I wanted this blog to be about using Flexible NetFlow Immediate Cache to capture packets. The problem from my limited understanding is that it can only be done on all TCP or UDP frames as there is currently no filtering capability. For example you can’t setup a Flexible NetFlow (FnF) Immediate Cache to capture only UDP voice traffic for a specific host. However, I recently learned about Cisco EEM (Embedded Event Manager) which basically allowed us to do what we needed.
Embedded Packet Capture or EPC:
Cisco IOS Embedded Packet Capture (EPC) is an onboard packet capture facility that allows network administrators to capture packets flowing to, through or from the device and to analyze them locally or save and export them for offline analysis using a tool like Wireshark. This feature simplifies operations by allowing the devices to become active participants in the management and operation of the network. This feature facilitates better troubleshooting by gathering information on packet format. It also facilitates application analysis and security. The above paragraph taken from Cisco.com .
EEM allows administrators to capture packets in a remote locations that they can’t immediately get to. In short, this feature allows network administrators to use a Cisco router to capture packets. It can capture based on a filter and FTP the trace to a location in .pcap format. This blog is about how to setup and configure this.
- Free memory on the router
- Free Flash memory for storage OR remote FTP/TFTP server for upload
OK, lets get started by getting into Config mode on the router.
I want to capture remote VoIP traffic because an end user is telling me he is getting a “lot of chop”. The person’s telephone has an IP address of 10.2.2.2 and I want to capture the traffic from and to this host which means I must make two access list entries. I called this access list ‘PCAP’.
#access-list 110 permit ip host 10.2.2.2 any
#access-list 110 permit ip any host 10.2.2.2
#access-list 110 remark PCAP
Now it is time to get into enable mode and check what kind of memory the router has available.
Next I’ll create a buffer called ‘voip-cap’ and then I’ll set aside 4096 (4 Megabytes) of memory to store the first 1500 bytes of every packet. This will allow me to save over 2,700 huge packets or tens of thousands of smaller packets. That should be plenty! I’ll also make it a circular buffer so that it will use FIFO logic and I can always go and download it if the user calls and tells me “I just had a lousy call!”.
Circular means FIFO (First In First Out). In other words, the router will continuously capture packets by getting rid of old packets. This is important because in part 2 we will discuss using a NetFlow trigger to send a PCAP of the desired traffic when there is a poor voice quality event. This FIFO method allows administrators to analyze the traffic that actually triggered the alert without DVRing all the traffic. It may not be as helpful to trigger an export after the problem occurred.
#monitor capture buffer voip-cap
#monitor capture buffer voip-cap size 4096 max-size 1500 circular
Now that the buffer has been created, I’ll assign the access list I create up above ‘110’ to it.
#monitor capture buffer voip-cap filter access-list 110
Now it is time to create a capture point ‘cpfa0/1’ which lists the interface the capture will take place on ‘fa0/1’.
#monitor capture point ip cef cpfa0/1 fa0/1 both
OK, stay with me! Next you associate the capture point ‘cpfa0/1 to the capture buffer we created ‘voip-cap’.
#monitor capture point associate cpfa0/1 voip-cap
We are ready to enable this. Lets check out the parameters:
#show monitor capture buffer voip-cap parameters
Let’s start it up!
#monitor capture point start cpfa0/1
Wait for the user to call us about a bad phone call. Stop the capture:
#monitor capture point stop cpfa0/1
FTP the capture to some place where you can get it.
#monitor capture buffer voip-cap export ftp://cfgbackup:[email protected]/remotedalecap.pcap
Open the attached with Wireshark or other favorite packet analyzer.
Remove the configuration for all of this and get back to work!
#no monitor capture buffer voip-cap
In the process of doing this, we learned that Wireshark will not playback g729 audio streams due to licensing costs. There are other ways to do that it though. By default only uncompressed audio is supported.
In Part 2 of this post, I will outline how to use Medianet Performance Monitoring with EEM and the packet capture feature to automatically send packet captures of poorly performing connections (e.g. poor voice quality). This will allow many companies to avoid the need to deploy packet capture probes.