Solved: traffic-export capturing only inbound traffic

colintaylor · ‎03-20-2013

Hi

We have a Cisco 2811 running ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.

I've tried traffic-export, but I cannot see any outbound traffic.

I'm guessing that this is due to the fact that the outbound SMPP traffic is not transit traffic as it is generated by the router itself.

Is there any way to capture the outbound traffic?

Thanks

Colin

Bilal Nawaz · ‎03-20-2013

Hi Colin,

Please see below

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/12-4/sec-ip-traff-export.html

Step 8

outgoing {access-list{standard | extended | named} | sample one-in-every packet-number}

Example:

Router(config-rite)# outgoing sample one-in-every 50

(Optional) Configures filtering for outgoing export traffic.

Note

If you issue this command, you must also issue the bidirectional command, which enables outgoing traffic to be exported. However, only routed traffic (such as passthrough traffic) is exported; that is, traffic that originates from the network device is not exported.

An option might be to plug in to a cisco switch and SPAN the port to an interface with a sniffer on it like wireshark?

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic4

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

Bilal Nawaz · ‎03-20-2013

Hi Colin,

Please see below

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/12-4/sec-ip-traff-export.html

Step 8

outgoing {access-list{standard | extended | named} | sample one-in-every packet-number}

Example:

Router(config-rite)# outgoing sample one-in-every 50

(Optional) Configures filtering for outgoing export traffic.

Note

If you issue this command, you must also issue the bidirectional command, which enables outgoing traffic to be exported. However, only routed traffic (such as passthrough traffic) is exported; that is, traffic that originates from the network device is not exported.

An option might be to plug in to a cisco switch and SPAN the port to an interface with a sniffer on it like wireshark?

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic4

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

colintaylor · ‎03-20-2013

Thanks Bilal.

Capturing externally was something I had considered as a fallback for half the problem.

The other issue is that the SMPP service also connects to a supplier over IPSEC - and that traffic is what we expect to be wrong. We would have to export the traffic that was router-generated, but that doesn't look possible.

cadet alain · ‎03-20-2013

Hi,

it is possible to get router-generated traffic with enhanced packet capture.

https://supportforums.cisco.com/docs/DOC-5799

Regards

Alain

Don't forget to rate helpful posts.

colintaylor · ‎03-21-2013

Thanks Alain

I tried this out on my test 1841 running c1841-advipservicesk9-mz.151-2.T4.bin, and it seems to work, with the exception that I can only view the dumps on the console, the IOS doesn't seem to support copying to TFTP etc for viewing in wireshark.

Then I tried it on the production router, a 2811 running c2800nm-itpk9-mz.124-15.SW9.bin. the "monitor capture" command suite is not available on that ISO. D'Oh!

Thanks for the input though, I learnt something new.

Colin