Layer3

Adventures in Networking, Routing, Switching, Virtualization, Storage, etc.

Posts Tagged ‘IOS Commands’

ASA Packet Capture Using The CLI

Posted by Chris on December 7, 2009

Background
Cisco IOS Embedded Packet Capture (EPC) is an extremely useful troubleshooting tool and can prove particularly helpful when it is not feasible to set up a network tap or when diagnosing a problem on a remote system.

My lab device is an ASA5505; however, the capture commands are similar across most platforms (ASA, PIX, FWSM and ISR routers running IOS 12.4(20)T or later).

Capturing Traffic on the ASA
The basic syntax of the capture command is as follows:
capture <capture name> interface <interface name>


While the capture is running, you can view the results on the console (not always a good idea and not very easy to read) or in a web browser.
To view the capture in a browser, format the URL as follows:
https://<device ip address>/admin/capture/<capture name>

A better option would be to open the capture in Wireshark.  We can download the capture in libpcap format by specifying the /pcap option at the end of the URL.
https://<device ip address>/admin/capture/<capture name>/pcap

When prompted, select the “Open With” radio button and select Wireshark from the list.  (you’ll need to have Wireshark installed on your host)

To stop the capture, simply negate the capture command, followed by the capture name.  This also removes the capture from the buffer so make sure you export it using the above procedure if you want to save the results:
no capture <capture name>

Options

Besides the many filtering options,  it’s possible to specify multiple simultaneous captures, each with different criteria.  Let’s capture only IP traffic on the outside interface and ARP traffic on the inside interface.

If you lose track of what captures are running on the device, enter show capture at the prompt to display active captures and their options.

Conclusions
EPC is a useful feature and has numerous capabilities beyond what I’ve demonstrated here.  When combined with Wireshark, EPC provides the ability to quickly capture and analyze network traffic without a tap or mirroring a port on an adjacent switch.

Additional Reading
ASA/PIX/FWSM: Packet Capturing using CLI and ASDM Configuration Example

Cisco IOS Embedded Packet Capture

Posted in ASA, Security, Troubleshooting

Cisco “show diag” Interpreter

Posted by Chris on May 2, 2009

Here’s a helpful documentation and troubleshooting tool.

Paste the output of the “show diag” command from a Cisco router into an email.   Send the email to diag@external.cisco.com. Within a few minutes you’ll receive a reply with a listing of part numbers for the router and installed modules.

Here’s an example of the show diag output (abbreviated):

Slot 0:
C2650 1FE Mainboard Port adapter, 2 ports
Port adapter is analyzed
Port adapter insertion time unknown
EEPROM contents at hardware discovery:
Hardware Revision        : 0.0
PCB Serial Number        : JAD06200P1E (2212953557)
Part Number              : 73-5024-05
etc……

WIC Slot 0:
FT1 WAN daughter card
Hardware revision 1.3           Board revision C0
Serial number     28073293      Part number    800-03279-04
Test history      0x0           RMA number     00-00-00
Connector type    Wan Module
etc…..

And the return email:

Slot 0: CISCO2650 Mainboard
Slot 0: WIC-1DSU-T1

Posted in Cisco, IOS, Networking, Routing, Switching

The Cisco IOS ‘more’ command

Posted by Chris on February 24, 2009

A co-worker was on a call with TAC today and noticed the Cisco engineer using the more system:running-config command.

It turns out that more system:running-config is the replacement for write terminal and was introduced somewhere around IOS 12.1 from what I can tell.

It also displays the same information as show running-config, with one exception: more system:running-config will display VPN pre-shared keys in clear text.
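Because output saved from more system:running-config can carry pre-shared keys in clear text, a saved copy is worth auditing before it is stored or shared. The Python script below is an added example, not part of the original post; the ASA-style pre-shared-key line shapes it matches and the sample configuration are assumptions constructed for illustration.

```python
import re

# Line shapes assumed from typical ASA tunnel-group configuration (not from the post).
GROUP_RE = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes\s*$")
PSK_RE = re.compile(
    r"^(?P<prefix>\s*(?:ikev1\s+|ikev2\s+(?:local|remote)-authentication\s+)?"
    r"pre-shared-key\s+)(?P<value>\S+)\s*$"
)

# Constructed sample: one clear-text key and one already masked key.
SAMPLE = """\
hostname asa5505
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key ExampleKey-NotReal
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key *****
!
"""


def audit_and_redact(config_text):
    """Return (findings, redacted_text); findings are (line_number, tunnel_group)."""
    findings, out, group = [], [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        g = GROUP_RE.match(line)
        if g:
            group = g.group(1)
        elif line and not line[0].isspace():
            group = None  # any other top-level command closes the block
        m = PSK_RE.match(line)
        if m and set(m.group("value")) != {"*"}:  # all-asterisk values are masked
            findings.append((lineno, group))
            line = m.group("prefix") + "*****"
        out.append(line)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    hits, cleaned = audit_and_redact(SAMPLE)
    for lineno, group in hits:
        print(f"line {lineno}: clear-text pre-shared key (tunnel-group {group})")
    print(cleaned, end="")
```

The findings list gives the line number and tunnel-group for each unmasked key, so the affected peers can be identified for key rotation if the file has already left the device.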

There were a number of new file management commands introduced in IOS 12.1 and 12.2. Check out the Cisco IOS Configuration Fundamentals Command Reference PDF for more information.

The more command also works on an ASA.  Here’s the output from an ASA5505:

asa5505# more ?

/ascii   Display binary files in ASCII
/binary  Force display to hex/text format
/ebcdic  Display binary files in EBCDIC
disk0:   File to display
flash:   File to display
ftp:     File to display
http:    File to display
https:   File to display
smb:     File to display
system:  File to display
tftp:    File to display

Posted in ASA, IOS, Networking, Routing, Switching