This post was last edited by guangxil on 2019-4-1 15:40. Unless otherwise noted, the commands below are executed in privileged EXEC mode. The parts in red italics (the uppercase placeholders such as BUFFER_NAME, ACL_NAME and CAPTUREPOINT_NAME) are to be changed to suit your own situation.
1. Define the buffer
# monitor capture buffer BUFFER_NAME max-size 10000
# monitor capture buffer BUFFER_NAME size 1024
2. Add an ACL so that only specific packets are captured
If this step is omitted, all packets are captured.
(config)#ip access-list extended ACL_NAME
(config-ext-nacl)#permit ip 10.0.0.0 0.0.0.255 host 10.1.1.1
#monitor capture buffer BUFFER_NAME filter access-list ACL_NAME
3. Set the capture point
The command below captures all CEF-switched traffic on interface Gi0/0. You can choose the traffic direction: in/out/both.
#monitor capture point ip cef CAPTUREPOINT_NAME Gi0/0 both
The command below captures all traffic that is not CEF-switched (process-switched traffic).
#monitor capture point ip process-switched CAPTUREPOINT_NAME both
4. Associate the buffer with the capture point and start capturing
#monitor capture point associate CAPTUREPOINT_NAME BUFFER_NAME
#monitor capture point start CAPTUREPOINT_NAME
5. Stop capturing
#monitor capture point stop CAPTUREPOINT_NAME
6. Export the data
#monitor capture buffer BUFFER_NAME export ftp://1.1.1.1/CAPTURER.pcap
7. Analyze with tcpdump
# tcpdump -r CAPTURE.pcap -nn -v
8. Analyze on the router
#show monitor capture buffer BUFFER_NAME dump
9. Show the buffer and all capture points
#show monitor capture point all
#show monitor capture buffer all parameters
10. Delete the capture point and the buffer
# no monitor capture point ip cef CAPTUREPOINT_NAME Gig0/0 both
# no monitor capture buffer BUFFER_NAME
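As an added example (not part of the original post), the following Python script checks an exported capture against the filter from step 2: it emulates the wildcard-mask logic of "permit ip 10.0.0.0 0.0.0.255 host 10.1.1.1" and walks the pcap records, so you can confirm that the buffer really held only the traffic the ACL permits. The pcap bytes and frames are constructed inline and the addresses are the placeholders used in the post; the script assumes a little-endian pcap with Ethernet frames, which is what the export produces in the common case.

```python
import struct
from ipaddress import IPv4Address

def acl_permits(src, dst, net="10.0.0.0", wildcard="0.0.0.255", host="10.1.1.1"):
    """Emulate 'permit ip 10.0.0.0 0.0.0.255 host 10.1.1.1' from step 2.
    Cisco wildcard masks are inverted: a set bit means 'don't care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    src_ok = int(IPv4Address(src)) & care == int(IPv4Address(net)) & care
    dst_ok = IPv4Address(dst) == IPv4Address(host)   # 'host' = wildcard 0.0.0.0
    return src_ok and dst_ok

def build_frame(src, dst):
    """Constructed sample: Ethernet II + minimal IPv4 header (ICMP, no payload)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip

def build_pcap(frames, linktype=1):
    """Constructed pcap file image (little-endian magic, Ethernet link type)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1554100800 + i, 0, len(f), len(f)) + f
    return out

def summarize(pcap):
    """Walk the pcap records and report (src, dst, permitted_by_acl) per IPv4 frame."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    rows, pos = [], 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00":      # skip non-IPv4 frames
            continue
        src = str(IPv4Address(frame[26:30]))  # 14-byte Ethernet header + 12
        dst = str(IPv4Address(frame[30:34]))
        rows.append((src, dst, acl_permits(src, dst)))
    return rows

if __name__ == "__main__":
    sample = build_pcap([build_frame("10.0.0.5", "10.1.1.1"),
                         build_frame("10.0.1.5", "10.1.1.1"),
                         build_frame("10.0.0.7", "10.1.1.2")])
    for row in summarize(sample):
        print(row)
```

To check a real export, replace the constructed sample with the bytes read from the file that step 6 wrote to the FTP server; any row reporting False is traffic the ACL filter should not have let into the buffer.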
For embedded packet capture on IOS-XE routers, see the other post at the following link: http://bbs.csc-china.com.cn/forum.php?mod=viewthread&tid=988743&extra=page%3D2