Skip to content
Adam Spera

Embedded Packet Capture (EPC)

Cisco Embedded Packet Capture (EPC) is a built-in IOS-XE feature that lets routers capture live traffic passing through their interfaces. It’s especially useful for debugging and protocol analysis without requiring external devices or taps.

Captures are stored in DRAM and are cleared on reload unless exported.

Use Cases

Section titled “Use Cases”
  • Troubleshooting NAT, routing, or ACL behavior
  • Capturing malformed packets
  • Verifying protocol behavior (DHCP, HSRP, etc.)
  • Capturing traffic during flaps or intermittent failures

Capture Workflow

Section titled “Capture Workflow”
  1. Create a capture buffer
  2. (Optional) Apply a filter using an ACL
  3. Create a capture point (interface + direction)
  4. Start the capture
  5. Stop and view/export the capture

Step 1: Create a Capture Buffer

Section titled “Step 1: Create a Capture Buffer”
monitor capture MYCAP buffer circular size 100
  • size: Total buffer size in MB
  • circular: Continues capturing and overwrites oldest data
  • Use linear instead of circular if you want capturing to stop when the buffer is full

Step 2: Filter with Match or ACL

Section titled “Step 2: Filter with Match or ACL”
ip access-list extended PACKET_FILTER
 permit ip host 192.168.12.1 host 192.168.23.3


monitor capture MYCAP access-list PACKET_FILTER


...or...


monitor capture MYCAP match any

Step 3: Create a Capture Point

Section titled “Step 3: Create a Capture Point”
monitor capture MYCAP interface FastEthernet0/1 both
  • both: Capture ingress and egress
  • Other options: in, out

Step 4: Start and Stop the Capture

Section titled “Step 4: Start and Stop the Capture”
monitor capture MYCAP start
...
monitor capture MYCAP stop

Step 5: View or Export

Section titled “Step 5: View or Export”

View packets directly on the router:

show monitor capture MYCAP buffer
show monitor capture MYCAP buffer brief
show monitor capture MYCAP buffer dump

Export to a TFTP server for Wireshark analysis:

monitor capture MYCAP export tftp://10.100.2.120/capture.pcap

Optional Combination

Section titled “Optional Combination”
monitor capture MYCAP buffer size 100 circular interface G1 both match any start

Notes

Section titled “Notes”
  • EPC captures are volatile; they are lost on reload.
  • Only one capture per interface/direction is supported at a time.
  • You must have CEF enabled on the target interfaces.
  • Capture can be done using L2, IP, or ACL filters.

Reference

Section titled “Reference”

Embedded Packet Capture Whitepaper