Sunday, February 5, 2017

1.3.a (iii) Embedded packet capture

1.3.a Use IOS troubleshooting tools
1.3.a (i) debug, conditional debug
1.3.a (ii) ping, traceroute with extended options
1.3.a (iii) Embedded packet capture
1.3.a (iv) Performance monitor

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/configuration/15-mt/epc-15-mt-book/nm-packet-capture.html

Embedded Packet Capture (EPC) is an onboard packet capture facility that allows network administrators to capture packets flowing to, through, and from the device and to analyze them locally or save and export them for offline analysis by using a tool such as Wireshark. This feature simplifies network operations by allowing devices to become active participants in the management and operation of the network. This feature facilitates troubleshooting by gathering information about the packet format. This feature also facilitates application analysis and security.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Embedded Packet Capture

The Embedded Packet Capture (EPC) software subsystem consumes CPU and memory resources during its operation. You must have adequate system resources for different types of operations. Some guidelines for using the system resources are provided in the table below.
Table 1. System Requirements for the EPC Subsystem

System Resources    Requirements
Hardware            CPU utilization requirements are platform dependent.
Memory              The packet buffer is stored in DRAM. The size of the packet buffer is user specified.
Disk space          Packets can be exported to external devices. No intermediate storage on flash disk is required.

Restrictions for Embedded Packet Capture

  • In Cisco IOS Release 12.2(33)SRE, EPC is supported only on the 7200 platform.
  • EPC captures multicast packets only on ingress and does not capture the replicated packets on egress.
  • Currently, the capture file can only be exported off the device; for example, to TFTP or FTP servers and local disk.

Embedded Packet Capture Overview

Embedded Packet Capture (EPC) provides an embedded systems management facility that helps in tracing and troubleshooting packets. This feature allows network administrators to capture data packets flowing through, to, and from a Cisco device. The network administrator may define the capture buffer size and type (circular or linear) and the maximum number of bytes of each packet to capture. The packet capture rate can be throttled using further administrative controls. For example, options allow for filtering the packets to be captured using an Access Control List and, optionally, further limiting the capture by specifying a maximum packet capture rate or a sampling interval.

Benefits of EPC

Some of the benefits of this feature include:
  • Ability to capture IPv4 and IPv6 packets in the Cisco Express Forwarding (CEF) path.
  • A flexible method for specifying the capture buffer parameters.
  • Filter captured packets.
  • Methods to decode captured data packets with varying degrees of detail.
  • Facility to export the packet capture in PCAP format suitable for analysis using an external tool.
  • Extensible infrastructure for enabling packet capture points.

Capture Buffer

The capture buffer is an area in memory for holding the packet data. You can specify unique names, size and type of the buffer, and configure the buffer to handle incoming data as required.
The following types of data are stored in a capture buffer:
  • Packet data
  • Metadata
Packet data is copied starting at datagramstart, and the number of bytes copied to the capture buffer is the smaller of the per-packet capture size and datagramsize.
The metadata contains descriptive information about a set of packet data. It contains:
  • A timestamp of when it is added to a buffer.
  • The direction in which the packet data is transmitted--egress or ingress.
  • The switch path captured.
  • Encapsulation type corresponding to the input or output interface, to allow L2 decoding.
The following actions can be performed on capture buffers:
  • Define a capture buffer and associate it with a capture point.
  • Clear capture buffers.
  • Export capture buffers for offline analysis. Export writes off the file using one of the supported file transfer options: FTP, HTTP, HTTPS, PRAM, RCP, SCP, and TFTP.
  • Display content of the capture buffers.

Capture Point

The capture point is a traffic transit point where a packet is captured and associated with a buffer. You can define capture points by providing unique names and different parameters.
The following capture points are available:
  • IPv4 CEF/interrupt switching path with interface input and output
  • IPv6 CEF/interrupt switching path with interface input and output
You can perform the following actions on the capture point:
  • Associate or disassociate capture points with capture buffers. Each capture point can be associated with only one capture buffer.
  • Destroy capture points.
  • Activate packet capture points on a given interface. Multiple packet capture points can be made active on a given interface. For example, Border Gateway Protocol (BGP) packets can be captured into one capture buffer and Open Shortest Path First (OSPF) packets can be captured into another capture buffer.
  • Access Control Lists (ACLs) can be applied to capture points.
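
The capture buffer and capture point actions described above, walked through as one IOS session. This is an added example, not part of the original post or the Cisco document. The names EPC-BUF, EPC-POINT and EPC-FILTER, the interface, the user name and all addresses (RFC 5737 documentation ranges) are constructed placeholders, and the size and rate values are illustrative.

```text
! Added example: all names, addresses and values below are placeholders.
! 1. ACL that limits the capture to one conversation (both directions).
configure terminal
 ip access-list extended EPC-FILTER
  permit ip host 192.0.2.10 host 198.51.100.20
  permit ip host 198.51.100.20 host 192.0.2.10
 end
!
! 2. Capture buffer: 256 KB held in DRAM, at most 128 bytes kept per packet,
!    linear (stops when full; "circular" overwrites the oldest packets).
monitor capture buffer EPC-BUF size 256 max-size 128 linear
monitor capture buffer EPC-BUF filter access-list EPC-FILTER
! Throttle the capture rate to protect CPU on a busy interface.
monitor capture buffer EPC-BUF limit packets-per-sec 100
!
! 3. Capture point on the IPv4 CEF path, ingress and egress.
monitor capture point ip cef EPC-POINT GigabitEthernet0/1 both
! Each capture point is associated with exactly one buffer.
monitor capture point associate EPC-POINT EPC-BUF
!
! 4. Start, reproduce the problem, stop.
monitor capture point start EPC-POINT
monitor capture point stop EPC-POINT
!
! 5. Inspect locally, then export in PCAP format for Wireshark.
show monitor capture buffer EPC-BUF parameters
show monitor capture buffer EPC-BUF dump
monitor capture buffer EPC-BUF export scp://analyst@192.0.2.50/epc-buf.pcap
!
! 6. Clean up so nothing keeps capturing or holding DRAM.
monitor capture buffer EPC-BUF clear
monitor capture point disassociate EPC-POINT
no monitor capture point ip cef EPC-POINT GigabitEthernet0/1 both
no monitor capture buffer EPC-BUF
```

A capture holds packet payload up to max-size bytes per packet, so SCP or HTTPS is the better choice among the listed export transports; TFTP and FTP send the file in cleartext. Keeping max-size small captures headers while leaving most application data out of the buffer.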
