Cisco IOS debug commands and packet monitoring
Solution 1
You may look at the Embedded Packet Capture feature - 12.4(20)T or later.
Solution 2
If you're looking for a very specific data flow, this might be do-able on a Cisco device alone. You can get basic packet source / destination information like this.
    ip access-list extended acl-track-flow
     permit ip host 10.2.3.4 any log-input
     permit ip any any
log-input will cause the router to generate a syslog message every time the ACL entry is triggered, including the MAC address of the packet.
For more detail, you could use "debug ip packet acl [detail]", which should be run with an ACL filter to keep it from cratering your router.
Finally, you can do "debug ip packet acl dump", which is a hidden command. This will actually show you the full contents of the packets that match. Seriously un-recommend running this on a production router without a very specific ACL for a very small flow.
The correct answer is to configure a SPAN port on the downstream switch that mirrors all traffic on the router port to a Wireshark (or similar) capture device.
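What the log-input entries from the ACL above give you once they reach a syslog server, shown as an added example that is not part of the original answer: a parser that pulls the ingress interface, source MAC, addresses, protocol and ports out of each message and totals packets per flow. The message layout in the regex and the sample lines are constructed assumptions based on the usual %SEC-6-IPACCESSLOGP / IPACCESSLOGDP format; check them against your own router's output.

```python
import re
from collections import Counter

# Assumed layout of the ACL "log-input" syslog message; wording can vary by
# IOS release, so compare with real output from your device before relying on it.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>D?P):\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?\s+"
    r"\((?P<ifname>\S+)\s+(?P<mac>[^)]+)\)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?:\s+\((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?,\s+(?P<count>\d+)\s+packets?"
)

# Constructed sample lines (not captured from a real router).
SAMPLE = """\
*Mar  1 00:10:01.123: %SEC-6-IPACCESSLOGP: list acl-track-flow permitted tcp 10.2.3.4(51514) (FastEthernet0/0 0011.2233.4455) -> 192.0.2.10(443), 1 packet
*Mar  1 00:10:02.456: %SEC-6-IPACCESSLOGDP: list acl-track-flow permitted icmp 10.2.3.4 (FastEthernet0/0 0011.2233.4455) -> 192.0.2.20 (8/0), 1 packet
*Mar  1 00:15:01.789: %SEC-6-IPACCESSLOGP: list acl-track-flow permitted tcp 10.2.3.4(51514) (FastEthernet0/0 0011.2233.4455) -> 192.0.2.10(443), 37 packets
*Mar  1 00:15:05.000: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
"""

def parse_acl_log(line):
    """Return the fields of one ACL log-input message, or None for any other line."""
    m = ACL_LOG.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "icmp_type", "icmp_code", "count"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec

def packets_per_flow(lines):
    """Sum the per-message packet counts for each (mac, src, dst, proto, dport) flow."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec:
            key = (rec["mac"], rec["src"], rec["dst"], rec["proto"], rec["dport"])
            totals[key] += rec["count"]
    return totals

if __name__ == "__main__":
    for flow, pkts in packets_per_flow(SAMPLE.splitlines()).items():
        print(flow, pkts)
```

The MAC in these messages is the source MAC seen on the ingress interface, so this does not recover the destination MAC the question asks about; that still needs a packet capture.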
T. Webster
Updated on September 18, 2022
Comments
-
T. Webster over 1 year
There is a long list of debug commands. Are there any debug (or other IOS) commands which can capture detailed packet or frame (layer 2, 3) data across an interface? I know we have show-mac-address-table and show arp, but this doesn't show things like what was the destination MAC of the frame, the destination IPv4 of the packet, or what type of protocol (e.g. ICMP, ARP) used. Does IOS 12.3+ offer a way to do this?
All I have found as far as debug is
http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htarpmon.html#wp1203532
-
kralyk about 11 years
Why not use Wireshark and SPAN? cisco.com/en/US/products/hw/switches/ps708/…
-
cpt_fink about 11 years
EPC is very useful at a remote site where you don't have the ability to set up a SPAN port and a wireshark device.