10-12-2009 09:58 AM - edited 03-06-2019 08:05 AM
How can I leverage Cisco IOS to sniff traffic?
I can span a port and connect a sniffer.
What else? NetFlow? ACLs? I have lost track of all the tools in IOS that one can use to sniff traffic.
I want to see if the 7609 router is receiving aaa traffic (UDP 1812 and 1813) and vice versa.
Thanks
10-12-2009 10:05 AM
netflow is not a sniffing tool. It's a tool to create statistics about protocol usage and source / dest ip addresses. There is also NBAR for protocol usage.
For sniffing, as you say, you need a SPAN/RSPAN session and have a sniffer on the other end.
Or you can use the NAM module or appliance.
What exactly are you trying to achieve?
10-12-2009 10:08 AM
Hello Victor,
the newest feature is the embedded packet capture that works only on ISR and C7200 VXR routers.
But you still need an external sniffer on the destination port.
see
http://www.cisco.com/en/US/products/ps9913/products_ios_protocol_group_home.html
Depending on your needs, NetFlow, ACLs or IP accounting can provide some feedback.
Also NBAR could be used for flow classification on an interface.
Hope to help
Giuseppe
10-12-2009 10:58 AM
Debug.
10-12-2009 11:33 AM
Folks:
I have a situation in which I need to verify that my 7609 router is receiving aaa requests from a certain appliance, and then forwarding them to the AAA server.
So, I know I can configure an ACL that matches the source/destination addresses as well as UDP 1812 and 1813, and then apply the ACL inbound to the interface in question. That is a pretty crude way to do it. I may see hits, but if there are too many, the buffer will overflow and a 'sh access-list' may not give the kind of accurate numbers I would like to see.
I have used ip accounting before to identify flows - again, it's crude because it will not match application ports (at least I don't remember it doing so). Anyway, I enabled it on the interface in question, yet it does not give me any statistics at all - for any flows. Not sure what's the story with that.
I am vaguely aware of NetFlow, but I think one must have that feature set enabled in the IOS version, no? Or does it come with the ip adv services version by default?
Then I know of course about spanning the port and using a sniffer, but I am trying to avoid that since that would require someone being located at the site to plug the sniffer in.
Any ideas now, given the detailed information I have given?
Thanks
10-12-2009 11:38 AM
Netflow will not be able to provide you that information.
What kind of aaa packets? You have many debug aaa options on the router to troubleshoot this.
10-12-2009 11:41 AM
debug aaa *
10-12-2009 02:46 PM
The router is neither generating nor terminating aaa traffic. It's just passing through like any other application traffic. So debug aaa authentication is worthless.
10-12-2009 03:07 PM
ACL matching can lead you to misleading information as you won't see the packet capture.
At this point, you don't have other options besides spanning the traffic to a sniffer.
10-13-2009 06:24 AM
Yeah, that's what I thought... thanks.
10-28-2009 03:32 PM
Hi Victor,
In your case the 7609 router won't be able to see the aaa traffic as you have an IPSEC tunnel that carries the traffic. So the only traffic you will see is the ESP or AH through your 7609 routers.
So you need to sniff or use ACL before or after the IPSEC encryption. :-)
HTH
Ullas
10-28-2009 03:58 PM
If you want to see packets and you know the addresses you are looking for, you can create an ACL with said addresses. You then do a debug ip packet.
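The last suggestion written out as IOS commands, added here as an example and not taken from any post in this thread; the addresses are placeholders for the appliance and the AAA server:

```cisco
! Numbered extended ACL that selects RADIUS authentication (UDP 1812) and
! accounting (UDP 1813) in both directions. Placeholder addresses:
! 192.0.2.10 = appliance, 198.51.100.20 = AAA server.
access-list 150 permit udp host 192.0.2.10 host 198.51.100.20 eq 1812
access-list 150 permit udp host 192.0.2.10 host 198.51.100.20 eq 1813
access-list 150 permit udp host 198.51.100.20 eq 1812 host 192.0.2.10
access-list 150 permit udp host 198.51.100.20 eq 1813 host 192.0.2.10
! No permit ip any any here: the ACL is only a filter for the debug, it is
! not applied to an interface, so the implicit deny simply hides other flows.
!
! Show only packets matching ACL 150, with addresses and ports.
! Caveat: debug ip packet sees process-switched packets only; traffic that is
! CEF- or hardware-switched (the normal case on a 7600 with a PFC) never
! reaches it, which is why the thread falls back to SPAN for that platform.
debug ip packet 150 detail
!
! Turn the debug off as soon as the question is answered; unfiltered
! debug ip packet can drive the CPU to 100% on a busy router.
undebug all
```

If the traffic is carried inside an IPsec tunnel, as noted above, only ESP or AH will match on the transit router, so the ACL has to be applied on a device that sees the cleartext RADIUS packets.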