Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1989
Views
0
Helpful
4
Replies

ip traffic-export - SOLVED

Go to solution
bistevins
Level 1
Level 1

‎04-20-2011 10:41 AM - edited ‎03-06-2019 04:43 PM

Hi all,

I'm struggling to export traffic on an interface to a Linux box on LAN running tcpdump (later an IDS).

I'v been following instructions on http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html but I get no traffic at all on the linux box.

This is my config:

#sh ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface             Vlan100
        Export Interface                GigabitEthernet0/0.5
        Destination MAC address 0090.f584.33ad
        bi-directional traffic export is on
Output IP Traffic Export Information    Packets/Bytes Exported    21227/16802202
        Packets Dropped           0
        Sampling Rate             one-in-every 1 packets
        No Access List configured
Input IP Traffic Export Information     Packets/Bytes Exported    45807/7652637
        Packets Dropped           0
        Sampling Rate             one-in-every 1 packets
        No Access List configured
        Profile PROFILE is Active

GigabitEthernet0/0.5 has encapsulation dot1q 5

Debugging with "debug ip traffic-export events" shows "exported input packet" and "exported output packet" correctly.

If I choose to capture traffic on the router and export the pcap file to a wireshark station I have no problem. But I'd like to live capture traffic directly on the IDS.

Thanks in advance.

Labels:
Preview file
53 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to bistevins

‎04-21-2011 01:47 AM

Hi,

You should verify on each switch with SPAN if the traffic is correctly forwarded.

have you verified tcpdump  has put NIC in promiscuious mode?

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
cadet alain
VIP Alumni
VIP Alumni

‎04-20-2011 12:23 PM

Hi,

Can you communicate with linux box from router?

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
bistevins
Level 1
Level 1
In response to cadet alain

‎04-20-2011 01:28 PM

Yes. I can ping router from linux and vice.

I've made a test, connecting the linux box directly to G0/1 of 3845 and export works as expected.

There is something else I should do to get that traffic from Vlan100 to vlan 5 through g0/0.5?

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to bistevins

‎04-21-2011 01:47 AM

Hi,

You should verify on each switch with SPAN if the traffic is correctly forwarded.

have you verified tcpdump  has put NIC in promiscuious mode?

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
bistevins
Level 1
Level 1
In response to bistevins

‎04-22-2011 06:36 AM

OK, It worked.

I thought using traffic-monitor from router, RSPAN wasn't necessary.

From router I exported traffic toward mac-address of interface vlan 5 at first 3750 switch. Then configured RSPAN using vlan5 to second 3750 and finally I configured one Gigabit interface on 2960 as monitoring.

Thanks man.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card