I have a remote Cisco 2811 router running IOS 12.3(8r)T7 with an HWIC-D-9ESW Fast Ethernet switch module in slot 3. All ports are configured as switchport access VLANs.
I need to capture HTTP and HTTPS traffic originating from vlan105 and getting switched out vlan106.
When I create an access list and debug the access list, I only see my SSH session packets on the VLAN through which I am connected. How do I get a packet dump of traffic to and from other VLANs?
You could try the mirroring functionality. If you would like to use an application such as Wireshark with a Cisco switch, you have the option to “mirror” a port and, I believe, a VLAN (but I could be wrong). This functions the same as a network tap.
Type the following commands on your switch to enable this option:
Switch# conf t
Switch(config)# monitor session # source interface InterfaceName#/#
Switch(config)# monitor session # destination interface InterfaceName#/#
Session # (can be a numeric value such as 1, 2, 20, etc...)
Source or Destination Interface is the name of the interface followed by its number. Example: FastEthernet3/12
Source refers to the device you wish to monitor, and destination is the device that is running applications such as Ethereal.
To terminate the monitoring, type:
Switch# conf t
Switch(config)# no monitor session #
To view the current monitored sessions, type:
Switch# show monitor session all
The router is remote (in another country) but I have SSH access to privileged exec.
Can I specify the logging buffer as the destination?
I'll have a look at the IOS commands you mentioned overnight.
Do you really need to capture the router? Or is it OK to get the IP addresses of the HTTP and HTTPS session?
Not sure if you can use the feature Router IP Traffic Export Packet Capture Enhancements:
If you do not need the actual packet, you can use NetFlow to collect the stats.
Alternatively, ACL with log option, so that the 2811 generates a syslog message.
If none of the above works, I think that you have to configure monitor session as suggested previously.
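For the ACL-with-log suggestion above, the %SEC-6-IPACCESSLOGP syslog lines the router generates can be tallied per flow to show which HTTP/HTTPS packets matched the ACL. This Python script is an added example, not part of the original posts; the ACL name WEB-OUT, the addresses and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of "show logging" output (ACL name, IPs and counts are invented).
SAMPLE_LOG = """\
*Mar  3 10:15:01.123: %SEC-6-IPACCESSLOGP: list WEB-OUT permitted tcp 10.1.106.20(51234) -> 203.0.113.10(80), 1 packet
*Mar  3 10:15:02.456: %SEC-6-IPACCESSLOGP: list WEB-OUT permitted tcp 10.1.106.20(51240) -> 203.0.113.10(443), 1 packet
*Mar  3 10:15:09.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
*Mar  3 10:20:02.456: %SEC-6-IPACCESSLOGP: list WEB-OUT permitted tcp 10.1.106.20(51234) -> 203.0.113.10(80), 7 packets
*Mar  3 10:20:03.001: %SEC-6-IPACCESSLOGP: list WEB-OUT denied tcp 10.1.106.33(40000) -> 203.0.113.10(23), 1 packet
"""

# One ACL log entry: list name, action, protocol, src(port) -> dst(port), packet count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
WEB_PORTS = {80: "http", 443: "https"}


def web_flows(log_text, acl):
    """Sum packets per (src, dst, service, action) for HTTP/HTTPS hits on one ACL.

    IOS logs the first matching packet, then periodic summaries with the number
    of packets seen since the previous message, so the counts are additive.
    """
    totals = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl:
            continue  # other syslog messages or other ACLs
        service = WEB_PORTS.get(int(m["dport"]))
        if m["proto"] != "tcp" or service is None:
            continue  # not HTTP/HTTPS
        totals[(m["src"], m["dst"], service, m["action"])] += int(m["count"])
    return totals


if __name__ == "__main__":
    flows = web_flows(SAMPLE_LOG, "WEB-OUT")
    for (src, dst, svc, action), pkts in sorted(flows.items()):
        print(f"{src} -> {dst} {svc}: {pkts} packet(s) {action}")
```

The `log` keyword sends matched packets through process switching, so keep the logged ACL entries as narrow as the test allows.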
Hi, and thanks for the replies.
I need to prove that a user's HTTP request (VLAN106) is being forwarded by our router to a VPLS circuit (VLAN105). The VPLS is maintained by a third party and I would like to prove that the packet is leaving our router OK.