Skip to content

Capturing connections on an interface

Introduction

Capturing (or dumping) means to capture network packets. In this article, we'll look at how to capture TCP packets that pass through our Cisco device, particularly through a specific interface. Here's how to proceed.

Creating the access list

First, create an access list called dumptcp to allow connections from a host to any of our interfaces. You can specify a particular one if you wish:

1
access-list dumptcp permit ip host 192.168.0.104 any

Then we do the reverse so that the Cisco can respond:

1
access-list dumptcp permit ip any host 192.168.0.104

Creating the Dump

Now that we have the ability to see the traffic, we need to create the dump rule that we'll call dump104, and that we'll use on the inside interface:

1
capture dump104 access-list dumptcp interface inside

Now, we verify that our dump is correctly configured:

1
2
$ show capture
capture dump104 access-list dumptcp interface inside

Now that everything is set up, we can view the capture:

1
2
3
4
$ show capture dump104
14:25:49.653545 192.168.0.77 > 192.168.0.104: icmp: echo request
14:25:50.650952 192.168.0.77 > 192.168.0.104: icmp: echo request
14:25:51.650967 192.168.0.77 > 192.168.0.104: icmp: echo request