This is part 2 of a two-part blog on using Cisco IOS on routers to capture specific packets that can be downloaded and viewed locally. Part 1 explains how to set up the packet capture. This second part explains how to combine Medianet Performance Monitoring with the Embedded Event Manager (EEM) and the embedded packet capture (EPC) feature so that the router automatically exports the packets involved in a connection problem. In this example, we are capturing VoIP traffic.

EEM is a Cisco IOS feature that allows very flexible event monitoring and action. It can trigger on syslog messages, SNMP objects and traps, timers, NetFlow events and other detectors, and the actions can be written either as a simple applet (as below) or as a Tcl script. What follows is very useful and clearly demonstrates the power of Cisco IOS and EEM.

Here is an overview of the list of steps necessary to pull this off:

  1. Configure the packet capture buffer for the relevant traffic (see part 1).
  2. Create a class map for RTP audio called realtime.
  3. Configure the Performance Monitor thresholds.
  4. Define the EEM environment variables.
  5. Have EEM detect the threshold syslog messages.
  6. Have EEM stop the embedded packet capture.
  7. Have EEM trigger a dump of the circular EPC buffer to FTP, TFTP or local disk.
  8. Have EEM restart the circular buffer so later captures can be taken.
  9. Have EEM send an email or syslog message, triggered by the same threshold message, to notify of the event.
  10. Create a bootstrap.

Each step is explained below.

2) Create a class map for RTP audio called realtime
#class-map match-all realtime
(config-cmap)#match rtp audio
The class map selects the RTP audio flows that the Performance Monitor policy below will measure.

3) Configure the Performance Monitor thresholds.
#policy-map type performance-monitor RTPMON
(config-pmap)#class realtime
(config-pmap-c)#flow monitor RTP
The above attaches the Performance Monitor (Flexible NetFlow) flow monitor named RTP to the class. RTP is a flow monitor of type performance-monitor that must already exist; its record has to collect the transport packets lost rate for the react clause below to work. Its definition is not shown here.
(config-pmap-c)#monitor parameters
(config-pmap-c-mparam)#interval duration 10
The above sets the monitoring interval: statistics are aggregated over each 10-second interval and the react thresholds are evaluated at the end of every interval.
(config-pmap-c-mparam)#flows 100
The above caps the monitor cache at 100 flows for this class.
(config-pmap-c)#react 4 transport-packets-lost-rate
The above defines reaction number 4 (the number is just an identifier) on the transport packets lost rate (TPLR, measured alongside the transport event packet loss, TEPL, counter).
(config-pmap-c-react)#threshold value gt 0.05
The above raises the threshold crossing alarm (TCA) when the loss rate is greater than (gt, not less than) 0.05. The value is a percentage of packets lost, not a packets-per-second figure, so 0.05 fires on practically any loss.
(config-pmap-c-react)#alarm severity critical
The above specifies the severity level of the syslog message.
(config-pmap-c-react)#action syslog
The above sends a syslog message when the threshold is breached, which is what EEM will match on in step 5.
4) Define the EEM environment variables
These environment variables are global, so they can be shared by different EEM applets and scripts.
#event manager environment _mail_domain company.com
The above specifies the email domain.
#event manager environment _mail_rcpt [email protected]
The above specifies the recipient address.
#event manager environment _mail_smtp 66.66.222.111
The above specifies the IP address of the mail server.

5) Have EEM detect the threshold messages.
#event manager applet pcapkickoff
#event syslog pattern "%PERF_TRAFFIC_REACT-2-CRITSET: TCA RAISE"
The pattern is a regular expression matched against every syslog message the router generates, so keep it specific enough that only the critical TCA raise from step 3 fires the applet.
NOTE: I triggered the syslog to know what text to capture.

6) Have EEM stop the embedded packet capture.
#action 3.0 cli command "monitor capture point stop cpfa0/1"
The above stops the packet capture before we export it.

7) Have EEM trigger a dump of the circular EPC buffer to FTP, TFTP or local disk.
#action 4.0 cli command "monitor capture buffer voip-cap export ftp://username:[email protected]/remotedalecap.pcap"
The above FTPs the captured file to the remote host. Two things to keep in mind: the username and password in the URL are stored in cleartext in the running configuration as part of the applet, so it is cleaner to configure them once with ip ftp username and ip ftp password and leave them out of the URL; and the pcap contains the call audio itself, so the FTP server should be protected accordingly.

8) Have EEM restart the circular buffer so later captures can be taken.
#action 5.0 cli command "monitor capture point start cpfa0/1"
The above restarts the capture after the file is transferred.

9) Have EEM send an email of the event, triggered by the same message
#action 5.1 info type routername
The above populates the router name variable "$_info_routername".
#action 6.0 mail server "$_mail_smtp" to "$_mail_rcpt" from "[email protected]$_mail_domain" subject "PCAP @ $_info_routername .company.com" body "Pcap triggered on  $_info_routername .company.com. named dalel-remotepcap.pcap"
The above leverages steps 4 and 7 to send an email saying that a packet capture has been FTP'd. We could also have sent a syslog message or an SNMP trap instead.

10) Create a bootstrap
The monitor capture commands from step 1 are exec-mode commands, not configuration, so they are not saved and are lost when the router reloads. We therefore create a bootstrap applet that recreates and starts the packet capture. Note that this applet is triggered by the TCA CLEAR syslog message, not by the reload itself, so after a reload nothing is captured until the first threshold clear; if that gap matters, the same actions can be hung off a second applet that matches the "%SYS-5-RESTART" message. Follow the syntax below:
#event manager applet pcapstart
#event syslog pattern "%PERF_TRAFFIC_REACT-2-CRITCLEAR: TCA CLEAR"
#action 1.0 cli command "monitor capture buffer voip-cap"
#action 1.1 cli command "monitor capture buffer voip-cap filter access-list 110"
#action 1.2 cli command "monitor capture buffer voip-cap size 4096 max-size 1500 circular"
#action 2.0 cli command "monitor capture point ip cef cpfa0/1 fa0/1 both"
#action 2.1 cli command "monitor capture point associate cpfa0/1 voip-cap"
#action 5.0 cli command "monitor capture point start cpfa0/1"
#action 5.1 info type routername
#action 6.0 mail server "$_mail_smtp" to "$_mail_rcpt" from "[email protected]$_mail_domain" subject "PCAP @ $_info_routername .company.com" body "Pcap started on  $_info_routername .company.com. Next violation will trigger an upload"
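Pulling the ten steps together, here is the whole configuration as one block. This is an added example, not the configuration from the original post: it fills in the pieces the post relies on but does not show, namely a flow record and the flow monitor named RTP that the policy-map references, the service-policy that actually attaches RTPMON to the interface, and the access-list 110 from part 1, all of which are assumed here. The interface fa0/1, the applet and buffer names and the mail variables are carried over from the post; the addresses, the ACL subnets, the FTP account and the recipient address are placeholders, and the class map is written with the full match protocol rtp audio keyword form.

```cisco
! Flow record and flow monitor behind "flow monitor RTP". The post references the
! monitor by name only; this record is an assumed, typical Medianet RTP record and
! must collect "transport packets lost rate" for the react clause to evaluate.
flow record type performance-monitor RTP-REC
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match transport rtp ssrc
 collect transport packets expected counter
 collect transport packets lost counter
 collect transport packets lost rate
 collect transport event packet-loss counter
 collect transport rtp jitter mean
 collect counter bytes
 collect counter packets
 collect timestamp interval
!
flow monitor type performance-monitor RTP
 record RTP-REC
!
! Part 1 capture filter (assumed here): RTP media between two voice subnets.
access-list 110 permit udp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 range 16384 32767
access-list 110 permit udp 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 range 16384 32767
!
! Step 2: classify RTP audio.
class-map match-all realtime
 match protocol rtp audio
!
! Step 3: evaluate loss once per 10-second interval; syslog a critical TCA when
! the loss rate (a percentage) exceeds 0.05.
policy-map type performance-monitor RTPMON
 class realtime
  flow monitor RTP
  monitor parameters
   interval duration 10
   flows 100
  react 4 transport-packets-lost-rate
   threshold value gt 0.05
   alarm severity critical
   action syslog
!
! Attach the policy to the interface carrying the calls (the post omits this step).
interface FastEthernet0/1
 service-policy type performance-monitor input RTPMON
 service-policy type performance-monitor output RTPMON
!
! Step 4: environment variables shared by both applets (placeholder values).
event manager environment _mail_domain company.com
event manager environment _mail_rcpt noc@company.com
event manager environment _mail_smtp 192.0.2.25
!
! FTP credentials for the export, configured once instead of in the applet URL.
ip ftp username pcapuser
ip ftp password pcap-secret
!
! Steps 5-9: on TCA RAISE, freeze the buffer, export it, restart it, notify.
event manager applet pcapkickoff
 event syslog pattern "%PERF_TRAFFIC_REACT-2-CRITSET: TCA RAISE"
 action 3.0 cli command "monitor capture point stop cpfa0/1"
 action 4.0 cli command "monitor capture buffer voip-cap export ftp://192.0.2.10/remotedalecap.pcap"
 action 5.0 cli command "monitor capture point start cpfa0/1"
 action 5.1 info type routername
 action 6.0 mail server "$_mail_smtp" to "$_mail_rcpt" from "eem@$_mail_domain" subject "PCAP @ $_info_routername" body "Pcap triggered on $_info_routername and exported as remotedalecap.pcap"
!
! Step 10: bootstrap. As in the post it fires on TCA CLEAR; the capture commands
! are exec-mode and not saved, so nothing is captured between a reload and the
! first clear. A second applet matching "%SYS-5-RESTART" would close that gap.
event manager applet pcapstart
 event syslog pattern "%PERF_TRAFFIC_REACT-2-CRITCLEAR: TCA CLEAR"
 action 1.0 cli command "monitor capture buffer voip-cap"
 action 1.1 cli command "monitor capture buffer voip-cap filter access-list 110"
 action 1.2 cli command "monitor capture buffer voip-cap size 4096 max-size 1500 circular"
 action 2.0 cli command "monitor capture point ip cef cpfa0/1 fa0/1 both"
 action 2.1 cli command "monitor capture point associate cpfa0/1 voip-cap"
 action 5.0 cli command "monitor capture point start cpfa0/1"
 action 5.1 info type routername
 action 6.0 mail server "$_mail_smtp" to "$_mail_rcpt" from "eem@$_mail_domain" subject "PCAP @ $_info_routername" body "Pcap started on $_info_routername. Next violation will trigger an upload"
```

The action numbers keep the post's gaps (3.0, 4.0, 5.0) on purpose: EEM runs applet actions in lexical order of the label, so leaving room lets you slip in an extra step, such as an "enable" or a syslog action, without renumbering. After applying this, verify the pieces independently before waiting for a real TCA: show policy-map type performance-monitor interface confirms the monitor is counting RTP flows, show monitor capture buffer voip-cap parameters confirms the bootstrap created the buffer, and show event manager policy registered confirms both applets are active.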

Keep in mind the following caveat: the captured packets cannot be dumped to the router's local flash; they can, however, be exported to an external disk attached to the router, or to an FTP or TFTP server as shown above.

As stated in part 1, I originally set out to do all of this with a Flexible NetFlow immediate cache; however, leveraging Cisco EEM for remote packet capture appears to be further along in the development cycle. I'd still like to filter and export the packets I want with Flexible NetFlow. In the meantime, EEM works quite nicely.

Please join the NetFlow Developments group on linkedin.com.


Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.
