Re: Capture packets on router

wilson_1234_2 · ‎10-07-2007

I am trying to determine the source of traffic across a DS3 link.

I have applied an access-list inbound on the serial interface as shown:

access-list 102 permit tcp any any range 1 65535 log

access-list 102 permit udp any any range 1 65535 log

access-list 102 permit ip any any log

apply access-group 102 in s0/0

When viewing the log I am seeing this:

Oct 7 17:01:18.586: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 38401 packets

Is there a limit set on the router log buffer?

lgijssel · ‎10-07-2007

Using an acl with log like this is drawing heavy on the CPU because there are many cycles involved in handling a packet. Your DS3 will handle a lot more traffic than the CPU can handle. In this case I presume that subsequent packets are by-passed in one way or another and listed as "missed" i.e. not processed by the acl/logger.

It would be better to attempt to capture the traffic with an packet analyzer (wireshark) and get your information that way.

regards,

Leo

wilson_1234_2 · ‎10-08-2007

Thanks for the reply,

Is it possible to use ethereal or wireshark to capture packets passing through the serial interface of a router from a workstation?

Edison Ortiz · ‎10-08-2007

Any packet traversing the DS3 will go via the router's LAN interface, correct ?

If that's the case, SPAN the port where this LAN interface is connected with destination towards the workstation running Ethereal.

HTH,

wilson_1234_2 · ‎10-08-2007

Thanks for the reply.

I have no more configurable SPAN ports available for that switch, they are being used already.

Edison Ortiz · ‎10-08-2007

What kind of traffic are you looking for ?

You can configure netflow on the interfaces instead of tracking every single packet traversing the interface.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/honf_c/chap05/onf_bcf.htm