Capture/Sniffer Tool for Router?

jason.drury
Level 1

All,

Is there a capture tool, similar to what the PIX has, for routers? I am trying to access a router via SSH, but I can't. I want to run a "capture" on the external interface to see if the packets are reaching the router or not and/or being NATed along the way. I wrote an ACL with the IP address I'm thinking it is supposed to be, but I'm not getting any hits against it. This traffic does not go through any firewalls along the way, that we manage, so I can't place the capture on them.

Thanks for any help.

2 Replies

wong34539
Level 6

Disable fast switching on the interfaces involved. You will only see the first packet if fast switching is not disabled.

config interface

no ip route-cache

To display debug command output and system error messages for the current terminal and session, use the terminal monitor command in enable mode.

Begin the debug process using the debug ip packet 101 or debug ip packet 101 detail command.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

The advice about forcing process switching with no ip route-cache is true for running debug and not necessary if the diagnostic is an access list.

If you are trying to test whether the SSH packets get to the router, and if so what address they have, I would suggest that you try this:

access-list 199 permit tcp any any eq 22 log

access-list 199 permit ip any any

Configure this access list as an inbound access-group on the interface(s) where SSH might arrive. If SSH does get to the router there will be a hit in the access list and a log record which will have the source address of the packet.

This approach involves less overhead on the router than running debug does.

HTH

Rick
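Added example, not part of the original thread: a small Python script that reads the log records produced by the `log` keyword on access-list 199 and reports which source addresses the SSH packets arrived with, which answers the "is it being NATed along the way" question. It assumes the standard IOS `%SEC-6-IPACCESSLOGP` message format; the function names, sample lines and addresses are constructed for illustration.

```python
import re
from collections import Counter

# IOS reports ACL matches on TCP/UDP entries with the "log" keyword
# as %SEC-6-IPACCESSLOGP messages.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample input (documentation addresses, not real captures).
SAMPLE_LOG = [
    "*Mar  1 00:12:31.003: %SEC-6-IPACCESSLOGP: list 199 permitted tcp "
    "203.0.113.7(51234) -> 192.0.2.1(22), 1 packet",
    "*Mar  1 00:17:31.120: %SEC-6-IPACCESSLOGP: list 199 permitted tcp "
    "203.0.113.7(51234) -> 192.0.2.1(22), 4 packets",
    # A different ACL: must be ignored when diagnosing list 199.
    "*Mar  1 00:18:02.441: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "198.51.100.9(40022) -> 192.0.2.1(22), 1 packet",
    "*Mar  1 00:18:05.000: %LINK-3-UPDOWN: Interface Serial0/0, "
    "changed state to up",
]

def ssh_sources(lines, acl="199", port=22):
    """Return Counter {(src, dst): packets} for hits on `acl` to tcp/`port`."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl or m["proto"] != "tcp":
            continue
        if int(m["dport"]) != port:
            continue
        hits[(m["src"], m["dst"])] += int(m["count"])
    return hits

def diagnose(lines, expected_src, acl="199"):
    """Compare the logged SSH sources with the address the ACL author expected."""
    hits = ssh_sources(lines, acl)
    if not hits:
        return "no SSH packets reached this interface"
    sources = sorted({src for src, _ in hits})
    if expected_src in sources:
        return "SSH arrives with the expected source address"
    return "SSH arrives, but from " + ", ".join(sources)

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, expected_src="10.1.1.5"))
```

The script is meant to be fed the router's buffered log or the syslog server's file; an empty result means the packets never reached the interface where the access-group is applied.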
