Richard Chomjak

Author Archives: Richard Chomjak

How to show captured data from Cisco IOS on the fly in Wireshark/tcpdump

Monitor features in Cisco devices are able to show data flows but Cisco IOS lacks the option to export data on the fly. I wrote tiny GNU/Linux shell script to solve this restriction.

That is something like ASA capture ( via HTTP/HTTPS.

I tested script on:

Router(config)#uname -a
IOSv Router IOS 15.4 Cisco IOS Software, vios Software (vios-ADVENTERPRISEK9-M), Experimental Version 15.4(20131213:232637) [lucylee-ca_pi23 137]
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 16-Dec-13 19:50 by lucylee Unknown Unknown IOS

1. Create user and add privilege level 15 (root)

username user secret userpass
username user privilege 15

2. Start HTTP server, authentication style and optional (set max connection to 16 (default 5))

For security reasons you should set HTTP/HTTPS authorization with ACL and instead of HTTP use HTTPS server.

ip http server
ip http authentication local
ip http max-connections 16

3. Configure Monitor settings

Below I created a circular buffer called MY_BUFFER. Linear buffer is limited that means, if buffer is full IOS will stop capture. In circular buffer "old" data will be rewritten when buffer is full.

monitor capture buffer MY_BUFFER size 1024 max-size 9500 circular

Next step is to create a capture point. I created the Continue reading