Packet Capture – Cisco IOS

Here is the packet capture (Embedded Packet Capture) procedure on Cisco IOS, with specific source IPs, destination IPs, and ports incorporated into the step-by-step process:

1. Create an access list:

To capture traffic from a specific source IP, destination IP, or port, you need to create an access list that permits the traffic you want to capture. Here are some examples:

– Capturing packets with a specific source IP:

     Router(config)# access-list 101 permit ip host 192.168.1.1 any

– Capturing packets with a specific destination IP:

     Router(config)# access-list 102 permit ip any host 192.168.1.2

– Capturing packets with a specific source and destination IP:

     Router(config)# access-list 103 permit ip host 192.168.1.1 host 192.168.1.2

– Capturing packets on a specific port (e.g., TCP 80):

     Router(config)# access-list 104 permit tcp any any eq 80

– Capturing packets with a specific source IP and port:

     Router(config)# access-list 105 permit tcp host 192.168.1.1 any eq 80

2. Create a capture buffer:

This is where captured data will be stored. You can specify the buffer size and the maximum packet length. Use a name that is relevant to your capture scenario. Note that the `monitor capture` commands are entered in privileged EXEC mode, not configuration mode:

     Router# monitor capture buffer BUFFER1

3. Create a capture point:

This specifies where in the processing path the capture will take place (here, the CEF path on a given interface) and the direction of traffic to capture. Use a name that is relevant to your capture scenario:

     Router# monitor capture point ip cef CAPPOINT1 FastEthernet0/0 both

4. Associate the capture buffer with the capture point:

     Router# monitor capture point associate CAPPOINT1 BUFFER1

5. Apply the access list as a filter on the capture buffer:

In IOS Embedded Packet Capture the access list is attached to the capture buffer, not to the capture point. Only packets permitted by the access list are written to the buffer:

     Router# monitor capture buffer BUFFER1 filter access-list 101

6. Start the capture:

     Router# monitor capture point start CAPPOINT1

7. Show the capture:

Without the `dump` keyword this command only shows the buffer parameters and packet count; add `dump` to display the captured packets themselves:

     Router# show monitor capture buffer BUFFER1 dump

8. Stop the capture:

     Router# monitor capture point stop CAPPOINT1

Remember to replace “FastEthernet0/0” with the interface you want to capture on, and the IP addresses and port numbers in these examples with the ones that are relevant to your situation. Also, replace “BUFFER1” and “CAPPOINT1” with names that are meaningful for your capture scenario.

As with the previous instructions, you can also export the capture to a .pcap file for further analysis with a tool like Wireshark:

     Router# monitor capture buffer BUFFER1 export tftp://192.168.1.2/MYBUFFER.pcap
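Once the buffer has been exported, a quick way to confirm that the access-list filter did what you intended is to parse the .pcap and match every packet against the access control entry you configured. The following Python script is an added example, not part of the original post: it understands only the `permit <ip|tcp|udp> {host A.B.C.D|any} {host A.B.C.D|any} [eq port]` shapes used in step 1, reads the classic little-endian pcap format, and, in place of a real TFTP export, uses a small pcap constructed inline.

```python
import struct
from ipaddress import IPv4Address

PROTO = {"ip": None, "tcp": 6, "udp": 17}   # ACE protocol keyword -> IP protocol number (None = any)

def parse_ace(ace):
    """Parse an ACE such as 'permit tcp host 192.168.1.1 any eq 80' into match criteria."""
    tok = ace.split()
    assert tok[0] == "permit" and tok[1] in PROTO, "unsupported ACE"
    i, addrs = 2, []
    for _ in range(2):                                  # source address, then destination
        if tok[i] == "any": addrs.append(None); i += 1
        elif tok[i] == "host": addrs.append(tok[i + 1]); i += 2
        else: raise ValueError("only 'host A.B.C.D' and 'any' are supported")
    dport = int(tok[i + 1]) if len(tok) > i and tok[i] == "eq" else None
    return {"proto": PROTO[tok[1]], "src": addrs[0], "dst": addrs[1], "dport": dport}

def matches(ace, pkt):                                  # True when every non-wildcard ACE field agrees
    src, dst, proto, dport = pkt
    pairs = ((ace["proto"], proto), (ace["src"], src), (ace["dst"], dst), (ace["dport"], dport))
    return all(want is None or want == got for want, got in pairs)

def packets(pcap):
    """Yield (src, dst, proto, dport) for each Ethernet/IPv4 record of a little-endian pcap."""
    assert struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4, "unexpected pcap magic"
    off = 24                                            # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        f = pcap[off + 16:off + 16 + incl]; off += 16 + incl
        if f[12:14] != b"\x08\x00": continue            # not IPv4
        ihl, proto = (f[14] & 0x0F) * 4, f[23]
        dport = struct.unpack_from("!H", f, 14 + ihl + 2)[0] if proto in (6, 17) else None
        yield str(IPv4Address(f[26:30])), str(IPv4Address(f[30:34])), proto, dport

def audit(pcap, ace_text):
    """Return (matching, stray); stray > 0 means the buffer was not filtered as intended."""
    ace = parse_ace(ace_text)
    hits = [matches(ace, p) for p in packets(pcap)]
    return sum(hits), len(hits) - sum(hits)

def _frame(src, dst, dport):                            # constructed Ethernet/IPv4/TCP SYN, checksums left zero
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp
def _pcap(frames):                                      # constructed pcap: global header + one record per frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

# Constructed sample export: two packets to port 80 plus one stray packet to port 443.
SAMPLE = _pcap([_frame("192.168.1.1", "10.0.0.5", 80), _frame("192.168.1.1", "10.0.0.6", 80),
                _frame("192.168.1.1", "10.0.0.5", 443)])
```

Against access-list 105 (`permit tcp host 192.168.1.1 any eq 80`) the sample reports 2 matching packets and 1 stray, which is the signal that the filter was not applied to the buffer before the capture started.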

And as before, the `terminal length 0` command can be used if you want to view the entire capture output at once, which disables the default behavior of pausing the output after a certain number of lines.

Finally, as with all configuration changes, remember to save your changes with `copy running-config startup-config` if you want them to persist after a reboot.