Knowing what your network is doing is central to the NSM doctrine, and the usual method of collecting NSM data is to attach a sensor of some kind to a tap or a span port on a switch.
But what if you can’t do this? What if you need to see what’s going on on a network that’s geographically remote and/or unprepared for conventional layer-2 capture? Quite a bit, as it turns out.
In the first of a two-part post, the Cisco Kid (i.e., me) is going to walk you through a number of ways to use an IOS router or ASA/PIX firewall to perform full packet capture. The two product sets have different capabilities and limitations, so we’ll look at each in turn.
Full packet capture has been supported on these devices for many years, and it’s quite simple to operate. Step one is to create an ACL that defines the traffic we’re interested in capturing – because all of the captures are stored in memory, we need to be as specific as we can otherwise we’ll be using scarce RAM to capture stuff we don’t care about.
Let’s assume we’re interested in POP3 traffic. Start by defining an ACL like this:
pix(config)# access-list temp-pop3-acl permit tcp any eq 110 any
pix(config)# access-list temp-pop3-acl permit tcp any any eq 110
Note that we’ve specified port 110 as the source or the destination – we wouldn’t want to risk only capturing one side of the conversation.
Now we can fire up the capture, part of which involves specifying the size of the capture buffer. Remembering that this will live in main memory, we’d better have a quick check to see how much is going spare:
pix# show memory
Free memory: 31958528 bytes (34%)
Used memory: 60876368 bytes (66%)
Total memory: 92834896 bytes (100%)
Plenty, in this case. Let’s start the capture:
pix# capture temp-pop3-cap access-list temp-pop3-acl buffer 1024000 packet-length 1514 interface outside-if circular-buffer
This command gives us a capture called temp-pop3-cap, filtered using our ACL, stored in a one-meg (circular) memory buffer, that will capture frames of up to 1514 bytes in size from the interface called outside-if. If you don’t specify a packet-length, you won’t end up capturing entire frames.
Now we can check that we’re actually capturing stuff:
pix# show capture temp-pop3-cap
5 packets captured
1: 12:22:02.410440 xxx.xxx.xxx.xxx.39032 > yyy.yyy.yyy.yyy.110: S 3534424301:3534424301(0) win 65535 <mss 1260,nop,nop,sackOK>
2: 12:22:02.411401 yyy.yyy.yyy.yyy.110 > xxx.xxx.xxx.xxx.39032: S 621655548:621655548(0) ack 3534424302 win 16384 <mss 1380,nop,nop,sackOK>
3: 12:22:02.424691 xxx.xxx.xxx.xxx.39032 > yyy.yyy.yyy.yyy.110: . ack 621655549 win 65535
4: 12:22:02.425515 yyy.yyy.yyy.yyy.110 > xxx.xxx.xxx.xxx.39032: P 621655549:621655604(55) ack 3534424302 win 65535
5: 12:22:02.437462 xxx.xxx.xxx.xxx.39032 > yyy.yyy.yyy.yyy.110: P 3534424302:3534424308(6) ack 621655604 win 65480
To get the capture off the box and into Wireshark, point your web browser at the PIX/ASA like this, specifying the capture’s name in the URL:
Don’t forget the /pcap on the end, or you’ll end up downloading only the output of the ‘show capture temp-pop3-cap’ command.
To clean up, you can use the ‘clear capture’ command to empty the capture buffer (but still keep on capturing) and the ‘no capture’ command to destroy the buffer and stop capturing altogether.
Provided one is careful with the size of the capture buffer, it’s nice and easy, it works, and it’s quick to implement in an emergency. If you’re using the ASDM GUI, Cisco have a how-to here that will walk you through the process.
As we’ll see, things aren’t quite as nice in IOS land, but there’s still useful stuff we can do. As of 12.4(20)T, IOS supports the Embedded Packet Capture feature (EPC) which at first glance seems to be equivalent to the PIX/ASA’s capture feature. Again, we’ll start by creating an ACL for capturing POP3 traffic:
router(config)#ip access-list extended temp-pop3-acl
router(config-ext-nacl)#permit tcp any eq 110 any
router(config-ext-nacl)#permit tcp any any eq 110
Now we can set up the capture. This involves two steps, setting up a capture buffer (where to store the capture) and a capture point (where to capture from). The capture buffer is set up like this:
router#monitor capture buffer temp-pop3-buffer size 512 max-size 1024 circular
Here is where Cisco seem to have missed a trick. The ‘size’ parameter refers to the buffer size in kilobytes, and 512 is the maximum. That’s “Why???” #1 – 512KB seems like a very low limit to place on a capture buffer. “Why???” #2 is the ‘max-size’ parameter, which refers to the amount of bytes in each frame that will be captured; 1024 is the maximum, well below ethernet’s 1500 byte MTU. So we seem to be limited in that we can capture only a small amount of incomplete frames, which isn’t really in the spirit of “full” packet capture…
Sighing deeply, we move on to setting up the buffer’s filter using our ACL:
router#monitor capture buffer temp-pop3-buffer filter access-list temp-pop3-acl
Next, we create a capture point. This specifies where the frames will be captured, both from an interface and an IOS architecture point of view:
router#monitor capture point ip cef temp-pop3-point GigabitEthernet0/0.2 both
‘ip cef’ means we’re interested in capturing CEF-switched frames as opposed to process-switched ones, so if traffic you’re expecting to see in the buffer isn’t there it could be that the router process switched it thus avoiding the capture point. The capture interface is specified, as is ‘both’ which means we’re interested in ingress and egress traffic.
Next (we’re almost there) we have to associate a buffer with a capture point:
router#monitor capture point associate temp-pop3-point temp-pop3-buffer
Now we can check our work before we start the capture:
router#show monitor capture buffer temp-pop3-buffer parameters
Capture buffer temp-pop3-buffer (circular buffer)
Buffer Size : 524288 bytes, Max Element Size : 1024 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : temp-pop3-point, Status : Inactive
monitor capture buffer temp-pop3-buffer size 512 max-size 1024 circular
monitor capture point associate temp-pop3-point temp-pop3-buffer
monitor capture buffer temp-pop3-buffer filter access-list temp-pop3-acl
router#sh monitor capture point temp-pop3-point
Status Information for Capture Point temp-pop3-point
Switch Path: IPv4 CEF , Capture Buffer: temp-pop3-buffer
Status : Inactive
monitor capture point ip cef temp-pop3-point GigabitEthernet0/0.2 both
Start the capture:
router#monitor capture point start temp-pop3-point
And make sure we’re capturing stuff:
router#show monitor capture buffer temp-pop3-buffer dump
<frame by frame raw dump snipped>
When we’re done, we can stop the capture:
router#monitor capture point stop temp-pop3-point
And finally, we can export it off the box for analysis:
router#monitor capture buffer temp-pop3-buffer export tftp://10.1.8.6/temp-pop3.pcap
…and for all that work, we’ve ended up with a tiny pcap containing truncated frames. Better than nothing though!
However, there is a second option for IOS devices, provided that you have a capture workstation that’s on a directly attached ethernet subnet. It’s called Router IP Traffic Export (RITE), and will copy nominated packets and send them off-box to a workstation running Wireshark or similar (or an IDS, etc.). Captures therefore do not end up in a memory buffer, and it is the responsibility of the workstation to capture the exported packets and to work out which packets were actually exported from the router and which are those sent or received by the workstation itself.
After carefully reading the restrictions and caveats in the documentation, we can start by setting up a RITE profile. This defines what we’re going to monitor, and where we’re going to export the copied packets:
router#ip traffic-export profile temp-pop3-profile
# Set the capture filter
router(conf-rite)#incoming access-list temp-pop3-acl
router(conf-rite)#outgoing access-list temp-pop3-acl
# Specify that we want to capture ingress and egress traffic
# The capture workstation lives on the subnet attached to Gi0/0.2
router(conf-rite)#interface GigabitEthernet 0/0.2
# And the workstation’s MAC address is:
Finally, we apply the profile to the interface from which we actually want to capture packets:
router(config)#interface GigabitEthernet 0/0.2
router(config-subif)#ip traffic-export apply temp-pop3-profile
If all’s gone well, the capture workstation on hhhh.hhhh.hhhh should start seeing a flow of POP3 traffic. We can ask the router how it’s getting on, too:
router#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface GigabitEthernet0/0
Export Interface GigabitEthernet0/0.2
Destination MAC address hhhh.hhhh.hhhh
bi-directional traffic export is on
Output IP Traffic Export Information Packets/Bytes Exported 19/1134
Packets Dropped 17877
Sampling Rate one-in-every 1 packets
Access List temp-pop3-acl [named extended IP]
Input IP Traffic Export Information Packets/Bytes Exported 27/1169
Packets Dropped 12153
Sampling Rate one-in-every 1 packets
Access List temp-pop3-acl [named extended IP]
Profile temp-pop3-profile is Active
You get full packets captured (note packets, not frames – the encapsulating Ethernet frame isn’t the same as the original, in that it has the router’s MAC address as the source and the capture workstation’s MAC address as the destination), and provided you’re local to the router and can afford the potential performance hit on the box, it’s quite a neat way to perform an inline capture. Furthermore, this may be your only capturing option sometimes – granted, the capture workstation has to be on a local ethernet segment, but the traffic profile itself can be applied to other kinds of circuit for which you may not have a tap (ATM, synchronous serial, etc.). It’s a very useful tool.
In the next exciting installment, the Cisco Kid will look at ways of extracting network session information from IOS routers, PIXes and ASAs.
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at firstname.lastname@example.org