Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
700
Views
0
Helpful
6
Replies

traffic-export issues

danplacek
Level 4
Level 4

‎05-19-2011 08:48 AM - edited ‎03-21-2019 04:06 AM

I am trying to use traffic-export on a uc500 to troubleshoot some SIP issues. Using traffic-export in capture mode seems to work well -- but your limited by the amount of memory in the box; I would like to do some long-term logging.

To do this I set it up to export to a computer plugged into one of the switch ports. It seems to export all the traffic just fine... but my wireshark logs do not seem to have the correct IPs. (All RTP streams had the same IP even though there were multiple calls; and the IP in question doesn't even belong to our SIP carrier...)

Am I doing something wrong? Or does traffic-export tamper with the traffic before mirroring it?

config snippet below: (fa0/0 is WAN, fa0/1/2 is connected to my laptop)

ip traffic-export profile sw

  interface FastEthernet0/1/2

  bidirectional

  mac-address xxx.xxx.xxx.xxx

interface FastEthernet0/0

ip address 10.10.2.20 255.255.255.0

ip nat outside

ip virtual-reassembly in

ip traffic-export apply sw

load-interval 30

duplex auto

speed auto

EDIT:

Upon furthur analysis it appears that the traffic-export may not have even been working -- ALL of the RTP traffic was music on hold (though I'm not sure why this is being broadcast to the whole network nonstop???)

So I guess the real question is -- is it possible to export WAN traffic to a switch port? If it is, what is the proper method?

If it is NOT possible, what other solutions are there for more long term packet logging? (say a day or a weeks worth -- with the memory limitations you can really only capture a few minutes worth in capture mode)

Labels:
0 Helpful
6 Replies 6

danplacek
Level 4
Level 4

‎05-24-2011 06:14 AM

Any help?

SOMEONE has to have needed to do this before...

0 Helpful

Darren DeCroock
Level 4
Level 4
In response to danplacek

‎05-24-2011 07:46 AM

Daniel,

If you are troubleshooting SIP issues, you could enable the debugs you want, then send this information to a syslog server.  You will need to download a syslog server program, there are a few free ones out there.  Then configure the following on your UC500:

Router#configuration terminal
Router(config)#no logging console
Router(config)#no logging monitor
Router(config)#service timestamps log datetime msec localtime
Router(config)#service timestamps debug datetime msec localtime
Router(config)#service sequence-numbers
Router(config)#no logging rate-limit
Router(config)#no logging queue-limit
Router(config)#logging 192.168.10.88 
Router(config)#logging trap debug
Router(config)#exit

Router#write mem

Thank you,

Darren

0 Helpful

danplacek
Level 4
Level 4
In response to Darren DeCroock

‎05-24-2011 07:52 AM

Thanks for the info, unforunately I don't think it can really be applied to this issue. I am looking to do packet captures to troubleshoot SIP/RTP issues. As far as I know there aren't really any phone debug that give much useful information for that. I'm primarily interested in loss/jitter/delay type info.

I do packet captures quite regularly, however the problem is when an issue is intermittent. I can't sit around all day and babysit a capture -- I'd like to be able to just set it up and leave it for a day or more. When using traffic-export in "capture" mode you are limited by the amount of memory you have available on the system; but if I could get it to export to a switch port, I can log with a laptop and wireshark.

Thanks.

0 Helpful

Darren DeCroock
Level 4
Level 4
In response to danplacek

‎05-24-2011 07:58 AM

Daniel,

I don't know that I can help you with the "traffic-export" as I have not used that much.  But the easiest thing might be to just put a "dumb" hub right in front of the WAN interface on the UC500.  Connect your laptop to the hub, and capture the packets there...

Thank you,

Darren

0 Helpful

danplacek
Level 4
Level 4
In response to Darren DeCroock

‎05-24-2011 08:03 AM

While I agree that that would be the easiest solution -- taking down the customers WAN interface... twice -- isn't really acceptable.

While traffic-export is definitely more complicated -- it would be a very elegant way to do this. Thanks for your ideas though.

0 Helpful

Brandon Turpin
Cisco Employee
Cisco Employee
In response to danplacek

‎05-24-2011 08:43 AM

Hi Daniel,

While I typically use traffic-export in capture mode, it appears there is a way to forward the packets out an interface.  Here is a link that has information on configuing traffic-export to send traffic to an outgoing interface:


http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html#wp105143http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html#wp1051294

It looks like you configure the MAC address of the destination host and not ip address, so the 'collector' device probably should be local.  

Disclaimer:  I have not used traffic-export to forward traffic out, so am not familiar with how well it works.  It appears this is similar to mirroring a port 
and setting up a machine with Wireshark to capture the packets.

Thanks,

Brandon
0 Helpful
Customers Also Viewed These Support Documents