Host-Based Protocol Analyzers

A protocol analyzer decodes the various protocol layers in a recorded frame and presents this information in a relatively easy-to-use format. The figure shows a screen capture of the Wireshark protocol analyzer. The information displayed by a protocol analyzer includes the physical-layer, data-link-layer, and protocol details, along with a description, for each frame. Most protocol analyzers can filter traffic that meets certain criteria so that, for example, all traffic to and from a particular device can be captured. Protocol analyzers such as Wireshark can help troubleshoot network performance problems. It is important to have a good understanding both of how to use the protocol analyzer and of TCP/IP. To become more knowledgeable and skillful using Wireshark, an excellent resource is http://www.wiresharkbook.com.

Cisco IOS Embedded Packet Capture

The Cisco IOS Embedded Packet Capture (EPC) delivers a powerful troubleshooting and tracing tool. The feature allows network administrators to capture IPv4 and IPv6 packets flowing through, to, and from a Cisco router. The Cisco IOS EPC function is mainly used in troubleshooting scenarios where it is helpful to see the actual data being sent through, from, or to the network device.

For example, support desk personnel may need to determine why a particular device cannot access the network or some application. It might be necessary to capture IP data packets and examine the data to discover the problem. Another example would be determining an attack signature for a network threat or a server security breach. The Cisco IOS EPC can help capture packets flowing into the network at the origin or at the perimeter.

The Cisco IOS EPC is useful whenever a network protocol analyzer would help in debugging a problem but it is not practical to install such a device.
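As an added illustration (not from the original text or from Cisco's guide), the following IOS-XE session captures all traffic to and from one host on a router interface, bounded in size and duration, and exports it as a pcap file that Wireshark can open. The host address, capture name, interface, and file name are assumed values, and the exact `monitor capture` syntax varies by IOS release, so verify each command against the configuration guide for your platform.

```cisco
! Constructed example: capture both directions for host 10.1.1.10
! An ACL is used because a single "match ipv4 host A any" filter
! matches only one direction of the conversation.
configure terminal
ip access-list extended CAP_HOST
 permit ip host 10.1.1.10 any
 permit ip any host 10.1.1.10
end

! Define the capture: interface, direction, filter, and limits.
! Bounding the buffer and duration keeps the capture from consuming
! router memory or CPU if the filter matches more than expected.
monitor capture CAP interface GigabitEthernet0/0/0 both
monitor capture CAP access-list CAP_HOST
monitor capture CAP buffer size 10
monitor capture CAP limit duration 60

! Run the capture, then inspect and export it.
monitor capture CAP start
monitor capture CAP stop
show monitor capture CAP buffer brief
monitor capture CAP export flash:cap_host.pcap

! Remove the capture definition when finished so it is not left
! armed on the device.
no monitor capture CAP
```

Copy the exported file off the router and open it in Wireshark to decode the frames; the capture contains the actual payloads, so handle the file with the same care as the traffic it records.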

For more information on using and configuring Cisco EPC, consult the Embedded Packet Capture Configuration Guide.