|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|
|
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | KNOWN ISSUES | SEE ALSO | NOTES | AUTHORS |
|
|
|
CISCODUMP(1) CISCODUMP(1)
ciscodump - Provide interfaces to capture from a remote Cisco
device through SSH.
ciscodump [ --help ] [ --version ] [ --extcap-interfaces ] [
--extcap-dlts ] [ --extcap-interface=<interface> ] [
--extcap-config ] [ --extcap-capture-filter=<capture filter> ] [
--capture ] [ --fifo=<path to file or pipe> ] [ --remote-host=<IP
address> ] [ --remote-port=<TCP port> ] [
--remote-username=<username> ] [ --remote-password=<password> ] [
--remote-filter=<filter> ] [ --sshkey=<public key path> ] [
--remote-interface=<interface> ] [ --remote-count=<count> ]
ciscodump --extcap-interfaces
ciscodump --extcap-interface=ciscodump --extcap-dlts
ciscodump --extcap-interface=ciscodump --extcap-config
ciscodump --extcap-interface=ciscodump --fifo=<path to file or
pipe> --capture --remote-host=remotedevice --remote-port=22
--remote-username=user --remote-interface=<the device interface>
--remote-count=<count>
Ciscodump is an extcap tool that relies on Cisco EPC to allow a
user to run a remote capture on a Cisco device in a SSH
connection. It supports IOS, IOS-XE based device and ASA devices.
The tool configures capture on the device, reads data and removes
configuration from the device. Provided credentials must allow the
tool to configure the device.
When capture is started, packets are provided as they are received
from the device. Capture stops when:
• requested count of packets is reached (--remote-count is
mandatory)
• when capture finishes on the device (e.g. capture buffer is
full)
• the capture is stopped by the user
Capture performance depends on a device type. The tool tries to
read packets as soon as they received, but is usually slower than
capturing device captures packets. Therefore packets are read in
batches.
IOS/IOS-XE provides only access to all captured packets from the
top. Therefore reading of second batch means to read all packets
from first batch, but ignore them and then read new packets in
second batch.
ASA provides access to specific packet so tool reads every packet
just once.
SUPPORTED CISCO SOFTWARE
The application supports IOS version is 12.4 and higher. The IOS
version supporting capture feature is 12.4(20)T and higher. More
details can be found here:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html
The application supports IOS-XE version 16.1 and higher. Search
for "Embedded Packet Capture Configuration Guide, Cisco IOS XE" to
get more details.
The application supports ASA version 8.4 and higher. More details
can be found here:
https://community.cisco.com/t5/security-documents/asa-using-packet-capture-to-troubleshoot-asa-firewall/ta-p/3129889
--help
Print program arguments.
--version
Print program version.
--extcap-interfaces
List available interfaces.
--extcap-interface=<interface>
Use specified interfaces.
--extcap-dlts
List DLTs of specified interface.
--extcap-config
List configuration options of specified interface.
--capture
Start capturing from specified interface and save it in place
specified by --fifo.
--fifo=<path to file or pipe>
Save captured packet to file or send it through pipe.
--remote-host=<remote host>
The address of the remote host for capture.
--remote-port=<remote port>
The SSH port of the remote host.
--remote-username=<username>
The username for ssh authentication.
--remote-password=<password>
The password to use (if not ssh-agent and pubkey are used).
WARNING: the passwords are stored in plaintext and visible to
all users on this system. It is recommended to use keyfiles
with a SSH agent.
--remote-filter=<filter>
The remote filter on the device. This is a capture filter that
follows the Cisco standards.
For IOS/IOS-XE see
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html.
For ASA see
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-acls.html.
Multiple filters can be specified using a comma between them.
BEWARE: when using a filter, the default behavior is to drop
all the packets except the ones that fall into the filter.
Examples for IOS/IOS-XE:
permit ip host MYHOST any, permit ip any host MYHOST (capture the traffic for MYHOST)
deny ip host MYHOST any, deny ip any host MYHOST, permit ip any any (capture all the traffic except MYHOST)
Examples for ASA:
permit any4 host MYHOST, permit host MYHOST any4 (capture IPv4 traffic for MYHOST)
Note
Different capture types support or do not support specific
ACL keywords. The tool is not able to check it, just tries
to configure it. If error occurs, the tool just reports it
and terminates. Debris are left in configuration in this
case.
--sshkey=<SSH private key path>
The path to a private key for authentication.
--remote-interface=<remote interface>
The remote network interface to capture from. One interface or
list of interface names can be used. Interfaces are separated
by comma. Interface names must be supported by the device.
There are interface names causing different capture types.
They are specific to used Cisco software.
IOS special names
• process-switched - capture process switched packets in
both directions
• from-us - capture process switched packets originating at
the device
IOS-XE special names
• control-plane - captures in/out packets touching control
plane
ASA special names
• asp-drop - capture packets dropped by all asp categories
• TYPE---ifname - syntax to refer ASA capture types, see
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/ca-cld-commands.html#wp2435483314
• isakmp---ifname - capture isakmp packets
• lacp---ifname - capture lacp packets (just physical
interfaces are supported)
• tls-proxy---ifname - capture tls-proxy packets
• inline-tag---ifname - capture all SGT tagged packets
• raw-data---ifname - same as ifname
• syntax to capture decrypted traffic for some of capture
types:
• isakmp/decrypted---ifname - capture isakmp packets
including decrypted payload
• tls-proxy/decrypted---ifname - capture tls-proxy
packets including decrypted payload
• inline-tag/decrypted---ifname - capture inline-tag
packets including decrypted payload
• raw-data/decrypted---ifname - capture raw-data packets
including decrypted payload
Use e. g. isakmp/decrypted---outside to capture encrypted and
decrypted isakmp traffic on outside interface.
--remote-count=<count>
Count of packets to capture. Capture is stopped when count is
reached.
--extcap-capture-filter=<capture filter>
Unused (compatibility only).
To see program arguments:
ciscodump --help
To see program version:
ciscodump --version
To see interfaces:
ciscodump --extcap-interfaces
Only one interface (ciscodump) is supported.
Example output
interface {value=ciscodump}{display=SSH remote capture}
To see interface DLTs:
ciscodump --extcap-interface=ciscodump --extcap-dlts
Example output
dlt {number=147}{name=ciscodump}{display=Remote capture dependent DLT}
To see interface configuration options:
ciscodump --extcap-interface=ciscodump --extcap-config
Example output
ciscodump --extcap-interface=ciscodump --extcap-config
arg {number=0}{call=--remote-host}{display=Remote SSH server address}
{type=string}{tooltip=The remote SSH host. It can be both an IP address or a hostname}
{required=true}{group=Server}
arg {number=1}{call=--remote-port}{display=Remote SSH server port}
{type=unsigned}{default=22}{tooltip=The remote SSH host port (1-65535)}
{range=1,65535}{group=Server}
arg {number=2}{call=--remote-username}{display=Remote SSH server username}
{type=string}{default=<current user>}{tooltip=The remote SSH username. If not provided, the current user will be used}
{group=Authentication}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}
{type=password}{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
{group=Authentication}
arg {number=4}{call=--sshkey}{display=Path to SSH private key}
{type=fileselect}{tooltip=The path on the local filesystem of the private ssh key}
{group=Authentication}
arg {number=5}{call=--proxycommand}{display=ProxyCommand}
{type=string}{tooltip=The command to use as proxy for the SSH connection}{group=Authentication}
arg {number=6}{call--sshkey-passphrase}{display=SSH key passphrase}
{type=password}{tooltip=Passphrase to unlock the SSH private key}{group=Authentication
arg {number=7}{call=--remote-interface}{display=Remote interface}
{type=string}{tooltip=The remote network interface used for capture}
{required=true}{group=Capture}
arg {number=8}{call=--remote-filter}{display=Remote capture filter}
{type=string}{tooltip=The remote capture filter}{default=<filter to exclude current host>}
{group=Capture}
arg {number=9}{call=--remote-count}{display=Packets to capture}
{type=unsigned}{tooltip=The number of remote packets to capture.}
{required=true}{group=Capture}
arg {number=10}{call=--debug}{display=Run in debug mode}
{type=boolflag}{default=false}{tooltip=Print debug messages}
{required=false}{group=Debug}
arg {number=11}{call=--debug-file}{display=Use a file for debug}
{type=string}{tooltip=Set a file where the debug messages are written}
{required=false}{group=Debug}
To capture on IOS/IOS-XE:
ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
--remote-username user --remote-interface gigabit0/0,gigabit0/1
--remote-filter "permit ip host 192.168.1.1 any, permit ip any host 192.168.1.1"
--remote-count=10
To capture on IOS/IOS-XE:
ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
--remote-username user --remote-interface outside,dmz
--remote-filter "permit host 192.168.1.1 any4, permit any4 host 192.168.1.1"
--remote-count=10
ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
--remote-username user --remote-interface raw-data/decrypted---outside
--remote-filter "permit host 192.168.1.1 any4, permit any4 host 192.168.1.1"
When capture stopped by the user before it finishes on Windows
platform, configuration is not cleared on the device. Next run
will probably fails because parts of configuration already exists
on the device.
Reading performance on IOS/IOS-XE is poor because re-reading of
capture buffer over and over.
The configuration of the capture on the device is a multi-step
process. If the SSH connection is interrupted during it, the
configuration can be in an inconsistent state. That can happen
also if the capture is stopped and ciscodump can’t clean the
configuration up. In this case it is necessary to log into the
device and manually clean the configuration, removing
configuration elements:
• IOS
• capture points WSC_P_<number> (depends on count of capture
interfaces)
• the capture buffer WSC_B
• the capture capture acl WSC_ACL (if filter was used)
• IOS-XE
• the capture WSC
• the capture capture acl WSC_ACL (if filter was used)
• ASA
• the capture WSC
• the capture capture acl WSC_ACL (if filter was used)
On IOS platforms, only IPv4 commands issued and only IPv4 packets
are captured.
wireshark(1), tshark(1), dumpcap(1), extcap(4), sshdump(1)
ciscodump is part of the Wireshark distribution. The latest
version of Wireshark can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at
https://www.wireshark.org/docs/man-pages.
Original Author
Dario Lombardo <lomato[AT]gmail.com>.SH COLOPHON This page is part
of the wireshark (Interactively dump and analyze network traffic)
project. Information about the project can be found at
⟨https://www.wireshark.org/⟩. If you have a bug report for this
manual page, see
⟨https://gitlab.com/wireshark/wireshark/-/issues⟩. This page was
obtained from the project's upstream Git repository
⟨https://gitlab.com/wireshark/wireshark.git⟩ on 2025-08-11. (At
that time, the date of the most recent commit that was found in
the repository was 2025-08-11.) If you discover any rendering
problems in this HTML version of the page, or you believe there is
a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
[email protected]
2025-08-09 CISCODUMP(1)
|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|