How to show captured data from Cisco IOS on the fly in Wireshark/tcpdump

The monitor features in Cisco devices are able to show captured data flows, but Cisco IOS lacks an option to export that data on the fly. I wrote a tiny GNU/Linux shell script to work around this restriction.

It is similar to the ASA packet capture (https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios) retrieved via HTTP/HTTPS.

I tested the script on:

Router(config)#uname -a
IOSv Router IOS 15.4 Cisco IOS Software, vios Software (vios-ADVENTERPRISEK9-M), Experimental Version 15.4(20131213:232637) [lucylee-ca_pi23 137]
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 16-Dec-13 19:50 by lucylee Unknown Unknown IOS

1. Create a user with privilege level 15 (root)

username user secret userpass
username user privilege 15

2. Enable the HTTP server, set the authentication method and, optionally, raise the maximum number of connections to 16 (default 5)

For security reasons you should restrict HTTP/HTTPS access with an ACL and use the HTTPS server instead of plain HTTP.

ip http server
ip http authentication local
ip http max-connections 16

3. Configure the monitor settings

Below I create a circular buffer called MY_BUFFER. A linear buffer is limited: when the buffer is full, IOS stops capturing. In a circular buffer the "old" data is overwritten when the buffer is full.

monitor capture buffer MY_BUFFER size 1024 max-size 9500 circular

The next step is to create a capture point. I created the capture point MY_CAPTURE and pointed it to the interface GigabitEthernet 0/1.

monitor capture point ip cef MY_CAPTURE Gig 0/1 both

The capture point must be associated with the buffer before capturing can start.

monitor capture point associate MY_CAPTURE MY_BUFFER

After this step we can start the capturing process.

monitor capture point start MY_CAPTURE

For more information about the monitor features see Cisco's documentation.

4. HTTP modification

You can download the contents of the buffer in two different ways. The first method is a direct URI, the second method is Server Side Includes (SSIs). The SSI method is explained in more detail below.

4.1 HTTP modification - Server Side Includes (SSIs)

This method uses the Server Side Includes technology.

I created a file "test.shtml" with the following content:
<!--#exec cmd="show monitor capture buffer MY_BUFFER dump"-->
You can upload that file to the router the "traditional way" (TFTP/SCP/...) or you can use IOS.sh.

IOS.sh way:

Turn on the shell.

shell processing full

Create the file with the following content:

printf "<!--#exec cmd=\"show monitor capture buffer MY_BUFFER dump\"-->" > test.shtml

Check the content of the file. In my case files are stored in flash memory.

cat test.shtml

You can get the result from the HTTP server with a URI like this: "http://ip_add_of_router/path/to/file.shtml"

4.2 HTTP modification - Direct URI

In this method you use a direct URI to download the content of the buffer, but you must strip the HTML tags from the header. I decided not to publish this variation of the script; I want you to do it on your own in order to learn something new.

A tiny challenge for you: write a script which downloads the contents of the buffer and saves them as a file in pcap format.

HINT:

level/15/exec/show/monitor/capture/buffer/MY_BUFFER/dump/CR

5. GNU/Linux Script - Server Side Includes (SSIs)

The IP address of the router is "192.168.20.3" and the path to the file is "flash/test.shtml".

wget http://192.168.20.3/flash/test.shtml --http-user "user" --http-password "userpass" -O - |
  # drop the timestamp line that starts each packet in the dump
  sed -u '/^[0-9][0-9]:[0-9][0-9].*$/d' |
  # cut the ASCII column (everything after the first two spaces)
  sed -u 's:  .*$::g' |
  # cut the address prefix up to the colon, then drop the remaining spaces
  sed -u 's/^.*\://' | tr -d ' ' |
  # mark the carriage returns, join all lines, then break them at the marks
  # so that every packet ends up on a single line
  sed -u 's/\r/Z/g' | tr -d '\n' | tr 'Z' '\n' |
  # put a space after every byte, prefix the offset 00000 that text2pcap expects
  # and skip empty lines
  sed -u 's/\(..\)/\1 /g' | sed -u 's/^\(..*\)/00000 \1/g' | awk 'NF > 0' |
  # convert to pcap (link type 1 = Ethernet) and feed Wireshark from stdin
  text2pcap -q -l1 - - | wireshark -k -i -

[Screenshot: the on-the-fly capture displayed in Wireshark]

Telnet communication between 192.168.100.1 and 192.168.100.2
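As an added example (not the author's script), the same transformation done in Python: it parses the dump text into packets and writes a classic pcap file directly, so no text2pcap is needed and a malformed dump fails loudly instead of producing garbage frames. The dump sample is constructed to match the layout the pipeline above assumes (a timestamp line starting each packet, address-prefixed hex rows, an ASCII column after two or more spaces); the exact IOS output format is an assumption.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed sample of "show monitor capture buffer MY_BUFFER dump" output
# (not a real capture): a timestamp line starts each packet, hex rows follow,
# and each hex row ends with an ASCII column separated by two or more spaces.
SAMPLE_DUMP = """\
10:43:21.765 UTC Apr 4 2014 : IPv4 LES CEF    : Gi0/1 None

0A1B2C30:                   00000C07 AC010050          ......P
0A1B2C40: 12345678 08004500 001C0000            .4Vx..E.....

10:43:21.901 UTC Apr 4 2014 : IPv4 LES CEF    : Gi0/1 None

0A1B2D00: AABBCCDD EEFF0050 12345678 0800      .......P.4Vx..
"""

TS_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+ \w+ \w+ \d+ \d+)")  # packet header line
HEX_ROW_RE = re.compile(r"^[0-9A-Fa-f]+:(.*)$")                # "<addr>: <hex>  <ascii>"

def parse_ios_dump(text):
    """Split the dump into packets: a list of (datetime_utc, payload_bytes)."""
    packets = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%H:%M:%S.%f %Z %b %d %Y")
            packets.append([when.replace(tzinfo=timezone.utc), bytearray()])
            continue
        m = HEX_ROW_RE.match(line)
        if m and packets:
            # Hex groups end at the first run of two or more spaces; the ASCII
            # column after it must never be interpreted as packet data.
            hex_part = re.split(r" {2,}", m.group(1).strip(), maxsplit=1)[0]
            packets[-1][1] += bytes.fromhex(hex_part.replace(" ", ""))
    return [(when, bytes(payload)) for when, payload in packets]

def to_pcap(packets, linktype=1):
    """Serialize packets as a classic libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for when, payload in packets:
        out += struct.pack("<IIII", int(when.timestamp()), when.microsecond,
                           len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    with open("capture.pcap", "wb") as f:   # open the result in Wireshark
        f.write(to_pcap(parse_ios_dump(SAMPLE_DUMP)))
```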

6. Notes

You can limit the download speed in wget with the option "--limit-rate=amount".

Please read the documentation of the monitor features carefully.


Richard CHOMJAK
