04-20-2011 10:41 AM - edited 03-06-2019 04:43 PM
Hi all,
I'm struggling to export traffic on an interface to a Linux box on LAN running tcpdump (later an IDS).
I've been following the instructions at http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html but I get no traffic at all on the Linux box.
This is my config:
#sh ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface Vlan100
Export Interface GigabitEthernet0/0.5
Destination MAC address 0090.f584.33ad
bi-directional traffic export is on
Output IP Traffic Export Information Packets/Bytes Exported 21227/16802202
Packets Dropped 0
Sampling Rate one-in-every 1 packets
No Access List configured
Input IP Traffic Export Information Packets/Bytes Exported 45807/7652637
Packets Dropped 0
Sampling Rate one-in-every 1 packets
No Access List configured
Profile PROFILE is Active
GigabitEthernet0/0.5 has encapsulation dot1q 5
Debugging with "debug ip traffic-export events" shows "exported input packet" and "exported output packet" correctly.
If I choose to capture traffic on the router and export the pcap file to a wireshark station I have no problem. But I'd like to live capture traffic directly on the IDS.
Thanks in advance.
04-20-2011 12:23 PM
Hi,
Can you communicate with linux box from router?
Regards.
Alain.
04-20-2011 01:28 PM
Yes. I can ping the router from Linux and vice versa.
I've made a test, connecting the Linux box directly to G0/1 of the 3845, and export works as expected.
Is there something else I should do to get that traffic from Vlan100 to vlan 5 through g0/0.5?
04-21-2011 01:47 AM
Hi,
You should verify on each switch with SPAN if the traffic is correctly forwarded.
Have you verified that tcpdump has put the NIC in promiscuous mode?
Regards.
Alain.
04-22-2011 06:36 AM
OK, it worked.
I thought that, using traffic-monitor from the router, RSPAN wasn't necessary.
From the router I exported traffic toward the MAC address of interface vlan 5 on the first 3750 switch. Then I configured RSPAN using vlan5 to the second 3750, and finally I configured one Gigabit interface on the 2960 as the monitoring port.
Thanks man.
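A sensor-side check for the two points raised in the thread (is the NIC in promiscuous mode, and do frames addressed to the export destination MAC actually reach the Linux box), as an added example that is not part of any post. The function names are hypothetical, the flags text is assumed to be read from /sys/class/net/<iface>/flags, and the sample frames are constructed.

```python
import struct
from collections import Counter

IFF_PROMISC = 0x100  # Linux interface flag bit (linux/if.h)

def cisco_mac_to_bytes(mac: str) -> bytes:
    """Convert Cisco dotted notation (0090.f584.33ad) to 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw

def is_promiscuous(flags_text: str) -> bool:
    """flags_text: content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def summarize(frames, export_mac: str) -> dict:
    """Count frames sent to the export MAC and the 802.1Q VLAN IDs seen."""
    target = cisco_mac_to_bytes(export_mac)
    hits, truncated, vlans = 0, 0, Counter()
    for frame in frames:
        if len(frame) < 14:            # shorter than an Ethernet header
            truncated += 1
            continue
        (ethertype,) = struct.unpack("!H", frame[12:14])
        vlan = None                    # None means the frame arrived untagged
        if ethertype == 0x8100 and len(frame) >= 18:
            (tci,) = struct.unpack("!H", frame[14:16])
            vlan = tci & 0x0FFF        # low 12 bits of the tag are the VLAN ID
        vlans[vlan] += 1
        if frame[0:6] == target:
            hits += 1
    return {"to_export_mac": hits, "vlans": dict(vlans), "truncated": truncated}

# Constructed sample frames (not captured traffic): dst MAC, src MAC, type, payload.
_DST = cisco_mac_to_bytes("0090.f584.33ad")   # destination MAC from the post
_SRC = bytes.fromhex("020000000001")          # made-up source MAC
SAMPLE_FRAMES = [
    _DST + _SRC + b"\x08\x00" + b"\x00" * 46,                  # untagged IPv4
    _DST + _SRC + b"\x81\x00\x00\x05\x08\x00" + b"\x00" * 46,  # tagged, VLAN 5
    bytes.fromhex("ffffffffffff") + _SRC + b"\x08\x06" + b"\x00" * 46,  # ARP bcast
    b"\x00\x90\xf5",                                           # truncated frame
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES, "0090.f584.33ad"))
    print(is_promiscuous("0x1103"))
```

A count of zero for `to_export_mac` while the router's export counters keep increasing points at the switches in between rather than at the sensor.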