ciscodump(1) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | KNOWN ISSUES | SEE ALSO | NOTES | AUTHORS

CISCODUMP(1)                                                 CISCODUMP(1)

NAME         top

       ciscodump - Provide interfaces to capture from a remote Cisco
       device through SSH.

SYNOPSIS         top

       ciscodump [ --help ] [ --version ] [ --extcap-interfaces ] [
       --extcap-dlts ] [ --extcap-interface=<interface> ] [
       --extcap-config ] [ --extcap-capture-filter=<capture filter> ] [
       --capture ] [ --fifo=<path to file or pipe> ] [ --remote-host=<IP
       address> ] [ --remote-port=<TCP port> ] [
       --remote-username=<username> ] [ --remote-password=<password> ] [
       --remote-filter=<filter> ] [ --sshkey=<public key path> ] [
       --remote-interface=<interface> ] [ --remote-count=<count> ]

       ciscodump --extcap-interfaces

       ciscodump --extcap-interface=ciscodump --extcap-dlts

       ciscodump --extcap-interface=ciscodump --extcap-config

       ciscodump --extcap-interface=ciscodump --fifo=<path to file or
       pipe> --capture --remote-host=remotedevice --remote-port=22
       --remote-username=user --remote-interface=<the device interface>
       --remote-count=<count>

DESCRIPTION         top

       Ciscodump is an extcap tool that relies on Cisco EPC to allow a
       user to run a remote capture on a Cisco device in a SSH
       connection. It supports IOS, IOS-XE based device and ASA devices.

       The tool configures capture on the device, reads data and removes
       configuration from the device. Provided credentials must allow the
       tool to configure the device.

       When capture is started, packets are provided as they are received
       from the device. Capture stops when:

       •   requested count of packets is reached (--remote-count is
           mandatory)

       •   when capture finishes on the device (e.g. capture buffer is
           full)

       •   the capture is stopped by the user

       Capture performance depends on a device type. The tool tries to
       read packets as soon as they received, but is usually slower than
       capturing device captures packets. Therefore packets are read in
       batches.

       IOS/IOS-XE provides only access to all captured packets from the
       top. Therefore reading of second batch means to read all packets
       from first batch, but ignore them and then read new packets in
       second batch.

       ASA provides access to specific packet so tool reads every packet
       just once.

   SUPPORTED CISCO SOFTWARE
       The application supports IOS version is 12.4 and higher. The IOS
       version supporting capture feature is 12.4(20)T and higher. More
       details can be found here:
       https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html

       The application supports IOS-XE version 16.1 and higher. Search
       for "Embedded Packet Capture Configuration Guide, Cisco IOS XE" to
       get more details.

       The application supports ASA version 8.4 and higher. More details
       can be found here:
       https://community.cisco.com/t5/security-documents/asa-using-packet-capture-to-troubleshoot-asa-firewall/ta-p/3129889

OPTIONS         top

       --help
           Print program arguments.

       --version
           Print program version.

       --extcap-interfaces
           List available interfaces.

       --extcap-interface=<interface>
           Use specified interfaces.

       --extcap-dlts
           List DLTs of specified interface.

       --extcap-config
           List configuration options of specified interface.

       --capture
           Start capturing from specified interface and save it in place
           specified by --fifo.

       --fifo=<path to file or pipe>
           Save captured packet to file or send it through pipe.

       --remote-host=<remote host>
           The address of the remote host for capture.

       --remote-port=<remote port>
           The SSH port of the remote host.

       --remote-username=<username>
           The username for ssh authentication.

       --remote-password=<password>
           The password to use (if not ssh-agent and pubkey are used).
           WARNING: the passwords are stored in plaintext and visible to
           all users on this system. It is recommended to use keyfiles
           with a SSH agent.

       --remote-filter=<filter>

           The remote filter on the device. This is a capture filter that
           follows the Cisco standards.

           For IOS/IOS-XE see
           https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html.

           For ASA see
           https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-acls.html.

           Multiple filters can be specified using a comma between them.
           BEWARE: when using a filter, the default behavior is to drop
           all the packets except the ones that fall into the filter.

           Examples for IOS/IOS-XE:

               permit ip host MYHOST any, permit ip any host MYHOST (capture the traffic for MYHOST)

               deny ip host MYHOST any, deny ip any host MYHOST, permit ip any any (capture all the traffic except MYHOST)

           Examples for ASA:

               permit any4 host MYHOST, permit host MYHOST any4 (capture IPv4 traffic for MYHOST)

               Note

               Different capture types support or do not support specific
               ACL keywords. The tool is not able to check it, just tries
               to configure it. If error occurs, the tool just reports it
               and terminates. Debris are left in configuration in this
               case.

       --sshkey=<SSH private key path>
           The path to a private key for authentication.

       --remote-interface=<remote interface>

           The remote network interface to capture from. One interface or
           list of interface names can be used. Interfaces are separated
           by comma. Interface names must be supported by the device.

           There are interface names causing different capture types.
           They are specific to used Cisco software.

           IOS special names

           •   process-switched - capture process switched packets in
               both directions

           •   from-us - capture process switched packets originating at
               the device

           IOS-XE special names

           •   control-plane - captures in/out packets touching control
               plane

           ASA special names

           •   asp-drop - capture packets dropped by all asp categories

           •   TYPE---ifname - syntax to refer ASA capture types, see
               https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/ca-cld-commands.html#wp2435483314

               •   isakmp---ifname - capture isakmp packets

               •   lacp---ifname - capture lacp packets (just physical
                   interfaces are supported)

               •   tls-proxy---ifname - capture tls-proxy packets

               •   inline-tag---ifname - capture all SGT tagged packets

               •   raw-data---ifname - same as ifname

           •   syntax to capture decrypted traffic for some of capture
               types:

               •   isakmp/decrypted---ifname - capture isakmp packets
                   including decrypted payload

               •   tls-proxy/decrypted---ifname - capture tls-proxy
                   packets including decrypted payload

               •   inline-tag/decrypted---ifname - capture inline-tag
                   packets including decrypted payload

               •   raw-data/decrypted---ifname - capture raw-data packets
                   including decrypted payload

           Use e. g. isakmp/decrypted---outside to capture encrypted and
           decrypted isakmp traffic on outside interface.

       --remote-count=<count>
           Count of packets to capture. Capture is stopped when count is
           reached.

       --extcap-capture-filter=<capture filter>
           Unused (compatibility only).

EXAMPLES         top

       To see program arguments:

           ciscodump --help

       To see program version:

           ciscodump --version

       To see interfaces:

           ciscodump --extcap-interfaces

       Only one interface (ciscodump) is supported.

       Example output

           interface {value=ciscodump}{display=SSH remote capture}

       To see interface DLTs:

           ciscodump --extcap-interface=ciscodump --extcap-dlts

       Example output

           dlt {number=147}{name=ciscodump}{display=Remote capture dependent DLT}

       To see interface configuration options:

           ciscodump --extcap-interface=ciscodump --extcap-config

       Example output

           ciscodump --extcap-interface=ciscodump --extcap-config
           arg {number=0}{call=--remote-host}{display=Remote SSH server address}
               {type=string}{tooltip=The remote SSH host. It can be both an IP address or a hostname}
               {required=true}{group=Server}
           arg {number=1}{call=--remote-port}{display=Remote SSH server port}
               {type=unsigned}{default=22}{tooltip=The remote SSH host port (1-65535)}
               {range=1,65535}{group=Server}
           arg {number=2}{call=--remote-username}{display=Remote SSH server username}
               {type=string}{default=<current user>}{tooltip=The remote SSH username. If not provided, the current user will be used}
               {group=Authentication}
           arg {number=3}{call=--remote-password}{display=Remote SSH server password}
               {type=password}{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
               {group=Authentication}
           arg {number=4}{call=--sshkey}{display=Path to SSH private key}
               {type=fileselect}{tooltip=The path on the local filesystem of the private ssh key}
               {group=Authentication}
           arg {number=5}{call=--proxycommand}{display=ProxyCommand}
               {type=string}{tooltip=The command to use as proxy for the SSH connection}{group=Authentication}
           arg {number=6}{call--sshkey-passphrase}{display=SSH key passphrase}
               {type=password}{tooltip=Passphrase to unlock the SSH private key}{group=Authentication
           arg {number=7}{call=--remote-interface}{display=Remote interface}
               {type=string}{tooltip=The remote network interface used for capture}
               {required=true}{group=Capture}
           arg {number=8}{call=--remote-filter}{display=Remote capture filter}
               {type=string}{tooltip=The remote capture filter}{default=<filter to exclude current host>}
               {group=Capture}
           arg {number=9}{call=--remote-count}{display=Packets to capture}
               {type=unsigned}{tooltip=The number of remote packets to capture.}
               {required=true}{group=Capture}
           arg {number=10}{call=--debug}{display=Run in debug mode}
               {type=boolflag}{default=false}{tooltip=Print debug messages}
               {required=false}{group=Debug}
           arg {number=11}{call=--debug-file}{display=Use a file for debug}
               {type=string}{tooltip=Set a file where the debug messages are written}
               {required=false}{group=Debug}

       To capture on IOS/IOS-XE:

           ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
               --remote-username user --remote-interface gigabit0/0,gigabit0/1
               --remote-filter "permit ip host 192.168.1.1 any, permit ip any host 192.168.1.1"
               --remote-count=10

       To capture on IOS/IOS-XE:

           ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
               --remote-username user --remote-interface outside,dmz
               --remote-filter "permit host 192.168.1.1 any4, permit any4 host 192.168.1.1"
               --remote-count=10

           ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
               --remote-username user --remote-interface raw-data/decrypted---outside
               --remote-filter "permit host 192.168.1.1 any4, permit any4 host 192.168.1.1"

KNOWN ISSUES         top

       When capture stopped by the user before it finishes on Windows
       platform, configuration is not cleared on the device. Next run
       will probably fails because parts of configuration already exists
       on the device.

       Reading performance on IOS/IOS-XE is poor because re-reading of
       capture buffer over and over.

       The configuration of the capture on the device is a multi-step
       process. If the SSH connection is interrupted during it, the
       configuration can be in an inconsistent state. That can happen
       also if the capture is stopped and ciscodump can’t clean the
       configuration up. In this case it is necessary to log into the
       device and manually clean the configuration, removing
       configuration elements:

       •   IOS

           •   capture points WSC_P_<number> (depends on count of capture
               interfaces)

           •   the capture buffer WSC_B

           •   the capture capture acl WSC_ACL (if filter was used)

       •   IOS-XE

           •   the capture WSC

           •   the capture capture acl WSC_ACL (if filter was used)

       •   ASA

           •   the capture WSC

           •   the capture capture acl WSC_ACL (if filter was used)

       On IOS platforms, only IPv4 commands issued and only IPv4 packets
       are captured.

SEE ALSO         top

       wireshark(1), tshark(1), dumpcap(1), extcap(4), sshdump(1)

NOTES         top

       ciscodump is part of the Wireshark distribution. The latest
       version of Wireshark can be found at https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.

AUTHORS         top

       Original Author
       Dario Lombardo <lomato[AT]gmail.com>.SH COLOPHON This page is part
       of the wireshark (Interactively dump and analyze network traffic)
       project. Information about the project can be found at 
       ⟨https://www.wireshark.org/⟩. If you have a bug report for this
       manual page, see
       ⟨https://gitlab.com/wireshark/wireshark/-/issues⟩. This page was
       obtained from the project's upstream Git repository
       ⟨https://gitlab.com/wireshark/wireshark.git⟩ on 2025-08-11. (At
       that time, the date of the most recent commit that was found in
       the repository was 2025-08-11.) If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       [email protected]

                                2025-08-09                   CISCODUMP(1)