
Capture QoS Traffic

Joe Lee
Level 1

Attached is the network diagram.

We are running QoS on the WAN. We want to test the WAN QoS to make sure the class map/policy are properly configured on the router. We installed Wireshark on the computer and want to capture the real-time QoS traffic on the WAN interface of the router. We tried a few times and it looks like Wireshark only captured the LAN traffic and we couldn't capture any QoS traffic. Please advise.

Joe

13 Replies

John Peek
Level 1

You're not going to be able to capture WAN QoS traffic with Wireshark.

Might I suggest running this command:

show policy-map interface (interface the qos policy is applied on)

Also, if your policy map uses access lists, you can do a show access-lists and it will display hits against the access list.

Thank you, John. This command only shows the statistics, and we want to capture the real-time WAN QoS traffic. If Wireshark doesn't work in this case, any recommendation? Or is it because I didn't use Wireshark the right way?

Ok gotcha. I don't know of anything exactly real time. But that doesn't mean it doesn't exist. What we use that is near real time is a NetFlow analyzer. There is a small delay between when traffic is being pushed through and when it shows up in the analyzer. Hope this helps.

Hi Joe,

You have a couple of options that I know of:

1> Use the built-in packet capture utility on your IOS device (depends on your router whether it is available or not).

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps9913/datasheet_c78-502727.html

2> In your scenario, you can place a configurable L2 switch between the Feed and your router and enable SPAN on that switch, which will then copy all traffic on the Feed to your switchport, where you can have a device running Wireshark or tcpdump etc.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

There could be more technologies that can help you sniff the traffic, but these are the most common I have seen.

Manish

Thanks, John. Is the NetFlow Analyzer connected to the LAN switch or the router to pull out the data?

Hi,

There is no such thing as QoS traffic; there is traffic marked with QoS settings, and if you want to capture WAN traffic on a router you can use RITE or EPC:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Regards.

Alain.

Don't forget to rate helpful posts.

It's an application that runs on a server or computer. I recommend a server just because it will be easier to have a constant monitor running.

And then it's only a few commands to enable netflow.

ip flow-export version 5
ip flow-export destination x.x.x.x 9996

LAN Interface

ip flow ingress

Wan interface

ip flow ingress

x.x.x.x - IP address of the device with the netflow analyzer installed.

There are a bunch of free analyzers out there.

I attached a screenshot of my analyzer. I can then click on each queue and see what traffic is in that queue. Is there traffic in my default queue I want to tag? Well, I look at the Default and it will show me traffic by source and destination IP address along with port numbers.

Take some time and do a bit of research, there is plenty of documentation out there on this subject.

l33tlinux wrote:

It's an application that runs on a server or computer. I recommend a server just because it will be easier to have a constant monitor running.

And then it's only a few commands to enable netflow.

ip flow-export version 5
ip flow-export destination x.x.x.x 9996

LAN Interface

ip flow ingress

Wan interface

ip flow ingress

x.x.x.x - IP address of the device with the netflow analyzer installed.

There are a bunch of free analyzers out there.

I attached a screenshot of my analyzer. I can then click on each queue and see what traffic is in that queue. Is there traffic in my default queue I want to tag? Well, I look at the Default and it will show me traffic by source and destination IP address along with port numbers.

Take some time and do a bit of research, there is plenty of documentation out there on this subject.

Hi mate,

Can you share with us a good/nice to work with NetFlow app?

ManageEngine and SolarWinds both create products targeted for this. I don't know the strengths and weaknesses of either of these pieces of software, so I wouldn't be the best to ask about which one is better. Google both of their names with netflow analyzer and you will see their product offering.

lgijssel
Level 9

This can work. The main gotcha is the switches must be set to trust QoS or have QoS disabled completely.

Otherwise, they will remark all traffic to cos0/dscp0.

Another thing to note is that you must also verify the sending PC is actually marking the traffic.

This is not as easy as it may seem for Windows boxes.

In fact, you need to have the qos policy manager in place (and configured) or a registry setting is required.

Search for: “Microsoft Knowledge Base Article - 248611”
http://support.microsoft.com/Default.aspx?scid=kb;ENUS;q248611;

(Link is very old and may not work)

regards,

Leo

Hi, I can pull the file from tcpdump and import it into Wireshark. Can I verify from Wireshark that the traffic will be marked by QoS? Please advise.

In the Internet Protocol Section, there is a subsection called Differentiated Services Field. That's what you are looking for. DSCP 0x00
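The check described in this reply, done in bulk over a saved tcpdump file instead of packet by packet in the Wireshark pane (an added example, not part of the original thread). The function names, the sample addresses and the sample capture are constructed for illustration; only classic Ethernet pcap files are handled.

```python
import socket
import struct
from collections import Counter

# Common DSCP code points; any other value is reported as "dscpN".
DSCP_NAMES = {0: "default", 10: "AF11", 26: "AF31", 34: "AF41", 46: "EF", 48: "CS6"}

def ipv4_dscp(pcap: bytes):
    """Yield (src, dst, dscp) for each IPv4 packet in a classic Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ethertype, l3 = int.from_bytes(frame[12:14], "big"), 14
        while ethertype in (0x8100, 0x88A8):          # step over 802.1Q / QinQ tags
            ethertype = int.from_bytes(frame[l3 + 2:l3 + 4], "big")
            l3 += 4
        ip = frame[l3:l3 + 20]
        if ethertype == 0x0800 and len(ip) == 20:
            # Byte 1 of the IPv4 header is the DS field: DSCP in the top 6 bits, ECN below.
            yield socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[1] >> 2

def dscp_summary(pcap: bytes) -> Counter:
    """Count packets per (src, dst, DSCP name)."""
    return Counter((s, d, DSCP_NAMES.get(v, f"dscp{v}")) for s, d, v in ipv4_dscp(pcap))

def _frame(src, dst, tos, vlan=b""):
    """Constructed sample: Ethernet frame holding a bare 20-byte IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 6 + b"\x04" * 6 + vlan + b"\x08\x00" + ip

def sample_pcap() -> bytes:
    """Constructed capture: two EF packets, one unmarked, one AF31 inside a VLAN tag."""
    frames = [_frame("10.0.0.5", "192.0.2.10", 0xB8), _frame("10.0.0.5", "192.0.2.10", 0xB8),
              _frame("10.0.0.9", "192.0.2.20", 0x00), _frame("10.0.0.7", "192.0.2.30", 0x68, b"\x81\x00\x00\x64")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (src, dst, name), n in sorted(dscp_summary(sample_pcap()).items()):
        print(f"{src} -> {dst}  {name:8} {n} pkt")
```

In Wireshark itself the same value is exposed as the `ip.dsfield.dscp` display-filter field.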

Hieu Cao
Level 4

As John Peek suggested, use ManageEngine or SolarWinds to see QoS markings in your WAN traffic.  I am using both of these products to manage my WAN, and ManageEngine is much easier to install (light install, uses MySQL database) and does not require superior hardware/mem to get the app going.  You can get it going easily on a Windows XP workstation, and it'll take you about 5 minutes to install it and enable NetFlow on your router to point to the workstation running ManageEngine NetFlow Analyzer.  You will see the QoS marking, say EF for VoIP, then you know for sure that the packets were marked correctly exiting the router.

With SolarWinds, it really requires a couple of decent servers, and one of those servers will house an MS SQL database.  It has detailed info and fancy graphs, but it allows you to do a lot more stuff with your network besides monitoring the WAN traffic compared to ManageEngine Netflow Analysis.

-Hieu
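What an analyzer does with the version 5 export configured earlier in the thread, shown as a small decoder that reads the ToS byte of each flow record and totals bytes per DSCP value (an added example, not part of the original thread and not code from either product). The function names and the sample datagram are constructed; a real collector would read datagrams from the UDP port given in `ip flow-export destination`.

```python
import socket
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record

def parse_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count = struct.unpack_from("!HH", datagram)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    # The export is plain, unauthenticated UDP: never trust the sender's record count.
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "octets": r[6], "sport": r[9], "dport": r[10],
                      "proto": r[13], "dscp": r[14] >> 2})   # r[14] is the ToS byte
    return flows

def octets_by_dscp(flows) -> Counter:
    """Total bytes per DSCP value, the per-queue view an analyzer draws."""
    totals = Counter()
    for f in flows:
        totals[f["dscp"]] += f["octets"]
    return totals

def sample_datagram() -> bytes:
    """Constructed export: one EF voice flow, one unmarked web flow, one AF31 flow."""
    recs = [("10.0.0.5", "192.0.2.10", 16384, 16384, 17, 0xB8, 12000),
            ("10.0.0.9", "192.0.2.20", 51000, 443, 6, 0x00, 90000),
            ("10.0.0.7", "192.0.2.30", 5060, 5060, 17, 0x68, 3000)]
    out = V5_HEADER.pack(5, len(recs), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, sport, dport, proto, tos, octets in recs:
        out += V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                              0, 0, 10, octets, 0, 0, sport, dport, 0, 0, proto, tos,
                              0, 0, 0, 0, 0)
    return out

if __name__ == "__main__":
    for dscp, octets in sorted(octets_by_dscp(parse_v5(sample_datagram())).items()):
        print(f"DSCP {dscp:2}: {octets} bytes")
```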
