{
	"id": "66a8e5b8-154f-467f-84c8-c3455d1e237d",
	"created_at": "2026-04-06T00:06:45.792342Z",
	"updated_at": "2026-04-10T13:11:33.240732Z",
	"deleted_at": null,
	"sha1_hash": "9a4c0a4186f5b0b0f920c4bcfa9f65a23f39824b",
	"title": "Configure and Capture Embedded Packet on Software",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74463,
	"plain_text": "Configure and Capture Embedded Packet on Software\r\nBy Contributed by Cisco Engineers\r\nPublished: 2024-10-02 · Archived: 2026-04-05 15:26:57 UTC\r\nIntroduction\r\nThis document describes the Embedded Packet Capture (EPC) feature in Cisco IOS® software. \r\nPrerequisites\r\nRequirements\r\nThere are no specific requirements for this document.\r\nComponents Used\r\nThe information in this document is based on these software and hardware versions:\r\nCisco IOS Release 12.4(20)T or later\r\nCisco IOS XE Release 15.2(4)S - 3.7.0 or later\r\nThe information in this document was created from the devices in a specific lab environment. All of the devices\r\nused in this document started with a cleared (default) configuration. If your network is live, ensure that you\r\nunderstand the potential impact of any command.\r\nBackground Information\r\nWhen enabled, the router captures the sent and received packets. The packets are stored within a buffer in DRAM\r\nand do not persist through a reload. Once the data is captured, it can be examined in a summary or detailed view\r\non the router.\r\nIn addition, the data can be exported as a packet capture (PCAP) file to allow for further examination. The tool is\r\nconfigured in exec mode and is considered a temporary assistance tool. As a result, the tool configuration is not\r\nstored within the router configuration and does not remain in place after a system reload.\r\nThe Packet Capture Config Generator and Analyzer tool is available for Cisco Customers to aid in the\r\nconfiguration, capture, and extraction of packet captures.\r\nCisco IOS Configuration Example\r\nBasic EPC Configuration\r\n1. Define a capture buffer, which is a temporary buffer where the captured packets are stored.\r\nhttps://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html\r\nPage 1 of 6\n\n2. There are various options that can be selected when the buffer is defined; such as size, maximum packet\r\nsize, and circular/linear:\r\nmonitor capture buffer BUF size 2048 max-size 1518 linear\r\n3. A filter is applicable to limit the capture to desired traffic. Define an Access Control List (ACL) within\r\nconfig mode and apply the filter to the buffer:\r\nip access-list extended BUF-FILTER\r\n permit ip host 192.168.1.1 host 172.16.1.1\r\n permit ip host 172.16.1.1 host 192.168.1.1\r\nmonitor capture buffer BUF filter access-list BUF-FILTER\r\n4. Define a capture point which defines the location where the capture occurs.\r\n5. The capture point also defines whether the capture occurs for IPv4 or IPv6 and in which switching path\r\n(process versus cef):\r\nmonitor capture point ip cef POINT fastEthernet 0 both\r\n6. Attach the buffer to the capture point:\r\nmonitor capture point associate POINT BUF\r\n7. Start the capture:\r\nmonitor capture point start POINT\r\n8. The capture is now active. Allow collection of the necessary data.\r\n9. Stop the capture:\r\nmonitor capture point stop POINT\r\n10. Examine the buffer on the unit:\r\nshow monitor capture buffer BUF dump\r\nNote: This output only shows the hex dump of the packets captures. In order to see them in human\r\nreadable, there are two ways.\r\nExport the buffer from the router for further analysis:\r\nhttps://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html\r\nPage 2 of 6\n\nmonitor capture buffer BUF export tftp://10.1.1.1/BUF.pcap\r\nThe previous method is not always practical as it requires T/FTP access to the router. In such situations,\r\ntake a copy of the hex dump and use any online hex-pcap converter in order to view the files.\r\n11. Once the necessary data has been collected, delete the capture point and capture buffer:\r\nno monitor capture point ip cef POINT fastEthernet 0 both\r\nno monitor capture buffer BUF\r\nAdditional Cisco IOS Configuration Information\r\nIn releases earlier than Cisco IOS Release 15.0(1)M, the buffer size was limited to 512K.\r\nIn releases earlier than Cisco IOS Release 15.0(1)M, the captured packet size was limited to 1024 bytes.\r\nThe packet buffer is stored in DRAM and does not persist through reloads.\r\nThe capture configuration is not stored in NVRAM and does not persist through reloads.\r\nThe capture point can be defined to capture in the cef or process switching paths.\r\nThe capture point can be defined to capture only on an interface or globally.\r\nWhen the capture buffer is exported in PCAP format, L2 information (such as Ethernet encapsulation) is\r\nnot preserved.\r\nSee Best Practices for Search Commands for more information on the commands used in this section.\r\nBasic IP Traffic-Export Configuration\r\nThe IP Traffic Export is a different method to export IP packets that are received on multiple, simultaneous WAN\r\nor LAN interfaces.\r\n1. In configuration mode, define an IP traffic export profile.\r\nDevice(config)# iptraffic-exportprofilemypcapmodecapture\r\n2. Configure bidirectional traffic in the profile.\r\nDevice(config-rite)# bidirectional\r\n3. Exit.\r\n4. Specify the interface for exported traffic.\r\nDevice(config-if)# interface GigabitEthernet 0/1\r\n5. Enable IP traffic export on the interface.\r\nhttps://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html\r\nPage 3 of 6\n\nDevice(config-if)# ip traffic-export apply mypcap\r\nsize10000000\r\n6. Exit.\r\n7. Start the capture. The capture is now active. Allow collection of the necessary data.\r\nDevice# traffic-exportinterfaceGigabitEthernet0/1start\r\n8. Stop the capture.\r\nDevice# traffic-exportinterfaceGigabitEthernet0/1stop\r\n9. Export the capture to an external TFTP server.\r\nDevice# traffic-exportinterfaceGigabitEthernet0/1copytftp://\u003cTFTP_Address\u003e/mypcap.pcap\r\n10. Once the necessary data has been collected, delete the profile.\r\nDevice(config)# no ip traffic-export profile mypcap\r\nIP Traffic Export Disadvantages\r\nIP Traffic Export has these disadvantages in comparison with EPC method:\r\nThe interface where captured traffic is exported must be an ethernet interface.\r\nNo IPv6 support.\r\nNo layer 2 information, only layer 3 and higher.\r\nCisco IOS XE Configuration Example\r\nThe Embedded Packet Capture feature was introduced in Cisco IOS XE Release 3.7 - 15.2(4)S. The configuration\r\nof the capture is different than Cisco IOS because it adds more features.\r\nBasic EPC Configuration\r\n1. Define the location where the capture occurs:\r\nmonitor capture CAP interface GigabitEthernet0/0/1 both\r\n2. Associate a filter. The filter is either specified inline, or an ACL or class-map can be referenced:\r\nmonitor capture CAP match ipv4 protocol tcp any any limit pps 1000000\r\nhttps://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html\r\nPage 4 of 6\n\n3. Start the capture:\r\nmonitor capture CAP start\r\n4. The capture is now active. Allow it to collect the necessary data.\r\n5. Stop the capture:\r\nmonitor capture CAP stop\r\n6. Examine the capture in a summary view:\r\nshow monitor capture CAP buffer brief\r\n7. Examine the capture in a detailed view:\r\nshow monitor capture CAP buffer detailed\r\n8. In addition, export the capture in PCAP format for further analysis:\r\nmonitor capture CAP export tftp://10.0.0.1/CAP.pcap\r\n9. Once the necessary data has been collected, remove the capture:\r\nno monitor capture CAP\r\nAdditional Information\r\nThe capture is performed on physical interfaces, sub-interfaces, and tunnel interfaces.\r\nNetwork Based Application Recognition (NBAR) based filters (that use the match protocol command\r\nunder the class-map) are currently not supported.\r\nSee Best Practices for Search Commands for more information on the commands used in this section.\r\nVerify\r\nThere is currently no verification procedure available for this configuration.\r\nTroubleshoot\r\nFor EPC that runs on Cisco IOS XE®, this debug command is used to ensure EPC is set up properly:\r\ndebug epc provision\r\ndebug epc capture-point\r\nhttps://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html\r\nPage 5 of 6\n\nRelated Information\r\nEmbedded Packet Capture Configuration Guide, Cisco IOS XE Release 3S Save\r\nCisco IOS Network Management Configuration Guide\r\nCisco Technical Support \u0026 Downloads\r\nSource: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html\r\nhttps://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html"
	],
	"report_names": [
		"116045-productconfig-epc-00.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434005,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a4c0a4186f5b0b0f920c4bcfa9f65a23f39824b.pdf",
		"text": "https://archive.orkl.eu/9a4c0a4186f5b0b0f920c4bcfa9f65a23f39824b.txt",
		"img": "https://archive.orkl.eu/9a4c0a4186f5b0b0f920c4bcfa9f65a23f39824b.jpg"
	}
}