Tuesday, 22 January 2013

IP Packet capture

IP Traffic Export Profiles Overview

All packet export configurations are specified using IP traffic export profiles, which consist of IP-traffic-export-related command-line interfaces (CLIs) that control various attributes for both incoming and outgoing exported IP traffic. You can configure a router with multiple IP traffic export profiles. (Each profile must have a different name.) You can apply different profiles on different interfaces.
The two different IP traffic export profiles are as follows:
The global configuration profile, which is configured by the ip traffic-export profile command.
The IP traffic export submode configuration profile, which is configured by any of the following router IP Traffic Export (RITE) commands—bidirectional, incoming, interface, mac-address, and outgoing.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip traffic-export profile profile-name
4. interface interface-name
5. bidirectional
6. mac-address H.H.H
7. incoming {access-list {standard | extended | named} | sample one-in-every packet-number}
8. outgoing {access-list {standard | extended | named} | sample one-in-every packet-number}
9. exit
10. interface type number
11. ip traffic-export apply profile-name

DETAILED STEPS


 
Command or Action
Purpose
Step 1 
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2 
configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3 
ip traffic-export profile profile-name
Example:
Router(config)# ip traffic-export profile my_rite
Creates or edits an IP traffic export profile, enables the profile on an ingress interface, and enters RITE configuration mode.
Step 4 
interface interface-name
Example:
Router(config-rite)# interface FastEthernet 0/1
Specifies the outgoing (monitored) interface for exported traffic.
Note If you do not enter this command, the profile will not recognize an interface in which to send the captured IP traffic.
Step 5 
bidirectional
Example:
Router(config-rite)# bidirectional
(Optional) Exports incoming and outgoing IP traffic on the monitored interface.
Note If you do not enable this command, only incoming traffic is exported.
Step 6 
mac-address H.H.H
Example:
Router(config-rite)# mac-address 00a.8aab.90a0
Specifies the 48-bit address of the destination host that is receiving the exported traffic.
Note If you do not enter this command, the profile will not recognize a destination host in which to send the exported packets.
Step 7 
incoming {access-list {standard | extended | named} | sample one-in-every packet-number}
Example:
Router(config-rite)# incoming access-list my_acl
(Optional) Configures filtering for incoming traffic.
After you create a profile using the ip traffic-export profile command, this functionality is enabled by default.
Step 8 
outgoing {access-list {standard | extended | named} | sample one-in-every packet-number}
Example:
Router(config-rite)# outgoing sample one-in-every 50
(Optional) Configures filtering for outgoing export traffic.
Note If you enter this command, you must also enter the bidirectional command, which enables outgoing traffic to be exported. However, only routed traffic (such as passthrough traffic) is exported; that is, traffic that originates from the network device is not exported.
Step 9 
exit
Exits RITE configuration mode.
Step 10 
interface type number
Example:
Router(config)# interface FastEthernet0/0
Configures an interface type and enters interface configuration mode.
Step 11 
ip traffic-export apply profile-name
Example:
Router(config-if)# ip traffic-export apply my_rite
Enables IP traffic export on an ingress interface.

Troubleshooting Tips

Creating an IP Traffic Export Profile
The interface and mac-address commands are required to successfully create a profile. If these commands are not entered, you will receive the following profile incomplete message when you enter the show running-config command:
ip traffic-export profile newone 
! No outgoing interface configured
! No destination mac-address configured
Applying an IP Traffic Export Profile to an interface
The following system logging messages should appear immediately after you activate and deactivate a profile from an interface (via the ip traffic-export apply profile command):
Activated profile:
%RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet 0/0.

Deactivated profile:
%RITE-5-DEACTIVATE: Deactivated IP traffic export on interface FastEthernet 0/0.

If you attempt to apply an incomplete profile to an interface, you will receive the following message:
Router(config-if)# ip traffic-export apply newone
RITE: profile newone has missing outgoing interface

What to Do Next

After you configure a profile and enable the profile on an ingress interface, you can monitor IP traffic exporting events and verify your profile configurations. To complete these steps, see the "Displaying IP Traffic Export Configuration Data" section.

Configuring IP Traffic Capture

IP traffic export provides the capability to export IP traffic over an Ethernet port. IP traffic capture provides the capability to capture IP packets in local router memory, and then dump this data to a file on an external device, such as flash memory.
IP traffic capture is supported on the Cisco 1841, Cisco 2800 series, and Cisco 3800 series integrated services routers.
The following sections describe the configuration and control of IP traffic capture:

Configuring IP Traffic Capture

Perform the following steps to configure IP traffic capture.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip traffic-export profile profile-name mode capture
4. bidirectional
5. incoming {access-list {standard | extended | named} | sample one-in-every packet-number}
6. outgoing {access-list {standard | extended | named} | sample one-in-every packet-number}
7. length bytes
8. exit
9. interface type number
10. ip traffic-export apply profile-name size size

DETAILED STEPS


 
Command or Action
Purpose
Step 1 
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2 
configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3 
ip traffic-export profile profile-name mode capture
Example:
Router(config)# ip traffic-export profile my_rite mode capture
Creates or edits an IP traffic export profile for capture and enters RITE configuration mode.
Step 4 
bidirectional
Example:
Router(config-rite)# bidirectional
(Optional) Captures incoming and outgoing IP traffic on the monitored interface.
Note If you do not enable this command, only incoming traffic is captured.
Step 5 
incoming {access-list {standard | extended | named} | sample one-in-every packet-number}
Example:
Router(config-rite)# incoming access-list my_acl
(Optional) Configures filtering for incoming traffic.
After you have created a capture profile using ip traffic-export profile name mode capture, this functionality is enabled by default.
Step 6 
outgoing {access-list {standard | extended | named} | sample one-in-every packet-number}
Example:
Router(config-rite)# outgoing sample one-in-every 50
(Optional) Configures filtering for outgoing captured traffic.
Note If you enter this command, you must also enter the bidirectional command, which enables outgoing traffic to be captured. However, only routed traffic (such as passthrough traffic) is captured; that is, traffic that originates from the network device is not captured.
Step 7 
length bytes
Example:
Router(config-rite)# length 512
Specifies the length of the packet in capture mode. The options are 128, 256, and 512 bytes.
Step 8 
exit
Example:
Router(config-rite)# exit
Exits RITE configuration mode.
Step 9 
interface type number
Example:
Router(config)# interface FastEthernet0/0
Configures an interface type and enters interface configuration mode.
Step 10 
ip traffic-export apply profile-name size size
Example:
Router(config-if)# ip traffic-export apply my_rite size 10000000
Applies IP traffic capture on an ingress interface, and specifies the size of the capture buffer.
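
An added example, not part of the original post or the vendor documentation: because an export profile copies traffic to a destination MAC address, a configuration review should list every profile, where it sends packets, and which interfaces it monitors. This Python sketch parses a saved running-config for the export and capture commands described above and flags incomplete profiles; the sample configuration, its layout, the MAC address and the function name audit_rite are constructed assumptions.

```python
import re

# Constructed running-config sample (names, MAC and layout are assumptions).
SAMPLE_CONFIG = """\
ip traffic-export profile my_rite
 interface FastEthernet0/1
 bidirectional
 mac-address 0011.2233.4455
ip traffic-export profile newone
! No outgoing interface configured
! No destination mac-address configured
ip traffic-export profile my_cap mode capture
 length 512
interface FastEthernet0/0
 ip traffic-export apply my_rite
interface FastEthernet0/3
 ip traffic-export apply my_cap size 10000000
"""

PROFILE = re.compile(r"^ip traffic-export profile (\S+)( mode capture)?\s*$")
SUB = re.compile(r"^\s+(interface|mac-address) (.+?)\s*$")
IFACE = re.compile(r"^interface (.+?)\s*$")
APPLY = re.compile(r"^\s+ip traffic-export apply (\S+)")

def audit_rite(config):
    """Map each profile name to its mode, destination and monitored interfaces."""
    profiles, prof, iface = {}, None, None
    for line in config.splitlines():
        if m := PROFILE.match(line):
            prof, iface = profiles.setdefault(m.group(1), {"applied_on": []}), None
            prof["mode"] = "capture" if m.group(2) else "export"
        elif m := IFACE.match(line):
            prof, iface = None, m.group(1)
        elif prof is not None and (m := SUB.match(line)):
            prof[m.group(1)] = m.group(2)  # outgoing interface / destination MAC
        elif iface and (m := APPLY.match(line)):
            # An apply that names a profile not defined in the file is kept too.
            p = profiles.setdefault(m.group(1), {"applied_on": [], "mode": "undefined"})
            p["applied_on"].append(iface)
    for p in profiles.values():
        # Export needs an outgoing interface and a destination MAC; the capture
        # steps on the page take neither, so a capture profile is complete as is.
        p["complete"] = p["mode"] == "capture" or (
            p["mode"] == "export" and "interface" in p and "mac-address" in p)
    return profiles

if __name__ == "__main__":
    for name, p in audit_rite(SAMPLE_CONFIG).items():
        print(name, p)
```
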

Performing IP Traffic Capture

When traffic capture is configured, you control it with CLI commands. There are commands to clear the capture buffer, to start and stop packet capture, and to copy the capture buffer to an external memory device. These commands are:
traffic-export interface type number clear
traffic-export interface type number start
traffic-export interface type number stop
traffic-export interface type number copy
Use these commands in privileged EXEC mode at your discretion to perform the following operations:

Clear the IP Traffic Capture Buffer

To clear the packet capture buffer for the designated interface, use the traffic-export interface clear command.

Command or Action
Purpose
traffic-export interface type number clear

Example:
Router# traffic-export interface fastethernet0/0 clear
Clears the packet capture buffer.
Note The following system logging message should appear immediately after you enter the command:
%RITE-5-CAPTURE_CLEAR: Cleared IP traffic capture buffer for interface FastEthernet0/0
