alternate number (828)-505-7480

Ran into a situation where I needed to perform a packet capture on the WAN interface of a router that was facing an ISP.  The site was rather remote and so putting a hub in between the router and ISP and capturing the packets via Wireshark was going to be very time consuming.  Here is how to perform a packet capture right on the router and then export the capture to Wireshark for analysis.

  1. Create the capture buffer
    monitor capture buffer holdpackets
    monitor capture buffer holdpackets size 2048 max-size 1024
  2. Create capture profile.  (This will capture everything on the router, but you can use an access-list to filter this down)
    monitor capture point ip process-switched capturepackets both
  3. Associate the profile with the buffer
    monitor capture point associate capturepackets holdpackets
  4. Start the capture
    monitor capture point start capturepackets
  5. Generate traffic you want to capture and then view the buffer to verify captured packets (optional)
    show monitor capture buffer all parameters
  6. Stop the capture
    monitor capture point stop capturepackets
  7. Export the capture via TFTP for viewing in Wireshark
    monitor capture buffer holdpackets export tftp://10.1.1.11/capture.pcap
  8. Clear the buffer and start the capture over again at step 4 to repeat
    monitor capture buffer holdpackets clear

Here is the Cisco document that goes into further detail:  https://supportforums.cisco.com/docs/DOC-5799