I wanted this blog to be about using Flexible NetFlow Immediate Cache to capture packets. The problem from my limited understanding is that it can only be done on all TCP or UDP frames as there is currently no filtering capability. For example you can’t setup a Flexible NetFlow (FnF) Immediate Cache to capture only UDP voice traffic for a specific host.  However, I recently learned about Cisco EEM (Embedded Event Manager) which basically allowed us to do what we needed.

Embedded Packet Capture or EPC:
Cisco IOS Embedded Packet Capture (EPC) is an onboard packet capture facility that allows network administrators to capture packets flowing to, through or from the device and to analyze them locally or save and export them for offline analysis using a tool like Wireshark. This feature simplifies operations by allowing the devices to become active participants in the management and operation of the network. This feature facilitates better troubleshooting by gathering information on packet format. It also facilitates application analysis and security.  The above paragraph taken from Cisco.com .

EEM allows administrators to capture packets in a remote locations that they can’t immediately get to. In short, this feature allows network administrators to use a Cisco router to capture packets. It can capture based on a filter and FTP the trace to a location in .pcap format. This blog is about how to setup and configure this.


  • Free memory on the router
  • Free Flash memory for storage OR remote FTP/TFTP server for upload

OK, lets get started by getting into Config mode on the router.
#configure terminal

I want to capture remote VoIP traffic because an end user is telling me he is getting a “lot of chop”. The person’s telephone has an IP address of and I want to capture the traffic from and to this host which means I must make two access list entries. I called this access list ‘PCAP’.
#access-list 110 permit ip host any
#access-list 110 permit ip any host
#access-list 110 remark PCAP

Now it is time to get into enable mode and check what kind of memory the router has available.
> enable
#show memory

IOS Packet Capture to Wireshark

Next I’ll create a buffer called ‘voip-cap’ and then I’ll set aside 4096 (4 Megabytes) of memory to store the first 1500 bytes of every packet. This will allow me to save over 2,700 huge packets or tens of thousands of smaller packets.  That should be plenty! I’ll also make it a circular buffer so that it will use FIFO logic and I can always go and download it if the user calls and tells me “I just had a lousy call!”.

Circular means FIFO (First In First Out). In other words, the router will continuously capture packets by getting rid of old packets. This is important because in part 2 we will discuss using a NetFlow trigger to send a PCAP of the desired traffic when there is a poor voice quality event. This FIFO method allows administrators to analyze the traffic that actually triggered the alert without DVRing all the traffic. It may not be as helpful to trigger an export after the problem occurred.
#monitor capture buffer voip-cap
#monitor capture buffer voip-cap size 4096 max-size 1500 circular

Now that the buffer has been created, I’ll assign the access list I create up above ‘110’ to it.
#monitor capture buffer voip-cap filter access-list 110

Now it is time to create a capture point ‘cpfa0/1’ which lists the interface the capture will take place on ‘fa0/1’.
#monitor capture point ip cef cpfa0/1 fa0/1 both

OK, stay with me! Next you associate the capture point ‘cpfa0/1 to the capture buffer we created ‘voip-cap’.
#monitor capture point associate cpfa0/1 voip-cap

We are ready to enable this.  Lets check out the parameters:
#show monitor capture buffer voip-cap parameters

Capturing VoIP Packets

Let’s start it up!
#monitor capture point start cpfa0/1

Wait for the user to call us about a bad phone call.  Stop the capture:
#monitor capture point stop cpfa0/1

FTP the capture to some place where you can get it.
#monitor capture buffer voip-cap export ftp://cfgbackup:[email protected]/remotedalecap.pcap
Open the attached with Wireshark or other favorite packet analyzer.

Remove the configuration for all of this and get back to work!
#no monitor capture buffer voip-cap

In the process of doing this, we learned that Wireshark will not playback g729 audio streams due to licensing costs. There are other ways to do that it though.  By default only uncompressed audio is supported.

In Part 2 of this post, I will outline how to use Medianet Performance Monitoring with EEM and the packet capture feature to automatically send packet captures of poorly performing connections (e.g. poor voice quality). This will allow many companies to avoid the need to deploy packet capture probes.


Mike Patterson author pic


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.


Leave a Reply