02-17-2015 02:53 AM - edited 03-07-2019 10:41 PM
Hello everybody,
I need to show, not capture, all connections from "host A" to "any", on any TCP port.
Router is a 1801 with "c180x-adventerprisek9-mz.151-4.M8".
Host A (172.16.2.13/28) doesn't generate much traffic and is connected to fa2, and fa2 is a switchport in VLAN2 (172.16.2.14/28);
I have an extended access-list with 5 lines, and I've appended a sixth like this:
.......
#60 permit tcp host 172.16.2.13 any
but if I start to debug access-list 60
#debug ip packet 60 detail
I lose the connection to the router because it becomes unstable... on the syslog server I can see the debug output, but it's a traffic debug of all router interfaces!!
What am I doing wrong?
Help me please! Bye, Roberto.
02-17-2015 02:59 PM
> I have an extended access-list with 5 lines, and I've appended a sixth like this
could you please show us the complete access list 60?
> I can see debug output but it's a traffic debug of all router interfaces!!
possibly it is caused by the rules in the first five positions...
> #debug ip packet 60 detail
this means you are capturing traffic matching all six lines of your "ip access-list 60"
02-18-2015 03:55 AM
Hi Michal,
thanks for your reply!
Yes, I've probably captured all lines of the access-list... but I have to change my approach because my access-list is an extended "named" access-list and, in another post, I've read that "named" access-lists cannot be debugged...
Now I've deleted all access-list entries that refer to vlan2 and I've created a new "numbered" one:
#ip access-list extended 100
#10 permit ip 172.16.2.0 0.0.0.15 any log
In this mode the debug shows only access-list 100 traffic + bcast + mcast.
:)
But, the strange thing is another one now...
I've bought a multifunction printer that sends scanned documents to an email account; the printer doesn't have an internal SMTP client, it makes a connection to HP servers that forward the scans to the real destination address...
I was curious to find out how this connection works because my private/confidential documents are sent over the internet and I would hope that HP uses a secure connection from my printer to its server...
Well, if I add the "log" keyword at the end of the access-list, or I enable access-list debugging, the printer stops communicating with the HP services/server... if I turn off the debug or rewrite the access-list without the "log" feature, incredibly the printer starts communicating with HP again...
Do you have any idea that explains that? I'm going crazy...
02-18-2015 04:11 AM
> Well, if I add the "log" keyword at the end of the access-list, or I enable access-list debugging, the printer stops communicating with the HP services/server...
this is very strange. didn't you use the same access list applied anywhere else? (as a VLAN or port access-list). this makes no sense, as the printer has no way to determine if someone is trying to capture its traffic.
you can use two more options in order to have a full picture of the printer traffic details:
Just out of curiosity - which HP printer model are you talking about?
02-18-2015 08:11 AM
These are the access-lists on the router:
#sh run | inc permit
permit ip 10.10.10.0 0.0.0.63 any
permit ip 192.168.168.0 0.0.0.15 any
permit ip 192.168.169.0 0.0.0.63 any
permit ip 172.16.4.0 0.0.0.63 any
access-list 100 permit ip 172.16.2.0 0.0.0.15 any
I think that if I start to debug access-list 100, I should get only and all the vlan2 traffic, right?
I really don't know, but can't the printer, or any other device, determine if a switch port or a NIC is in "promiscuous mode"?
Yes, good idea Michal, I don't know if my 1801 has the mirror-port feature on the switch module, but I can do that with an old hub and Wireshark!
The printer is an Officejet 5740, which will probably be back on the store shelf soon..!
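The following is an added example, not part of the thread and not anything the participants posted. It shows the approach the thread converges on (a numbered extended list used only as a debug filter) together with the steps that keep `debug ip packet` from taking the router down. The host address (172.16.2.13), the ACL number (100) and the SVI name (Vlan2) are taken from, or assumed from, the posts above; the buffer size and rate limit are arbitrary choices. Two caveats a practitioner wants here: `debug ip packet` only shows packets that reach the process path, so transit traffic switched by CEF does not appear unless you turn route caching off on the interface for the test; and the `log` keyword on an ACL entry is not a passive observation, it forces matching packets onto the process path and rate-limits the resulting messages, so keep the debug list separate from any list that NAT, a route-map or a crypto map already references and do not add `log` to those.

```ios
! Added example (not from the thread). Assumptions: host A is
! 172.16.2.13, the LAN SVI is Vlan2, the printer talks outbound over TCP.
!
! 1. Scope the filter as tightly as possible: TCP from host A only,
!    and no "log" keyword (log punts matching packets to the CPU).
configure terminal
 ip access-list extended 100
  10 permit tcp host 172.16.2.13 any
 exit
!
! 2. Keep debug output off the console and vty; buffer it instead,
!    and rate-limit what still goes to the log.
 no logging console
 no logging monitor
 logging buffered 65536 debugging
 logging rate-limit 100
!
! 3. "debug ip packet" shows only process-switched packets. Disable
!    route caching (fast switching and CEF) on the LAN interface for
!    the duration of the test so the printer's traffic is visible.
 interface Vlan2
  no ip route-cache
 exit
end
!
! 4. Confirm the list exists and reads as intended before pointing
!    the debug at it: a typo here is the classic way to end up
!    debugging every packet on the box.
show access-lists 100
!
! 5. Run the debug, trigger the scan-to-email, and stop it promptly.
debug ip packet 100 detail
! ... trigger the printer, wait a few seconds ...
undebug all
!
! 6. Read what was buffered: source, destination, interface and,
!    with "detail", the TCP ports, which is enough to see whether
!    the printer uses 25, 587, 443 or something else.
show logging | include 172.16.2.13
!
! 7. Restore route caching on the interface.
configure terminal
 interface Vlan2
  ip route-cache
end
```

If the router is reachable only through Vlan2, run steps 3 to 7 from the console or over another interface: with route caching off, every packet on that interface is handled by the CPU, and a busy VLAN can make the box as unresponsive as the original unfiltered debug did.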