Remote Packet Capture Using Cisco IOS w/ Conversion to .pcap

Version 1

I've purposely put a .txt extension on these files for upload, and have not included any executables... the executable being a compiled form of the perl script that runs without requiring perl to be installed. I just don't know if executables are allowed here.

I am going to include an archive "Rawpcap-withExecutables.zip" just in case that is allowed. You'll be able to extract the "Capture" folder from there, place it in c:\, and it'll work.

I'll explain how to make it work from scratch.

Here I have included a perl script called "dump.pl.txt", a batch file called "Dump2PCAP.bat.txt", "Folder.txt" and several commands that help when collecting the debug logs from the router.

dump.pl - I compiled this with 'TinyPerl' so the whole setup can easily be shared and run on other PCs. You'll see this in the batch file as RAW2TEXT.exe, which again I haven't included here since I don't know the rules on uploading executables. If it is ok to do so, I will upload it in the future if requested... but you can make the same thing with TinyPerl.

Folder.txt - I just included this to show how the folder structure and files are laid out with the batch file. You see dump.txt in the root of the folders. That is the actual debug log copied from the router via TFTP. Placing that raw content there and running Dump2PCAP outputs Capture.pcap in the root, which is then ready to be opened with Wireshark.

Dump2PCAP.bat - Just an example of how I automated the process.

Commands.txt - Commands to include so you don't end up killing the router. Shows how to ensure you have a clean log, and how to TFTP it to your computer.

You'll have to grab text2pcap.exe from the root of your Wireshark directory. It's in there.

*NOTE: Sometimes the entire packet won't get logged and it gets recorded starting in the middle somewhere. When this happens the perl script won't notice, but when you go to convert to .pcap you will see some packets not getting written. Those are corrupt captures at the beginning and the end of the capture.

If it ends up being ok to just zip all of it, including executables, I'll just do that to make setup easier.
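The conversion the post automates with dump.pl, as an added example in Python (not the post's Perl script or batch file): it parses constructed "debug ip packet detail dump" output into the offset/hex text that text2pcap reads, and skips the partial packets the NOTE above describes instead of writing them. Assumptions: the captures are Ethernet frames with a 14-byte L2 header, and any bytes logged past L2 header + IP len are buffer slack.

```python
import re
# Constructed sample of "debug ip packet detail dump" output (not from the post): packet 1 is a complete
# 42-byte frame (14-byte Ethernet header + 28-byte IP/ICMP) plus 2 bytes of slack; packet 2 is cut off at 20 bytes.
SAMPLE_LOG = """\
*Mar  1 00:00:10.123: IP: s=10.0.0.1 (FastEthernet0/0), d=10.0.0.2 (FastEthernet0/1), len 28, rcvd 3
07B2E4A0:                   00112233 44550066  ..."3DU.f
07B2E4B0: 77889900 08004500 001C0001 00004001  w.....E.......@.
07B2E4C0: B7C60A00 00010A00 00020800 F7FF0000  ................
07B2E4D0: 0000ABCD                             ....
*Mar  1 00:00:11.456: IP: s=10.0.0.2 (FastEthernet0/1), d=10.0.0.1 (FastEthernet0/0), len 28, sending
07B2E5A0: 00667788 99000011 22334455 08004500  .fw....."3DU..E.
07B2E5B0: 001C0001                             ....
"""

HDR_RE = re.compile(r"IP: s=(\S+) .*?, d=(\S+) .*?len (\d+)")
DUMP_RE = re.compile(r"^[0-9A-F]{8}:(.*)$")
WORD_RE = re.compile(r"^[0-9A-F]{8}$")  # IOS prints the dump as whole 32-bit words

def parse_dump(log, l2_header_len=14):
    """Return (bytes_logged, bytes_expected) per packet; bytes_expected assumes an
    Ethernet frame, i.e. l2_header_len + the IP 'len' from the summary line."""
    packets = []
    for line in log.splitlines():
        hdr = HDR_RE.search(line)
        if hdr:
            packets.append([bytearray(), l2_header_len + int(hdr.group(3))])
            continue
        dump = DUMP_RE.match(line)
        if dump and packets:
            # At most four hex words per line; stop at the first non-word token (the
            # ASCII column) so printable payload text is never misread as hex.
            for tok in dump.group(1).split()[:4]:
                if not WORD_RE.match(tok):
                    break
                packets[-1][0] += bytes.fromhex(tok)
    return [(bytes(b), n) for b, n in packets]

def to_text2pcap(packets):
    """Render complete frames in text2pcap's '<hex offset> <hex bytes>' form; return
    (text, indices of packets skipped because the dump was truncated)."""
    out, skipped = [], []
    for idx, (frame, expected) in enumerate(packets):
        if len(frame) < expected:
            skipped.append(idx)       # partial capture: skip it instead of writing garbage
            continue
        frame = frame[:expected]      # drop buffer slack logged past the end of the frame
        for off in range(0, len(frame), 16):
            out.append(f"{off:06X} " + " ".join(f"{b:02X}" for b in frame[off:off + 16]))
        out.append("")                # blank line marks the packet boundary for text2pcap
    return "\n".join(out), skipped
```

Write the returned text to a file and run text2pcap on it (e.g. `text2pcap dump.txt Capture.pcap`), which is the step the batch file performs; the skipped list tells you how many packets the router logged only partially.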