration.


INTERNET_ROUTER#monitor capture buffer techbuf size 2048 linear

We have defined a capture buffer named techbuf with a buffer size of 2048 (default 68) and the linear option.

There are various options that can be selected when the buffer is defined, such as size, maximum packet size, and circular/linear:

Linear Capture Buffer: When the capture buffer is full, it stops capturing data.

Circular Capture Buffer: When the capture buffer is full, it continues capturing data by overwriting older data.


Step 2 - Create an ACL to define the traffic and apply it to the Capture Buffer


INTERNET_ROUTER(config)#ip access-list extended techbuf_filter

INTERNET_ROUTER(config-ext-nacl)#permit ip host 10.1.1.10 host 3.3.3.3

INTERNET_ROUTER(config-ext-nacl)#permit ip host 3.3.3.3 host 10.1.1.10

INTERNET_ROUTER(config-ext-nacl)#^Z

INTERNET_ROUTER#monitor capture buffer techbuf filter access-list techbuf_filter

Filter Association succeeded

Our access list includes traffic originating from both hosts because we want to capture bidirectional traffic.

If we included only one ACL statement, then only one-way traffic would be captured.


Step 3 - Define a 'capture point'

The capture point defines:

The location where the capture occurs

Whether the capture is for IPv4 or IPv6

The switching path (Process vs CEF)


INTERNET_ROUTER(config)#ip cef

INTERNET_ROUTER#monitor capture point ip cef techpoint fastEthernet 0/0 ?

  both  capture ingress and egress

  in    capture on ingress

  out   capture on egress

INTERNET_ROUTER#monitor capture point ip cef techpoint fastEthernet 0/0 both

*Jul  4 12:49:33.095: %BUFCAP-6-CREATE: Capture Point techpoint created.

Step 4 - Attach the buffer to the capture point


INTERNET_ROUTER#monitor capture point associate ?

  WORD  Name of the Capture Point

INTERNET_ROUTER#monitor capture point associate techpoint ?

  WORD  Name of the Capture Buffer

INTERNET_ROUTER#monitor capture point associate techpoint techbuf

INTERNET_ROUTER#^Z

INTERNET_ROUTER#show monitor capture buffer techbuf

INTERNET_ROUTER#show monitor capture point techpoint

Status Information for Capture Point techpoint

IPv4 CEF

Switch Path: IPv4 CEF            , Capture Buffer: techbuf

Status : Inactive

Configuration:

monitor capture point ip cef techpoint FastEthernet0/0 both


Step 5 - Start the capture


INTERNET_ROUTER#monitor capture point start techpoint

*Jul 06 00:26:34.067: %BUFCAP-6-ENABLE: Capture Point techpoint enabled.


Step 6 - The capture is now live

Allow the packets to flow.


Step 7 - Stop the capture

monitor capture point stop techpoint


Step 8 - Examine the buffer

show monitor capture buffer techbuf dump

This output shows only a hex dump of the captured packets.


So there are two options to make it human readable:


Option 1 - Export the buffer from the router

monitor capture buffer techbuf export tftp://10.1.1.101/BUF.pcap

Here we would need a TFTP server.

If we don't have a TFTP server we can go for option 2.


Option 2 - Use an online hex-to-pcap converter

We can copy the hex dump and use any online hex-to-pcap converter in order to view the packets.


Step 9 - Delete the capture point and capture buffer


Once we are done with the packet capture we can delete the capture buffer and capture point.


no monitor capture point ip cef techpoint fastEthernet 0/0 both

no monitor capture buffer techbuf


Diagram - TFTP STEPS
=====================

[Figure: TFTP export steps]


Diagram - EPC WIRESHARK PCAP FILE SNAPSHOT
===========================================

[Figure: EPC capture opened in Wireshark]


INTERNET_ROUTER#show monitor capture buffer techbuf dump

10:59:13.871 UTC Jul 6 2018 : IPv4 CEF Turbo  : Fa0/0 None



678F2CB0:                            CA011368              J..h

678F2CC0: 00000050 79666800 08004500 0054FE3E  ...Pyfh...E..T~>

678F2CD0: 00003F01 6C5A0A01 010A0303 03030800  ..?.lZ..........

678F2CE0: E10C3EFE 00010809 0A0B0C0D 0E0F1011  a.>~............

678F2CF0: 12131415 16171819 1A1B1C1D 1E1F2021  .............. !

678F2D00: FD                                   }



10:59:13.907 UTC Jul 6 2018 : IPv4 CEF Turbo  : Se1/0 Fa0/0

...

<output omitted>


The above command shows the dump of the capture buffer "techbuf" on the router itself.

Hopefully this helps you get a good understanding of the EPC feature.

Thanks for reading.
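The dump above is exactly what Option 2 in Step 8 hands to a hex-to-pcap converter. As an added example (not part of the original post, and not a Cisco tool), here is an offline converter in Python that parses that same "show monitor capture buffer techbuf dump" text into a pcap file Wireshark can open, so a capture taken on a production router never has to be pasted into a third-party website. It assumes the dump layout shown above (a timestamp header line per packet, then hex rows whose ASCII column is separated from the hex groups by two or more spaces) and treats the timestamps as UTC. Because EPC only stores up to the buffer's maximum packet size per packet (the "default 68" mentioned in Step 1), the converter reads the IPv4 total length to record how long the frame really was. The first sample packet is the one printed above; the second, the echo reply, is constructed here.

```python
"""Offline converter for 'show monitor capture buffer NAME dump' text -> pcap.

Added example, not from the original post. Assumes the dump layout seen on
the page: one header line per packet
    HH:MM:SS.mmm TZ Mon D YYYY : <switch path> : <in-if> <out-if>
followed by rows 'OFFSET: g1 g2 g3 g4  <ascii>' holding up to 16 bytes.
Timestamps are treated as UTC whatever the zone label says (assumption).
"""
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

HEADER_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d+) (\S+) ([A-Za-z]{3}) (\d{1,2}) (\d{4}) : (.+?) : (\S+) (\S+)\s*$"
)
ROW_RE = re.compile(r"^([0-9A-Fa-f]{8}):(.*)$")
HEX_GROUP_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")  # 1..4 bytes per group


@dataclass
class Packet:
    ts_sec: int
    ts_usec: int
    switch_path: str
    in_if: str
    out_if: str
    data: bytes = b""


def _parse_hex_row(rest: str) -> bytes:
    # Hex groups are separated from the ASCII column by two or more spaces,
    # so only the first run of single-space-separated groups is data.
    groups = re.split(r" {2,}", rest.strip())[0].split()
    out = bytearray()
    for g in groups:
        if not HEX_GROUP_RE.match(g):
            raise ValueError(f"unexpected token in hex row: {g!r}")
        out += bytes.fromhex(g)
    return bytes(out)


def parse_dump(text: str) -> List[Packet]:
    packets: List[Packet] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            hms, _tz, mon, day, year, path, in_if, out_if = m.groups()
            dt = datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d %Y %H:%M:%S.%f")
            dt = dt.replace(tzinfo=timezone.utc)  # assumption: UTC
            packets.append(Packet(int(dt.timestamp()), dt.microsecond, path.strip(), in_if, out_if))
            continue
        m = ROW_RE.match(line)
        if m and packets:
            packets[-1].data += _parse_hex_row(m.group(2))
    return [p for p in packets if p.data]  # drop headers whose rows were cut off


def original_length(data: bytes) -> int:
    """Wire length of the frame: EPC truncates at the buffer's max packet
    size, so for IPv4 use 14 (Ethernet) + the IP total length field."""
    if len(data) >= 34 and data[12:14] == b"\x08\x00":
        ip_total = struct.unpack("!H", data[16:18])[0]
        return max(len(data), 14 + ip_total)
    return len(data)


def describe(p: Packet) -> str:
    d = p.data
    if len(d) >= 34 and d[12:14] == b"\x08\x00":
        src = ".".join(str(b) for b in d[26:30])
        dst = ".".join(str(b) for b in d[30:34])
        flow = f"{src} -> {dst} proto {d[23]}"
    else:
        flow = "non-IPv4 frame"
    return f"{p.in_if} -> {p.out_if}: {flow}, captured {len(d)} of {original_length(d)} bytes"


def to_pcap(packets: List[Packet]) -> bytes:
    # Global header: magic, version 2.4, tz offset 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for p in packets:
        out += struct.pack("<IIII", p.ts_sec, p.ts_usec, len(p.data), original_length(p.data))
        out += p.data
    return bytes(out)


def write_pcap(path: str, packets: List[Packet]) -> None:
    with open(path, "wb") as f:
        f.write(to_pcap(packets))


# Constructed sample: packet 1 is the dump shown in the post; packet 2 (the
# echo reply) is invented here so the file has two records.
SAMPLE_DUMP = """\
INTERNET_ROUTER#show monitor capture buffer techbuf dump
10:59:13.871 UTC Jul 6 2018 : IPv4 CEF Turbo  : Fa0/0 None

678F2CB0:                            CA011368              J..h
678F2CC0: 00000050 79666800 08004500 0054FE3E  ...Pyfh...E..T~>
678F2CD0: 00003F01 6C5A0A01 010A0303 03030800  ..?.lZ..........
678F2CE0: E10C3EFE 00010809 0A0B0C0D 0E0F1011  a.>~............
678F2CF0: 12131415 16171819 1A1B1C1D 1E1F2021  .............. !
678F2D00: FD                                   }

10:59:13.907 UTC Jul 6 2018 : IPv4 CEF Turbo  : Se1/0 Fa0/0

678F2D20: 00507966 6800CA01 13680000 08004500  .Pyfh.J..h....E.
678F2D30: 00541234 0000FD01 00000303 03030A01  .T.4..}.........
678F2D40: 010A0000 E90C3EFE 00010809 0A0B0C0D  ....i.>~........
678F2D50: 0E0F1011 12131415 16171819 1A1B1C1D  ................
678F2D60: 1E1F2021                             .. !
"""

if __name__ == "__main__":
    pkts = parse_dump(SAMPLE_DUMP)
    for p in pkts:
        print(describe(p))
    write_pcap("techbuf.pcap", pkts)
```

Paste the router's real dump into a file and pass its contents to parse_dump in place of SAMPLE_DUMP; the resulting techbuf.pcap opens in Wireshark with the packet list showing 69 of 98 bytes captured for the echo request, which is the visible effect of the buffer's maximum packet size.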
