.pcap on Cisco Router

Below is my basic set of steps for doing a packet capture on a CUBE. There are two ACLs. The first one, access-list 123, uses port 5060 to capture unsecured SIP messages only. The second ACL, WANSIDEACL, is used if you want to capture all traffic.

!access-list to filter only SIP messages (port 5060)
access-list 123 permit udp any any eq 5060
access-list 123 permit tcp any any eq 5060

!OR Use extended ACL with IP address
ip access-list extended WANSIDEACL
permit ip any host 135.196.1.100
!135.196.31.196 is IP address of WAN interface
permit ip host 135.196.1.100 any

!create profile
ip traffic-export profile SIP_PCAP_FILE mode capture
bidirectional
!use access-list 123 OR WANSIDEACL in the next two lines
incoming access-list 123
outgoing access-list 123

! apply to an interface, default memory is 5M
interface GigabitEthernet0/1
ip traffic-export apply SIP_PCAP_FILE size 5242880

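!the following are privileged EXEC commands, so leave configuration mode first
traffic-export interface GigabitEthernet0/1 clear
traffic-export interface GigabitEthernet0/1 start

!capture the problem, then stop the capture
traffic-export interface GigabitEthernet0/1 stop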

!Export the pcap file to a server
traffic-export interface GigabitEthernet0/1 copy ftp://10.100.1.100/capture.pcap
!if the FTP server needs a username and password
traffic-export interface GigabitEthernet0/1 copy ftp://alexis:alexis@10.100.1.100/capture.pcap
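
One way to confirm that the exported capture.pcap really contains SIP on port 5060 before opening it in an analyser. This is an added example, not part of the original post; it assumes the router exported a classic pcap file with Ethernet framing, handles IPv4/UDP only, and the function names and sample packets are constructed for illustration.

```python
import struct

def sip_start_lines(pcap_bytes, port=5060):
    """Return (src, dst, first line) for every UDP packet to or from `port`."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    results, offset = [], 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])[2]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN-tagged frames are skipped)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17 or len(ip) < ihl + 8:
            continue  # not UDP, or truncated
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if port not in (sport, dport):
            continue  # would not have matched access-list 123
        first = ip[ihl + 8:].split(b"\r\n", 1)[0].decode("ascii", "replace")
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        results.append((f"{src}:{sport}", f"{dst}:{dport}", first))
    return results

def sample_pcap():
    """Constructed capture: one SIP OPTIONS on 5060 and one unrelated UDP packet."""
    def frame(sport, dport, data):
        udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 20]), bytes([192, 0, 2, 10]))
        return b"\x00" * 12 + b"\x08\x00" + ip + udp
    frames = [frame(5060, 5060, b"OPTIONS sip:192.0.2.10 SIP/2.0\r\n\r\n"),
              frame(40000, 53, b"\x00" * 12)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for row in sip_start_lines(sample_pcap()):
        print(*row)
```

To run it against a real export, pass the file contents: `sip_start_lines(open("capture.pcap", "rb").read())`.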

About Alexis Katsavras

Working as Freelance Cisco Unified Communications Consultant in the UK. www.NetPacket.co.uk