configure an ACL with the adresses/subnets you want to capture
i.e.
ip access-list extended BUF-FILTER
permit ip host <HOST-1> host <HOST-2>
permit ip host <HOST-2> host <HOST-1>
Create a buffer with total size and packetsize
monitor capture buffer BUFFER size 2048 max-size 1518 linear
Associate ACL with BUFFER
monitor capture buffer BUFFER filter access-list BUF-FILTER
Define a capture point
monitor capture point ip cef POINT GigabitEthernet0/1 both
If you want to capture traffic on an interface and not through an interface
monitor capture point ip process-switched POINT both
Attach buffer to capture point
monitor capture point associate POINT BUFFER
Start capture
monitor capture point start POINT
Stop capture
monitor capture point stop POINT
See content of capture
show monitor capture buffer BUFFER dump
Export capture
monitor capture buffer BUFFER export tftp://<tftp_server>/BUFFER.pcap
Remove capture point, buffer and ACL
- no monitor capture point ip cef POINT GigabitEthernet0/1 both
- no monitor capture buffer BUFFER
- no ip access-list extended BUF-FILTER