CISCODUMP(1)                                                      CISCODUMP(1)




NAME

       ciscodump - Provide interfaces to capture from a remote Cisco device
       through SSH.


SYNOPSIS

       ciscodump [ --help ] [ --version ] [ --extcap-interfaces ]
       [ --extcap-dlts ] [ --extcap-interface=<interface> ]
       [ --extcap-config ] [ --extcap-capture-filter=<capture filter> ]
       [ --capture ] [ --fifo=<path to file or pipe> ]
       [ --remote-host=<IP address> ] [ --remote-port=<TCP port> ]
       [ --remote-username=<username> ] [ --remote-password=<password> ]
       [ --remote-filter=<filter> ] [ --sshkey=<public key path> ]
       [ --remote-interface=<interface> ] [ --remote-count=<count> ]

       ciscodump --extcap-interfaces

       ciscodump --extcap-interface=ciscodump --extcap-dlts

       ciscodump --extcap-interface=ciscodump --extcap-config

       ciscodump --extcap-interface=ciscodump --fifo=<path to file or pipe>
       --capture --remote-host=remotedevice --remote-port=22
       --remote-username=user --remote-interface=<the device interface>
       --remote-count=<count>


DESCRIPTION

       Ciscodump is an extcap tool that relies on Cisco EPC (Embedded Packet
       Capture) to let a user run a remote capture on a Cisco device over an
       SSH connection. It supports IOS and IOS-XE based devices and ASA
       devices.

       The tool configures the capture on the device, reads the captured data
       and then removes its configuration from the device again. The provided
       credentials must therefore allow the tool to configure the device.

       When the capture is started, packets are provided as they are received
       from the device. The capture stops when:

       •   the requested count of packets is reached (--remote-count is
           mandatory)

       •   the capture finishes on the device (e.g. the capture buffer is
           full)

       •   the capture is stopped by the user

       Capture performance depends on the device type. The tool tries to read
       packets as soon as they are received, but it is usually slower than
       the device capturing them. Therefore packets are read in batches.

       IOS/IOS-XE only provide access to all captured packets from the top of
       the buffer. Reading the second batch therefore means reading all
       packets of the first batch again, ignoring them, and then reading the
       new packets of the second batch.

       ASA provides access to a specific packet, so the tool reads every
       packet just once.

   SUPPORTED CISCO SOFTWARE
       The application supports IOS version 12.4 and higher. The IOS versions
       supporting the capture feature are 12.4(20)T and higher. More details
       can be found here:
       https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html

       The application supports IOS-XE version 16.1 and higher. Search for
       "Embedded Packet Capture Configuration Guide, Cisco IOS XE" for more
       details.

       The application supports ASA version 8.4 and higher. More details can
       be found here:
       https://community.cisco.com/t5/security-documents/asa-using-packet-capture-to-troubleshoot-asa-firewall/ta-p/3129889


OPTIONS

       --help

           Print program arguments.

       --version

           Print program version.

       --extcap-interfaces

           List available interfaces.

       --extcap-interface=<interface>

           Use the specified interface.

       --extcap-dlts

           List DLTs of the specified interface.

       --extcap-config

           List configuration options of the specified interface.

       --capture

           Start capturing from the specified interface and save the capture
           in the place specified by --fifo.

       --fifo=<path to file or pipe>

           Save captured packets to a file or send them through a pipe.

       --remote-host=<remote host>

           The address of the remote host for capture.

       --remote-port=<remote port>

           The SSH port of the remote host.

       --remote-username=<username>

           The username for SSH authentication.

       --remote-password=<password>

           The password to use (if no SSH agent or public key is used).
           WARNING: passwords given this way are stored in plaintext and are
           visible to all users on this system. It is recommended to use key
           files with an SSH agent instead.

       --remote-filter=<filter>

           The remote filter on the device. This is a capture filter that
           follows Cisco ACL syntax.

           For IOS/IOS-XE see
           https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html.

           For ASA see
           https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-acls.html.

           Multiple filter entries can be specified by separating them with a
           comma. BEWARE: when a filter is used, the default behavior is to
           drop all packets except the ones that match the filter.

           Examples for IOS/IOS-XE:

               permit ip host MYHOST any, permit ip any host MYHOST (capture the traffic for MYHOST)

               deny ip host MYHOST any, deny ip any host MYHOST, permit ip any any (capture all the traffic except MYHOST)

           Examples for ASA:

               permit any4 host MYHOST, permit host MYHOST any4 (capture IPv4 traffic for MYHOST)

               Note
               Different capture types support or do not support specific ACL
               keywords. The tool is not able to check this; it just tries to
               configure the filter. If an error occurs, the tool reports it
               and terminates. Debris is left in the device configuration in
               this case (see KNOWN ISSUES).
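
           Because the tool cannot validate the ACL and a rejected entry
           leaves debris on the device, it pays to check the filter string
           locally before starting a capture. The following is an added
           example, not part of ciscodump or Wireshark: it splits a
           --remote-filter value on commas and validates each entry against
           the small subset of ACL syntax shown above (permit/deny, a
           protocol keyword on IOS/IOS-XE, and any, any4/any6, host A.B.C.D
           or A.B.C.D WILDCARD addresses). The protocol keyword list and the
           grammar are assumptions of this example; the real ACL grammar is
           much larger, so an entry rejected here may still be valid on the
           device.

```python
"""Pre-flight check for a ciscodump --remote-filter value (added example).

Understands only the subset of Cisco ACL syntax shown in ciscodump(1):
    permit|deny <proto> <src> <dst>    (IOS / IOS-XE)
    permit|deny <src> <dst>            (ASA, e.g. "permit any4 host X")
where an address is "any", "any4"/"any6" (ASA only), "host A.B.C.D" or
"A.B.C.D WILDCARD". Port matches, object-groups etc. are rejected.
"""
import ipaddress

# Protocol keywords accepted for the IOS/IOS-XE form (an assumed, small set).
IOS_PROTOS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp", "ospf", "eigrp", "pim"}


def _take_addr(tokens, pos, asa):
    """Consume one address spec at tokens[pos]; return (normalised spec, next pos)."""
    tok = tokens[pos]
    if tok == "any" or (asa and tok in ("any4", "any6")):
        return tok, pos + 1
    if tok == "host":
        ipaddress.ip_address(tokens[pos + 1])          # ValueError if not an address
        return f"host {tokens[pos + 1]}", pos + 2
    ipaddress.ip_address(tok)                          # "A.B.C.D WILDCARD" form
    ipaddress.ip_address(tokens[pos + 1])
    return f"{tok} {tokens[pos + 1]}", pos + 2


def parse_filter(filter_string, asa=False):
    """Split a --remote-filter value on commas and validate every entry.

    Returns a list of (action, protocol, src, dst) tuples; protocol is None
    for ASA, whose examples in ciscodump(1) carry no protocol keyword.
    Raises ValueError for the first entry outside the supported subset.
    """
    aces = []
    for raw in filter_string.split(","):
        tokens = raw.split()
        if not tokens:
            raise ValueError("empty ACL entry (stray comma?)")
        if tokens[0] not in ("permit", "deny"):
            raise ValueError(f"entry must start with permit/deny: {raw.strip()!r}")
        proto, pos = None, 1
        if not asa:
            if len(tokens) < 2 or tokens[1] not in IOS_PROTOS:
                raise ValueError(f"missing or unknown protocol in {raw.strip()!r}")
            proto, pos = tokens[1], 2
        try:
            src, pos = _take_addr(tokens, pos, asa)
            dst, pos = _take_addr(tokens, pos, asa)
        except (IndexError, ValueError) as exc:
            raise ValueError(f"bad address in {raw.strip()!r}: {exc}") from None
        if pos != len(tokens):
            raise ValueError(f"unsupported trailing tokens in {raw.strip()!r}: "
                             f"{' '.join(tokens[pos:])}")
        aces.append((tokens[0], proto, src, dst))
    return aces


def check_filter(filter_string, asa=False):
    """Return None if the filter parses, otherwise the error message."""
    try:
        parse_filter(filter_string, asa)
    except ValueError as exc:
        return str(exc)
    return None


def filter_captures_anything(filter_string, asa=False):
    """The filter is default-drop: a list without a single permit captures nothing."""
    return any(action == "permit" for action, _, _, _ in parse_filter(filter_string, asa))
```

           A wrapper script would call check_filter() and refuse to start
           ciscodump on a non-None result; filter_captures_anything() catches
           the "deny only" mistake, which configures cleanly but yields an
           empty capture.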
156
       --sshkey=<SSH private key path>

           The path to a private key for authentication.

       --remote-interface=<remote interface>

           The remote network interface to capture from. One interface name
           or a comma-separated list of interface names can be used.
           Interface names must be supported by the device.

           Some interface names select a different capture type. They are
           specific to the Cisco software in use.

           IOS special names

           •   process-switched - capture process-switched packets in both
               directions

           •   from-us - capture process-switched packets originating at the
               device

           IOS-XE special names

           •   control-plane - capture in/out packets touching the control
               plane

           ASA special names

           •   asp-drop - capture packets dropped by all ASP categories

           •   TYPE---ifname - syntax to refer to ASA capture types, see
               https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/ca-cld-commands.html#wp2435483314

               •   isakmp---ifname - capture ISAKMP packets

               •   lacp---ifname - capture LACP packets (only physical
                   interfaces are supported)

               •   tls-proxy---ifname - capture tls-proxy packets

               •   inline-tag---ifname - capture all SGT-tagged packets

               •   raw-data---ifname - same as ifname

           •   syntax to capture decrypted traffic for some of the capture
               types:

               •   isakmp/decrypted---ifname - capture ISAKMP packets
                   including the decrypted payload

               •   tls-proxy/decrypted---ifname - capture tls-proxy packets
                   including the decrypted payload

               •   inline-tag/decrypted---ifname - capture inline-tag packets
                   including the decrypted payload

               •   raw-data/decrypted---ifname - capture raw-data packets
                   including the decrypted payload

           Use e.g. isakmp/decrypted---outside to capture encrypted and
           decrypted ISAKMP traffic on the outside interface.
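
           The interface syntax above mixes plain device interface names with
           tool-specific forms, and a malformed entry is only discovered once
           the device rejects it. The following is an added example, not
           ciscodump's own code, that parses a --remote-interface value into
           structured records and validates it for the target platform using
           only the rules stated on this page: the IOS and IOS-XE special
           names, the ASA asp-drop name, the TYPE---ifname and
           TYPE/decrypted---ifname forms, and the list of types that have a
           /decrypted variant. Plain ASA names are normalised to raw-data,
           since raw-data---ifname is documented as the same as ifname; the
           platform labels "ios", "iosxe" and "asa" are this example's own.

```python
"""Parse and validate ciscodump --remote-interface values (added example)."""
from dataclasses import dataclass

IOS_SPECIAL = {"process-switched", "from-us"}
IOSXE_SPECIAL = {"control-plane"}
ASA_TYPES = {"isakmp", "lacp", "tls-proxy", "inline-tag", "raw-data"}
ASA_DECRYPTABLE = {"isakmp", "tls-proxy", "inline-tag", "raw-data"}   # per ciscodump(1)
PLATFORMS = ("ios", "iosxe", "asa")                                    # labels assumed here


@dataclass(frozen=True)
class CaptureSpec:
    platform: str       # "ios", "iosxe" or "asa"
    name: str           # device interface name, or the special name itself
    ctype: str          # "interface", a special name, or an ASA capture type
    decrypted: bool = False


def _parse_one(platform, token):
    if platform == "ios" and token in IOS_SPECIAL:
        return CaptureSpec(platform, token, token)
    if platform == "iosxe" and token in IOSXE_SPECIAL:
        return CaptureSpec(platform, token, token)
    if platform == "asa":
        if token == "asp-drop":
            return CaptureSpec(platform, token, "asp-drop")
        if "---" in token:
            ctype, _, ifname = token.partition("---")
            decrypted = ctype.endswith("/decrypted")
            if decrypted:
                ctype = ctype[: -len("/decrypted")]
            if ctype not in ASA_TYPES:
                raise ValueError(f"unknown ASA capture type {ctype!r} in {token!r}")
            if decrypted and ctype not in ASA_DECRYPTABLE:
                raise ValueError(f"{ctype} has no /decrypted variant ({token!r})")
            if not ifname:
                raise ValueError(f"missing interface name after --- in {token!r}")
            return CaptureSpec(platform, ifname, ctype, decrypted)
        if not token or "/decrypted" in token:
            raise ValueError(f"malformed ASA interface name {token!r}")
        return CaptureSpec(platform, token, "raw-data")     # ifname == raw-data---ifname
    # IOS / IOS-XE: anything else is a plain interface name. A "/" is normal
    # there (gigabit0/0), but the ASA-only "---" separator is not.
    if not token or "---" in token:
        raise ValueError(f"malformed interface name {token!r} for {platform}")
    return CaptureSpec(platform, token, "interface")


def parse_remote_interfaces(platform, value):
    """Split a --remote-interface value and validate each entry for the platform.

    Duplicates are rejected because every entry becomes its own capture
    object on the device (IOS creates one WSC_P_<n> capture point per entry).
    """
    if platform not in PLATFORMS:
        raise ValueError(f"unknown platform {platform!r}")
    specs = [_parse_one(platform, part.strip()) for part in value.split(",")]
    if len(set(specs)) != len(specs):
        raise ValueError(f"duplicate capture entry in {value!r}")
    return specs


def check_interfaces(platform, value):
    """Return None if the list is valid for the platform, otherwise the error message."""
    try:
        parse_remote_interfaces(platform, value)
    except ValueError as exc:
        return str(exc)
    return None
```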
216
       --remote-count=<count>

           Count of packets to capture. The capture is stopped when the count
           is reached.

       --extcap-capture-filter=<capture filter>

           Unused (compatibility only).


EXAMPLES

       To see program arguments:

           ciscodump --help

       To see program version:

           ciscodump --version

       To see interfaces:

           ciscodump --extcap-interfaces

       Only one interface (ciscodump) is supported.

       Example output

           interface {value=ciscodump}{display=SSH remote capture}

       To see interface DLTs:

           ciscodump --extcap-interface=ciscodump --extcap-dlts

       Example output

           dlt {number=147}{name=ciscodump}{display=Remote capture dependent DLT}

       To see interface configuration options:

           ciscodump --extcap-interface=ciscodump --extcap-config

       Example output

           arg {number=0}{call=--remote-host}{display=Remote SSH server address}
               {type=string}{tooltip=The remote SSH host. It can be both an IP address or a hostname}
               {required=true}{group=Server}
           arg {number=1}{call=--remote-port}{display=Remote SSH server port}
               {type=unsigned}{default=22}{tooltip=The remote SSH host port (1-65535)}
               {range=1,65535}{group=Server}
           arg {number=2}{call=--remote-username}{display=Remote SSH server username}
               {type=string}{default=<current user>}{tooltip=The remote SSH username. If not provided, the current user will be used}
               {group=Authentication}
           arg {number=3}{call=--remote-password}{display=Remote SSH server password}
               {type=password}{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
               {group=Authentication}
           arg {number=4}{call=--sshkey}{display=Path to SSH private key}
               {type=fileselect}{tooltip=The path on the local filesystem of the private ssh key}
               {group=Authentication}
           arg {number=5}{call=--proxycommand}{display=ProxyCommand}
               {type=string}{tooltip=The command to use as proxy for the SSH connection}{group=Authentication}
           arg {number=6}{call=--sshkey-passphrase}{display=SSH key passphrase}
               {type=password}{tooltip=Passphrase to unlock the SSH private key}{group=Authentication}
           arg {number=7}{call=--remote-interface}{display=Remote interface}
               {type=string}{tooltip=The remote network interface used for capture}
               {required=true}{group=Capture}
           arg {number=8}{call=--remote-filter}{display=Remote capture filter}
               {type=string}{tooltip=The remote capture filter}{default=<filter to exclude current host>}
               {group=Capture}
           arg {number=9}{call=--remote-count}{display=Packets to capture}
               {type=unsigned}{tooltip=The number of remote packets to capture.}
               {required=true}{group=Capture}
           arg {number=10}{call=--debug}{display=Run in debug mode}
               {type=boolflag}{default=false}{tooltip=Print debug messages}
               {required=false}{group=Debug}
           arg {number=11}{call=--debug-file}{display=Use a file for debug}
               {type=string}{tooltip=Set a file where the debug messages are written}
               {required=false}{group=Debug}

       To capture on IOS/IOS-XE:

           ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
               --remote-username user --remote-interface gigabit0/0,gigabit0/1
               --remote-filter "permit ip host 192.168.1.1 any, permit ip any host 192.168.1.1"
               --remote-count=10

       To capture on ASA:

           ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
               --remote-username user --remote-interface outside,dmz
               --remote-filter "permit host 192.168.1.1 any4, permit any4 host 192.168.1.1"
               --remote-count=10

       To capture encrypted and decrypted raw data on the outside interface
       of an ASA (--remote-count is mandatory here as well):

           ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
               --remote-username user --remote-interface raw-data/decrypted---outside
               --remote-filter "permit host 192.168.1.1 any4, permit any4 host 192.168.1.1"
               --remote-count=10


KNOWN ISSUES

       When the capture is stopped by the user before it finishes on the
       Windows platform, the configuration is not cleared on the device. The
       next run will probably fail because parts of the configuration already
       exist on the device.

       Reading performance on IOS/IOS-XE is poor because the capture buffer is
       re-read over and over.

       The configuration of the capture on the device is a multi-step process.
       If the SSH connection is interrupted during it, the configuration can
       be left in an inconsistent state. That can also happen if the capture
       is stopped and ciscodump can’t clean the configuration up. In this
       case it is necessary to log into the device and clean the
       configuration up manually, removing these configuration elements:

       •   IOS

           •   the capture points WSC_P_<number> (one per capture interface)

           •   the capture buffer WSC_B

           •   the capture ACL WSC_ACL (if a filter was used)

       •   IOS-XE

           •   the capture WSC

           •   the capture ACL WSC_ACL (if a filter was used)

       •   ASA

           •   the capture WSC

           •   the capture ACL WSC_ACL (if a filter was used)

       On IOS platforms, only IPv4 commands are issued and only IPv4 packets
       are captured.
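
       The following is an added example, not code from ciscodump, that
       turns the list above into the per-platform CLI lines an operator
       would paste into the device to remove the leftovers. The object names
       (WSC, WSC_P_<number>, WSC_B, WSC_ACL) are the ones listed above; the
       commands are the documented EPC and ASA forms, with two assumptions
       made by this example: on classic IOS the "no monitor capture point ip
       cef ..." form is assumed to repeat the interface and direction the
       point was created with (direction assumed to be "both", points
       assumed to be numbered from 1 in --remote-interface order), and the
       ACL is removed last because a device may refuse to delete an ACL that
       a capture still references. Compare the output against "show monitor
       capture" (IOS/IOS-XE) or "show capture" (ASA) before pasting it in.

```python
"""Cleanup command generator for ciscodump debris (added example)."""


def cleanup_commands(platform, interfaces=(), used_filter=True):
    """Return the CLI lines (exec-mode lines first, then a config-mode block)
    that remove ciscodump's capture objects from a device.

    platform     "ios", "iosxe" or "asa"  (labels chosen by this example)
    interfaces   IOS only: the --remote-interface list, in the original order,
                 because capture point WSC_P_<n> is assumed to belong to entry n
    used_filter  True if --remote-filter was given, i.e. WSC_ACL exists
    """
    if platform == "ios":
        if not interfaces:
            raise ValueError("IOS cleanup needs the interface list to name each capture point")
        exec_cmds = []
        for n, ifname in enumerate(interfaces, start=1):
            exec_cmds.append(f"monitor capture point stop WSC_P_{n}")
            # Assumption: the "no" form repeats interface and direction ("both").
            exec_cmds.append(f"no monitor capture point ip cef WSC_P_{n} {ifname} both")
        exec_cmds.append("no monitor capture buffer WSC_B")
        acl_cmd = "no ip access-list extended WSC_ACL"
    elif platform == "iosxe":
        exec_cmds = ["monitor capture WSC stop", "no monitor capture WSC"]
        acl_cmd = "no ip access-list extended WSC_ACL"
    elif platform == "asa":
        exec_cmds = ["no capture WSC"]
        acl_cmd = "clear configure access-list WSC_ACL"
    else:
        raise ValueError(f"unknown platform {platform!r}")
    cmds = list(exec_cmds)
    if used_filter:
        # ACL removal is a configuration-mode command on all three platforms,
        # and it goes after the capture that referenced the ACL is gone.
        cmds += ["configure terminal", acl_cmd, "end"]
    return cmds


if __name__ == "__main__":
    # Constructed scenario: a filtered two-interface IOS capture that was
    # interrupted, and an unfiltered ASA capture.
    print("\n".join(cleanup_commands("ios", ["GigabitEthernet0/0", "GigabitEthernet0/1"])))
    print("\n".join(cleanup_commands("asa", used_filter=False)))
```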
352

SEE ALSO

       wireshark(1), tshark(1), dumpcap(1), extcap(4), sshdump(1)


NOTES

       ciscodump is part of the Wireshark distribution. The latest version of
       Wireshark can be found at https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.


AUTHORS

       Original Author
       Dario Lombardo <lomato[AT]gmail.com>



                                  2022-12-08                      CISCODUMP(1)