EEM script automatically captures packets on router switches

TigerDao

Administrator
Staff member
Use EEM script to automatically capture packets (CISCO)


On the Cisco switch:

[image: EEM-script-automatically-captures-packets-on-router-switches.png]

SPAN (packet capture) commands for the topology above:


monitor session 1 source interface e0/0 both
monitor session 1 destination interface e0/1
show monitor session 1





Idea: use an EEM applet so that typing a much shorter command runs the commands above automatically, for example:

– create interface Loopback100

– give it the description "e0/0 to e0/1"

– when EEM sees a description of the form "<source> to <destination>" it runs the commands that mirror traffic from e0/0 to e0/1 (the port the laptop is plugged into).



event manager applet start_CAPTURE_TRAFFIC
 ! Fires when "description <source> to <destination>" is typed in interface configuration mode.
 ! An unanchored "description (.*) to (.*)" would also match the stop command below; one
 ! interface token per group keeps the two applets from firing together.
 event cli pattern "^description ([^ ]+) to ([^ ]+)" sync yes
 ! $_cli_msg holds the command that triggered the event; the submatches are bound to
 ! $source_interface and $destination_interface (e0/0 and e0/1 in the example above).
 action 1.0 regexp "^description ([^ ]+) to ([^ ]+)" "$_cli_msg" match source_interface destination_interface
 action 2.0 cli command "enable"
 action 3.0 cli command "conf t"
 action 4.0 cli command "monitor session 1 source interface $source_interface both"
 action 5.0 cli command "monitor session 1 destination interface $destination_interface"
 ! let the description command itself go through as well
 action 6.0 set _exit_status "1"





event manager applet stop_CAPTURE_TRAFFIC
 ! Fires on "description stop <source> to <destination>" and removes the SPAN session.
 event cli pattern "^description stop ([^ ]+) to ([^ ]+)" sync yes
 action 1.0 regexp "^description stop ([^ ]+) to ([^ ]+)" "$_cli_msg" match source_interface destination_interface
 action 2.0 cli command "enable"
 action 3.0 cli command "conf t"
 action 4.0 cli command "no monitor session 1"
 action 5.0 set _exit_status "1"
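The following Python simulation is an added illustration, not part of the original post: it shows that an unanchored start pattern such as "description (.*) to (.*)" also fires on the stop command, what anchored patterns bind instead, and validates the interface names before they are expanded into the SPAN commands (the IFACE regex and the function names are my own assumptions).

```python
import re

# Constructed simulation (not from the original post) of how the two EEM applets
# react to a typed "description ..." line. EEM patterns are Tcl regular
# expressions; for these simple patterns Python's re behaves identically.

# Unanchored patterns: the start pattern also matches
# "description stop e0/0 to e0/1", so both applets fire on the stop command.
LOOSE = {
    "start_CAPTURE_TRAFFIC": r"description (.*) to (.*)",
    "stop_CAPTURE_TRAFFIC": r"description stop (.*) to (.*)",
}
# Anchored variants: exactly one interface token per group, so start and stop
# never overlap and only the interface names reach the cli commands.
ANCHORED = {
    "start_CAPTURE_TRAFFIC": r"^description ([^ ]+) to ([^ ]+)",
    "stop_CAPTURE_TRAFFIC": r"^description stop ([^ ]+) to ([^ ]+)",
}
# Hypothetical shape of an IOS interface name: e0/0, Gi1/0/24, Te1/1.100
IFACE = re.compile(r"^[A-Za-z][A-Za-z-]*\d+(?:/\d+)*(?:\.\d+)?$")

def fired_applets(cli_msg, patterns):
    """Map applet name -> submatches for every pattern that matches cli_msg,
    mirroring 'event cli pattern' plus 'action 1.0 regexp ... match src dst'
    (EEM searches the command line unanchored unless the pattern anchors it)."""
    fired = {}
    for name, pattern in patterns.items():
        m = re.search(pattern, cli_msg)
        if m:
            fired[name] = m.groups()
    return fired

def span_commands(cli_msg, patterns=ANCHORED):
    """Render the SPAN commands the applets would push for cli_msg.
    The applet runs with EEM's own privilege, not the operator's, so the
    submatches are validated as interface names before they are expanded
    into the privileged 'monitor session' commands."""
    commands = []
    for name, (src, dst) in fired_applets(cli_msg, patterns).items():
        if not (IFACE.match(src) and IFACE.match(dst)):
            raise ValueError(f"{name}: refusing non-interface arguments {src!r}, {dst!r}")
        if name == "start_CAPTURE_TRAFFIC":
            commands.append(f"monitor session 1 source interface {src} both")
            commands.append(f"monitor session 1 destination interface {dst}")
        else:
            commands.append("no monitor session 1")
    return commands
```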




On Cisco router IOS XE:


[image: 1697778094_973_EEM-script-automatically-captures-packets-on-router-switches.png]

Embedded packet capture commands for the topology above:


monitor capture CAP interface e0/0 both
monitor capture CAP match ipv4 any any
monitor capture CAP start
monitor capture CAP stop
monitor capture CAP export ftp://10.1.2.1/mypcap.pcap
no monitor capture CAP







EEM applet that starts the capture:


event manager applet start_CAPTURE_TRAFFIC
 ! Fires on "description capture <interface>". monitor capture is an exec-mode
 ! command, so no "conf t" is needed here.
 event cli pattern "^description capture ([^ ]+)" sync yes
 action 1.0 regexp "^description capture ([^ ]+)" "$_cli_msg" match source_interface
 action 2.0 cli command "enable"
 action 3.0 cli command "monitor capture CAP interface $source_interface both"
 action 4.0 cli command "monitor capture CAP match ipv4 any any"
 action 5.0 cli command "monitor capture CAP start"
 action 6.0 set _exit_status "1"




EEM applet that stops the capture and pushes it to the FTP server:


event manager applet stop_CAPTURE_TRAFFIC
 ! Fires on "description stop <interface>": stops the capture, exports the pcap
 ! (the FTP transfer is unencrypted) and frees the capture buffer.
 event cli pattern "^description stop ([^ ]+)" sync yes
 action 1.0 regexp "^description stop ([^ ]+)" "$_cli_msg" match source_interface
 action 2.0 cli command "enable"
 action 3.0 cli command "monitor capture CAP stop"
 action 4.0 cli command "monitor capture CAP export ftp://10.1.2.2/mypcap.pcap"
 action 5.0 cli command "no monitor capture CAP"
 action 6.0 set _exit_status "1"
