CISCODUMP(1)   CISCODUMP(1)

ciscodump - Provide interfaces to capture from a remote Cisco device through SSH.

ciscodump--help ] [ --version ] [ --extcap-interfaces ] [ --extcap-dlts ] [ --extcap-interface=<interface> ] [ --extcap-config ] [ --extcap-capture-filter=<capture filter> ] [ --capture ] [ --fifo=<path to file or pipe> ] [ --remote-host=<IP address> ] [ --remote-port=<TCP port> ] [ --remote-username=<username> ] [ --remote-password=<password> ] [ --remote-filter=<filter> ] [ --sshkey=<public key path> ] [ --remote-interface=<interface> ] [ --remote-count=<count> ]

ciscodump --extcap-interfaces

ciscodump --extcap-interface=ciscodump --extcap-dlts

ciscodump --extcap-interface=ciscodump --extcap-config

ciscodump --extcap-interface=ciscodump --fifo=<path to file or pipe> --capture --remote-host=remotedevice --remote-port=22 --remote-username=user --remote-interface=<the device interface> --remote-count=<count>

Ciscodump is an extcap tool that relies on Cisco EPC to allow a user to run a remote capture on a Cisco device in a SSH connection. It supports IOS, IOS-XE based device and ASA devices.

The tool configures capture on the device, reads data and removes configuration from the device. Provided credentials must allow the tool to configure the device.

When capture is started, packets are provided as they are received from the device. Capture stops when:

•requested count of packets is reached (--remote-count is mandatory)
•when capture finishes on the device (e.g. capture buffer is full)
•the capture is stopped by the user

Capture performance depends on a device type. The tool tries to read packets as soon as they received, but is usually slower than capturing device captures packets. Therefore packets are read in batches.

IOS/IOS-XE provides only access to all captured packets from the top. Therefore reading of second batch means to read all packets from first batch, but ignore them and then read new packets in second batch.

ASA provides access to specific packet so tool reads every packet just once.

The application supports IOS version is 12.4 and higher. The IOS version supporting capture feature is 12.4(20)T and higher. More details can be found here: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html

The application supports IOS-XE version 16.1 and higher. Search for "Embedded Packet Capture Configuration Guide, Cisco IOS XE" to get more details.

The application supports ASA version 8.4 and higher. More details can be found here: https://community.cisco.com/t5/security-documents/asa-using-packet-capture-to-troubleshoot-asa-firewall/ta-p/3129889

--help

Print program arguments.

--version

Print program version.

--extcap-interfaces

List available interfaces.

--extcap-interface=<interface>

Use specified interfaces.

--extcap-dlts

List DLTs of specified interface.

--extcap-config

List configuration options of specified interface.

--capture

Start capturing from specified interface and save it in place specified by --fifo.

--fifo=<path to file or pipe>

Save captured packet to file or send it through pipe.

--remote-host=<remote host>

The address of the remote host for capture.

--remote-port=<remote port>

The SSH port of the remote host.

--remote-username=<username>

The username for ssh authentication.

--remote-password=<password>

The password to use (if not ssh-agent and pubkey are used). WARNING: the passwords are stored in plaintext and visible to all users on this system. It is recommended to use keyfiles with a SSH agent.

--remote-filter=<filter>

The remote filter on the device. This is a capture filter that follows the Cisco standards.

For IOS/IOS-XE see https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html.

For ASA see https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-acls.html.

Multiple filters can be specified using a comma between them. BEWARE: when using a filter, the default behavior is to drop all the packets except the ones that fall into the filter.

Examples for IOS/IOS-XE:

permit ip host MYHOST any, permit ip any host MYHOST (capture the traffic for MYHOST)
deny ip host MYHOST any, deny ip any host MYHOST, permit ip any any (capture all the traffic except MYHOST)

Examples for ASA:

permit any4 host MYHOST, permit host MYHOST any4 (capture IPv4 traffic for MYHOST)

Note

Different capture types support or do not support specific ACL keywords. The tool is not able to check it, just tries to configure it. If error occurs, the tool just reports it and terminates. Debris are left in configuration in this case.

--sshkey=<SSH private key path>

The path to a private key for authentication.

--remote-interface=<remote interface>

The remote network interface to capture from. One interface or list of interface names can be used. Iterfaces are separated by comma. Interface names must be supported by the device.

There are interface names causing different capture types. They are specific to used Cisco software.

IOS special names

process-switched - capture process switched packets in both directions
from-us - capture process switched packets originating at the device

IOS-XE special names

control-plane - captures in/out packets touching control plane

ASA special names

asp-drop - capture packets dropped by all asp categories
TYPE---ifname - syntax to refer ASA capture types, see https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/ca-cld-commands.html#wp2435483314
isakmp---ifname - capture isakmp packets
lacp---ifname - capture lacp packets (just physical interfaces are supported)
tls-proxy---ifname - capture tls-proxy packets
inline-tag---ifname - capture all SGT tagget packets
raw-data---ifname - same as ifname
•syntax to capture decrypted traffic for some of capture types:
isakmp/decrypted---ifname - capture isakmp packets including decrypted payload
tls-proxy/decrypted---ifname - capture tls-proxy packets including decrypted payload
inline-tag/decrypted---ifname - capture inline-tag packets including decrypted payload
raw-data/decrypted---ifname - capture raw-data packets including decrypted payload

Use e. g. isakmp/decrypted---outside to capture encrypted and decrypted isakmp traffic on outside interface.

--remote-count=<count>

Count of packets to capture. Capture is stopped when count is reached.

--extcap-capture-filter=<capture filter>

Unused (compatibility only).

To see program arguments:

ciscodump --help

To see program version:

ciscodump --version

To see interfaces:

ciscodump --extcap-interfaces

Only one interface (ciscodump) is supported.

Example output

interface {value=ciscodump}{display=SSH remote capture}

To see interface DLTs:

ciscodump --extcap-interface=ciscodump --extcap-dlts

Example output

dlt {number=147}{name=ciscodump}{display=Remote capture dependent DLT}

To see interface configuration options:

ciscodump --extcap-interface=ciscodump --extcap-config

Example output

ciscodump --extcap-interface=ciscodump --extcap-config
arg {number=0}{call=--remote-host}{display=Remote SSH server address}

{type=string}{tooltip=The remote SSH host. It can be both an IP address or a hostname}
{required=true}{group=Server} arg {number=1}{call=--remote-port}{display=Remote SSH server port}
{type=unsigned}{default=22}{tooltip=The remote SSH host port (1-65535)}
{range=1,65535}{group=Server} arg {number=2}{call=--remote-username}{display=Remote SSH server username}
{type=string}{default=<current user>}{tooltip=The remote SSH username. If not provided, the current user will be used}
{group=Authentication} arg {number=3}{call=--remote-password}{display=Remote SSH server password}
{type=password}{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
{group=Authentication} arg {number=4}{call=--sshkey}{display=Path to SSH private key}
{type=fileselect}{tooltip=The path on the local filesystem of the private ssh key}
{group=Authentication} arg {number=5}{call=--proxycommand}{display=ProxyCommand}
{type=string}{tooltip=The command to use as proxy for the SSH connection}{group=Authentication} arg {number=6}{call--sshkey-passphrase}{display=SSH key passphrase}
{type=password}{tooltip=Passphrase to unlock the SSH private key}{group=Authentication arg {number=7}{call=--remote-interface}{display=Remote interface}
{type=string}{tooltip=The remote network interface used for capture}
{required=true}{group=Capture} arg {number=8}{call=--remote-filter}{display=Remote capture filter}
{type=string}{tooltip=The remote capture filter}{default=<filter to exclude current host>}
{group=Capture} arg {number=9}{call=--remote-count}{display=Packets to capture}
{type=unsigned}{tooltip=The number of remote packets to capture.}
{required=true}{group=Capture} arg {number=10}{call=--debug}{display=Run in debug mode}
{type=boolflag}{default=false}{tooltip=Print debug messages}
{required=false}{group=Debug} arg {number=11}{call=--debug-file}{display=Use a file for debug}
{type=string}{tooltip=Set a file where the debug messages are written}
{required=false}{group=Debug}

To capture on IOS/IOS-XE:

ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10

--remote-username user --remote-interface gigabit0/0,gigiabit0/1
--remote-filter "permit ip host 192.168.1.1 any, permit ip any host 192.168.1.1"
--remote-count=10

To capture on IOS/IOS-XE:

ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10

--remote-username user --remote-interface outside,dmz
--remote-filter "permit host 192.168.1.1 any4, permit any4 host 192.168.1.1"
--remote-count=10
ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10

--remote-username user --remote-interface raw-data/decrypted---outside
--remote-filter "permit host 192.168.1.1 any4, permit any4 host 192.168.1.1"

When capture stopped by the user before it finishes on Windows platform, configuration is not cleared on the device. Next run will probably fails because parts of configuration already exists on the device.

Reading performance on IOS/IOS-XE is poor because re-reading of capture buffer over and over.

The configuration of the capture on the device is a multi-step process. If the SSH connection is interrupted during it, the configuration can be in an inconsistent state. That can happen also if the capture is stopped and ciscodump can’t clean the configuration up. In this case it is necessary to log into the device and manually clean the configuration, removing configuration elements:

•IOS
•capture points WSC_P_<number> (depends on count of capture interfaces)
•the capture buffer WSC_B
•the capture capture acl WSC_ACL (if filter was used)
•IOS-XE
•the capture WSC
•the capture capture acl WSC_ACL (if filter was used)
•ASA
•the capture WSC
•the capture capture acl WSC_ACL (if filter was used)

On IOS platforms, only IPv4 commands issued and only IPv4 packets are captured.

wireshark(1), tshark(1), dumpcap(1), extcap(4), sshdump(1)

ciscodump is part of the Wireshark distribution. The latest version of Wireshark can be found at https://www.wireshark.org.

HTML versions of the Wireshark project man pages are available at https://www.wireshark.org/docs/man-pages.

Original Author
Dario Lombardo <lomato[AT]gmail.com>

2023-01-18