11-09-2010 04:36 AM - edited 03-06-2019 01:57 PM
Hi there,
I have a remote Cisco 2811 router running IOS 12.3(8r)T7 with an HWIC-D-9ESW Fast Ethernet switch module in slot 3. All ports are configured as switchport access VLANs.
I need to capture HTTP and HTTPS traffic originating from VLAN105 and getting switched out VLAN106.
When I create an access list and debug the access list, I only see my ssh session packets on the vlan through which I am connected. How do I get a packet dump of traffic to and from other VLANs?
Thanks,
David
11-09-2010 09:07 AM
You could try the mirroring functionality. If you would like to use an application such as Wireshark with a Cisco switch, you have the option to “mirror” a port and, I believe, a VLAN (but I could be wrong). This functions the same as a network tap.
Type the following commands on your switch to enable this option:
Switch> en
Switch# conf t
Switch(config)# monitor session # source interface InterfaceName#/#
Switch(config)# monitor session # destination interface InterfaceName#/#
Session # (can be a numeric value such as 1, 2, 20, etc...)
Source or Destination Interface is the name of the interface followed by its number. Example: FastEthernet3/12
Source refers to the device you wish to monitor, and destination is the device that is running applications such as Ethereal.
To terminate the monitoring, type:
Switch> en
Switch# conf t
Switch(config)# no monitor session #
To view the current monitored sessions, type:
Switch> en
Switch# show monitor session all
11-09-2010 09:32 AM
Thanks ngthen,
The router is remote (in another Country) but I have SSH access to privileged exec.
Can I specify the logging buffer as the destination?
I'll have a look at the IOS commands you mentioned overnight.
Thanks again,
Dave.
11-09-2010 10:57 AM
Do you really need to capture the router? Or is it OK to get the IP addresses of the HTTP and HTTPS session?
Not sure if you can use the feature Router IP Traffic Export Packet Capture Enhancements:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html
If you do not need the actual packet, you can use NetFlow to collect the stats.
Alternatively, ACL with log option, so that the 2811 generates a syslog message.
If none of the above works, I think that you have to configure monitor session as suggested previously.
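The ACL-with-log option mentioned in the reply above makes the router emit %SEC-6-IPACCESSLOGP syslog lines, which can be read over SSH from the logging buffer. As an added example (not part of the original thread), this Python script tallies HTTP/HTTPS hits from such output; the ACL number 110, the addresses and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of logging-buffer output; ACL number, addresses and counts are invented.
SAMPLE_LOG = """\
*Nov 10 02:01:13.123: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 192.0.2.25(49152) -> 198.51.100.7(80), 1 packet
*Nov 10 02:01:14.870: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 192.0.2.25(49153) -> 198.51.100.7(443), 1 packet
*Nov 10 02:01:15.002: %SYS-5-CONFIG_I: Configured from console by vty0 (203.0.113.5)
*Nov 10 02:01:20.411: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 192.0.2.31(51000) -> 198.51.100.7(22), 1 packet
*Nov 10 02:06:13.500: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 192.0.2.25(49152) -> 198.51.100.7(80), 14 packets
*Nov 10 02:06:30.090: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.0.2.40(50100) -> 198.51.100.9(80), 3 packets
"""

# One ACL log entry: list, action, protocol, src(port) -> dst(port), packet count.
ACL_LINE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
WEB_PORTS = {80: "http", 443: "https"}


def web_flows(log_text, acl="110"):
    """Sum packets per (action, src, dst, service) for TCP 80/443 hits on one ACL."""
    totals = Counter()
    for line in log_text.splitlines():
        m = ACL_LINE.search(line)
        # Skip unrelated syslog messages, other ACLs and non-TCP entries.
        if not m or m["acl"] != acl or m["proto"] != "tcp":
            continue
        service = WEB_PORTS.get(int(m["dport"]))
        if service is None:
            continue  # not HTTP or HTTPS (e.g. the SSH management session)
        # Source ports are ignored so repeated log entries for one client add up.
        totals[(m["action"], m["src"], m["dst"], service)] += int(m["count"])
    return totals


if __name__ == "__main__":
    for (action, src, dst, service), packets in sorted(web_flows(SAMPLE_LOG).items()):
        print(f"{action:9} {src} -> {dst} {service:5} {packets} packets")
```

A "permitted" entry only shows that the ACL matched the packet on the interface and direction where it is applied, so the ACL placement decides what the tally proves.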
11-10-2010 02:08 AM
Hi, and thanks for the replies.
I need to prove that a user's HTTP request (VLAN106) is being forwarded by our router to a VPLS circuit (VLAN105). The VPLS is maintained by a third party and I would like to prove that the packet is leaving our router OK.
Thanks,
Dave.