Support for Cisco’s Embedded Packet Capture was introduced in CloudShark v. 1.4.
Starting in Cisco IOS 12.4(20), IOS has the ability to capture packet data and export this externally. The Cisco IOS capture interface works with a CloudShark appliance starting with CloudShark version 1.4. You must first create an API key on your CloudShark appliance that can be used for the export on the Cisco devices.
Here is a guide to the IOS commands. A simple example is below. Note that the lines beginning with ‘#’ are comments and not actual IOS commands.
    # -- you must be in enable mode to start a capture
    enable

    # -- first you must define a capture buffer. There are more options for size,
    # etc.
    monitor capture buffer DM_TEST_CAPTURE

    # -- you must define a capture point. This can be interface specific or all
    # -- interfaces.
    monitor capture point ip cef CAP_POINT all both

    # -- the capture buffer must be associated with a capture point
    monitor capture point associate CAP_POINT DM_TEST_CAPTURE

    # -- This is how you start the capture
    monitor capture point start all

    # -- Here I am generating some sample traffic
    ping 172.16.1.1

    # -- This is how you stop the capture
    monitor capture point stop all

    # -- Optionally you can view the packets in IOS (not recommended)
    show monitor capture buffer DM_TEST_CAPTURE dump

    # -- Now you can export your capture buffer to your cloudshark appliance using
    # -- your API key
    monitor cap buff DM_TEST_CAPTURE export http://10.0.0.190/api/v1/19ce32f269143a378f6faada7a0c73fe/upload
Now you can view your capture file through your CloudShark appliance. The API keys can be configured to apply specific tags to your capture or you can apply tags by adding arguments to the URL using the additional_tags argument. For example:
monitor cap buff DM_TEST_CAPTURE export
If you are using the additional_tags argument in the URL, you cannot type a ‘?’ character in the Cisco IOS CLI without escaping it first. Use Control-V to escape the ‘?’ character: type Control-V, then ?.
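The export command embeds the API key in the URL, so it helps to build the command consistently and to mask the key before the command is pasted into tickets or logs. The following is an added example, not code from CloudShark or Cisco: the function names are hypothetical, the 32-hex-character key format is inferred from the example above, and passing several tags as one comma-separated additional_tags value is an assumption.

```python
import re
from urllib.parse import quote

# Assumption: key shape inferred from the 32-hex-character key in the page's example.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")
# Conservative tag alphabet chosen for this example; spaces are percent-encoded below.
TAG_RE = re.compile(r"[A-Za-z0-9 ._-]+")
BUFFER_RE = re.compile(r"[A-Za-z0-9_]+")


def build_export_command(buffer_name, host, token, tags=()):
    """Return the IOS export command for a capture buffer, with optional tags."""
    if not BUFFER_RE.fullmatch(buffer_name):
        raise ValueError("unexpected characters in capture buffer name")
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token does not look like a 32-hex-character API key")
    for tag in tags:
        if not TAG_RE.fullmatch(tag):
            raise ValueError(f"tag {tag!r} has characters unsafe for a URL or the CLI")
    url = f"http://{host}/api/v1/{token}/upload"
    if tags:
        # Assumption: multiple tags travel as one comma-separated value.
        url += "?additional_tags=" + ",".join(quote(t, safe="") for t in tags)
    return f"monitor cap buff {buffer_name} export {url}"


def needs_ctrl_v(command):
    """True when the command contains '?', which the IOS CLI treats as a help request."""
    return "?" in command


def redact_token(text):
    """Mask the API key in any /api/v1/<key>/upload URL before logging or sharing."""
    return re.sub(r"(/api/v1/)[0-9a-f]{32}(/upload)", r"\1<REDACTED>\2", text)


if __name__ == "__main__":
    # Constructed sample key, not a real one.
    key = "0123456789abcdef0123456789abcdef"
    cmd = build_export_command("DM_TEST_CAPTURE", "10.0.0.190", key, ["cisco", "lab router"])
    print(redact_token(cmd))
    if needs_ctrl_v(cmd):
        print("Type Control-V before the '?' when entering this command.")
```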