how to capture specific port traffic in router interface

r.docuyanan · ‎04-28-2004

Hi,

I have a router and I want to capture a specific application/port transaction coming in/out through its Serial0 interface.

What necessary debug commands do I need to capture such transactions say port 69. Also I wan't to limit the processor load of the router during the capture so as not to affect the production router.

Thanks!

r.docuyanan · ‎04-28-2004

Additionaly, I will just use the terminal monitor command and capture the screen output

Georg Pauwen · ‎04-28-2004

Hello,

an easy way would be to create access lists allowing port 69 and specifying the ´log´ option at the end of the access list. In your case (I assume you are referring to TCP/UDP port 69 for TFTP traffic), the access list would look like this:

access-list 101 permit tcp any any eq 69 log

access-list 101 permit udp any any eq 69 log

access-list 101 permit ip any any

Then apply the access list to the interface in both directions:

interface serial0

ip access-group 101 in

ip access-group 101 out

HTH,

Georg

r.docuyanan · ‎04-28-2004

Thanks Georg, I try it. Will I be able to see it using terminal monitor with debug?? no more debug commands associated with it?

ekhoo · ‎04-29-2004

Hi,

debug ip packet detail [ACL number] will show all the massages on your terminal monitor.. but if i were you.. i won't do that.. because you may get lots of message on your Terminal.

Use Georg suggestion.. log everything to you syslog server.

n2-goes · ‎04-30-2004

Hello,

You will need to disable fast switching to capture all traffic by issuing the following command 'no ip route-cache' under the interface. Do not forget to re-activate fast switching after your trace since all packets will use process switch during the trace.

Nadine.