Before IOS release 12.4 you had access lists and the debug facility to get a clue about the packets passing through an interface. Now it is fairly easy to capture packets and even export them as .pcap for analysis in a few easy steps.
The first thing to do is create an access list based on your requirements:
conf t
ip access-list extended HTTP_TEST
 permit tcp any any eq www
end
Now, in enable mode (type “en”), enter the following to create the capture buffer and tie it to the access list you created:
monitor capture buffer HTTP_BUFFER
monitor capture buffer HTTP_BUFFER filter access-list HTTP_TEST
Select the interface on which you want the capture to collect packets:
monitor capture point ip cef HTTP_POINT GigabitEthernet0/2 both
Now start collecting packets:
monitor capture point associate HTTP_POINT HTTP_BUFFER
monitor capture point start HTTP_POINT
Type “sh monitor capture buffer all parameters” to see whether any packets have been collected:
Capture buffer HTTP_BUFFER (linear buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 5
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : HTTP_POINT, Status : Inactive
Configuration:
monitor capture buffer HTTP_BUFFER
monitor capture point associate HTTP_POINT HTTP_BUFFER
monitor capture buffer HTTP_BUFFER filter access-list HTTP_TEST
Don’t forget to stop the capture with the command:
monitor capture point stop HTTP_POINT
To export the packets, type the following, and don’t forget to delete the capture buffer afterwards. Install a TFTP server on your client and change the IP below to your client’s IP address.
monitor capture buffer HTTP_BUFFER export tftp://192.168.1.2/HTTP.pcap
! and delete the capture buffer
no monitor capture buffer HTTP_BUFFER
And as a summary, all the commands together:
conf t
ip access-list extended HTTP_TEST
 permit tcp any any eq www
end
monitor capture buffer HTTP_BUFFER
monitor capture buffer HTTP_BUFFER filter access-list HTTP_TEST
monitor capture point ip cef HTTP_POINT GigabitEthernet0/2 both
monitor capture point associate HTTP_POINT HTTP_BUFFER
monitor capture point start HTTP_POINT
sh monitor capture buffer all parameters
monitor capture point stop HTTP_POINT
! view the captured packets on the router; run this before the buffer is deleted
show monitor capture buffer HTTP_BUFFER dump
monitor capture buffer HTTP_BUFFER export tftp://192.168.1.2/HTTP2.pcap
no monitor capture buffer HTTP_BUFFER
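The buffer output above shows Max Element Size : 68 bytes, so it is worth checking the exported file before analysing it. The Python below is an added example, not part of the original post: it parses a classic pcap, counts records that were cut short and counts TCP port 80 packets, which should equal the packet total if the HTTP_TEST filter did its job. The sample bytes are constructed, and it assumes the export is a classic pcap with Ethernet link type in which truncation appears as a stored length below the original length.

```python
import struct

def is_tcp_port(frame, port):
    """True if an Ethernet II / IPv4 / TCP frame uses `port` as source or destination."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:   # protocol 6 = TCP
        return False
    return port in struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])

def summarize_pcap(data):
    """Count packets, truncated records and TCP/80 packets in classic pcap bytes."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack(order + "II", data[16:24])
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    stats = {"packets": 0, "truncated": 0, "http": 0, "snaplen": snaplen}
    off = 24
    while off + 16 <= len(data):
        incl, orig = struct.unpack(order + "II", data[off + 8:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl:
            break                                     # file ends mid-record
        off += 16 + incl
        stats["packets"] += 1
        stats["truncated"] += incl < orig             # stored bytes < bytes on the wire
        stats["http"] += is_tcp_port(frame, 80)
    return stats

def sample_record(payload_len, dport, max_element=68):
    """Constructed test data: one pcap record cut to the buffer's element size."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 2]), bytes([192, 168, 1, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    frame = eth + ip + tcp + b"A" * payload_len
    return struct.pack("<IIII", 0, 0, min(len(frame), max_element), len(frame)) + frame[:max_element]

# Constructed sample: global header plus two port-80 packets, one longer than 68 bytes.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 68, 1)
          + sample_record(200, 80) + sample_record(0, 80))

if __name__ == "__main__":
    print(summarize_pcap(SAMPLE))
```

A non-zero truncated count means the HTTP payload past the first 68 bytes of each frame is not in the file, so only headers can be analysed from that capture.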