The monitor capture feature of Cisco IOS can capture and display packets, but classic IOS has no option to export the captured data on the fly. I wrote a tiny GNU/Linux shell script to work around this restriction.
The result is something like the ASA packet capture download over HTTP/HTTPS (https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios).
I tested the script on:
Router(config)#uname -a
IOSv Router IOS 15.4 Cisco IOS Software, vios Software (vios-ADVENTERPRISEK9-M), Experimental Version 15.4(20131213:232637) [lucylee-ca_pi23 137]
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 16-Dec-13 19:50 by lucylee Unknown Unknown IOS
1. Create a user with privilege level 15 (the equivalent of root; the HTTP server runs exec commands with this user's privilege level, so protect the credentials accordingly)
username user secret userpass
username user privilege 15
2. Enable the HTTP server with local authentication and, optionally, raise the connection limit to 16 (the default is 5)
For security reasons, restrict who may reach the web server with an access list (ip http access-class) and use the HTTPS server (ip http secure-server) instead of plain HTTP: otherwise the privilege-15 credentials and the captured packets cross the network in cleartext.
ip http server
ip http authentication local
ip http max-connections 16
3. Configure the capture
Below I create a circular buffer called MY_BUFFER. A linear buffer is limited: when it is full, IOS stops capturing. A circular buffer overwrites the oldest data when it is full. The size is given in kilobytes (1024 KB here) and max-size 9500 is the largest packet, in bytes, that will be stored in the buffer.
monitor capture buffer MY_BUFFER size 1024 max-size 9500 circular
The next step is to create a capture point. I created the capture point MY_CAPTURE and pointed it at the interface GigabitEthernet 0/1 in both directions. The "ip cef" keyword selects CEF-switched IPv4 packets; there is also "ip process-switched" for traffic that is handled by the CPU.
monitor capture point ip cef MY_CAPTURE Gig 0/1 both
The capture point has to be associated with the buffer before it can be used.
monitor capture point associate MY_CAPTURE MY_BUFFER
After this step the capture can be started.
monitor capture point start MY_CAPTURE
For more information about monitor features see Cisco's documentation.
4. HTTP modification
You can download the contents of the buffer in two different ways: the first method is a direct URI, the second method is Server Side Includes (SSIs). The SSI method is explained in more detail below.
4.1 HTTP modification - Server Side Includes (SSIs)
This method uses the Server Side Includes feature of the IOS HTTP server: an .shtml file with an #exec directive runs the given command and returns its output in place of the directive.
I created a file "test.shtml" with the following content:
<!--#exec cmd="show monitor capture buffer MY_BUFFER dump"-->
You can upload that file to the router the traditional way (TFTP/SCP/...) or you can create it on the box with IOS.sh.
The IOS.sh way:
Turn on the shell.
shell processing full
Create the file with the following content (note the escaped quotes):
printf "<!--#exec cmd=\"show monitor capture buffer MY_BUFFER dump\"-->" > test.shtml
Check the content of the file. In my case files are stored in flash memory.
cat test.shtml
You can get the result from the HTTP server with a URI like this: "http://ip_add_of_router/path/to/file.shtml" (the path is the file's location in the router's file system, e.g. flash/test.shtml).
4.2 HTTP modification - Direct URI
A small challenge for you: write a script that downloads the contents of the buffer through the direct URI and saves them as a file in pcap format.
HINT:
level/15/exec/show/monitor/capture/buffer/MY_BUFFER/dump/CR
(the IOS HTTP server maps this path to the exec command "show monitor capture buffer MY_BUFFER dump" run at privilege level 15; the trailing CR stands for the Enter key)
5. GNU/Linux Script - Server Side Includes (SSIs)
The IP address of the router is "192.168.20.3" and the path to the file is "flash/test.shtml". The pipeline fetches the SSI page, turns the dump into text2pcap input and hands the resulting pcap to Wireshark on stdin:
wget http://192.168.20.3/flash/test.shtml --http-user "user" --http-password "userpass" -O - \
  | sed -u '/^[0-9][0-9]:[0-9][0-9].*$/d' \
  | sed -u 's: .*$::g' \
  | sed -u 's/^.*\://' \
  | tr -d ' ' \
  | sed -u 's/\r/Z/g' | tr -d '\n' | tr 'Z' '\n' \
  | sed -u 's/\(..\)/\1 /g' \
  | sed -u 's/^\(..*\)/00000 \1/g' \
  | awk 'NF > 0' \
  | text2pcap -q -l1 - - \
  | wireshark -k -i -
Stage by stage: the first sed drops the per-packet timestamp lines; the next two drop the ASCII column and the buffer address in front of the colon; tr removes the blanks between the 4-byte groups; the \r/Z/\n dance keeps a line break only where the HTTP output had a carriage return; the remaining sed commands split the hex into bytes and put the offset "00000" that text2pcap expects at the start of each line; awk drops empty lines; text2pcap -l1 writes a pcap with the Ethernet link type (DLT 1) to stdout; and wireshark -k -i - starts reading from stdin immediately.
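The same conversion written as a small parser, added here as an example and not the article's script: instead of relying on the carriage returns in the HTTP output, it keys on the structure of the dump (the timestamp line that precedes every packet and the address-prefixed hex lines) and emits a real running offset per packet, so text2pcap reassembles multi-line packets correctly no matter how the fetched text was line-terminated. The function name dump2text2pcap, the output file name capture.pcap and the sample dump (two constructed 42-byte ICMP frames, the first one not 16-byte aligned in the buffer) are my own; the router address, file path and user name are the placeholders from the article. It works on the dump text whether it came from the SSI page or from the direct URI, as long as only the command output is fed to it.

```shell
#!/bin/sh
# Added example, not the script from the article: a converter that parses the
# structure of "show monitor capture buffer <NAME> dump" output (timestamp line,
# then "ADDR: HHHHHHHH ...  ascii" lines) and emits text2pcap input with a real
# running offset per packet, so every dump line of one packet ends up in that
# packet regardless of how the fetched text was line-terminated.

# Read dump text on stdin, write text2pcap lines on stdout.
dump2text2pcap() {
    tr -d '\r' | awk '
        # A timestamp line starts a new packet: flush whatever was collected.
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ { flush(); next }

        # A hex line: drop the address, the alignment blanks of a first line,
        # the ASCII column (introduced by two spaces) and the group separators.
        /^[0-9A-Fa-f]+:/ {
            line = $0
            sub(/^[0-9A-Fa-f]+:/, "", line)
            sub(/^[ \t]+/, "", line)
            sub(/  .*$/, "", line)
            gsub(/[ \t]/, "", line)
            hex = hex line
            next
        }

        END { flush() }

        # Emit the collected packet as "OFFSET b0 b1 ... b15" lines, 16 bytes
        # per line, followed by a blank line. Offset 000000 tells text2pcap
        # that a new packet begins.
        function flush(    i, n) {
            if (hex == "") return
            n = length(hex) / 2
            for (i = 0; i < n; i++) {
                if (i % 16 == 0) printf "%s%06x", (i ? "\n" : ""), i
                printf " %s", substr(hex, 2 * i + 1, 2)
            }
            printf "\n\n"
            hex = ""
        }
    '
}

# Constructed sample (not real router output): two 42-byte ICMP echo frames in
# the dump layout, the first one not 16-byte aligned in the buffer.
SAMPLE_DUMP='13:39:27.812 UTC Apr 3 2014 : IPv4 LES CEF    : Gi0/1 None

4B8AC020:                   CA020D04 0008CA03          J...H.
4B8AC030: 0F9D0008 08004500 001C0001 0000FF01  ......E.........
4B8AC040: B1A50A00 00010A00 00020800 F7FF0000  1%..............
4B8AC050: 0000                                 ..

13:39:27.814 UTC Apr 3 2014 : IPv4 LES CEF    : Gi0/1 None

4B8AC060: CA030F9D 0008CA02 0D040008 08004500  J...H...........
4B8AC070: 001C0002 0000FF01 B1A40A00 00020A00  ................
4B8AC080: 00010000 FFFF0000 0000                ..........'

# Against a router (placeholders as in the article; not executed here).
# --ask-password keeps the secret out of the process list; with a
# self-signed router certificate add --ca-certificate=<file> for HTTPS.
#   wget -q --ask-password --http-user user -O - https://192.168.20.3/flash/test.shtml \
#     | dump2text2pcap | text2pcap -q -l 1 - capture.pcap

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | dump2text2pcap
```

Run stand-alone, the demo prints two packets of three offset lines each (000000, 000010, 000020), separated by a blank line; piping that into text2pcap -l 1 gives a two-frame pcap that Wireshark decodes as an ICMP echo request and reply.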
6. Notes
You can limit the download speed in wget with the option "--limit-rate=amount".
A password given on the command line is visible to every local user in the process list; prefer wget's "--ask-password" or put the credentials in ~/.netrc.
Please read the documentation of the monitor capture feature carefully.