
Mailing List Archive: Cisco: NSP

tcpdump on ios?



mrz at velvet

Jan 11, 2008, 1:05 PM

Post #1 of 25 (12870 views)
Permalink
tcpdump on ios?

I'm trying to track down an issue and recall some method to watch
traffic going through a router based on an ACL. Can't recall the syntax
though.

help?
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


mcgrath at fas

Jan 11, 2008, 1:14 PM

Post #2 of 25 (12779 views)
Permalink
Re: tcpdump on ios? [In reply to]

debug ip packet - BE VERY CAREFUL with this one

matthew zeier wrote:
> I'm trying to track down an issue and recall some method to watch
> traffic going through a router based on an ACL. Can't recall the syntax
> though.
>
> help?


dcp at dcptech

Jan 11, 2008, 1:18 PM

Post #3 of 25 (12785 views)
Permalink
Re: tcpdump on ios? [In reply to]

Either Router IP Traffic Export (RITE)
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part30/h_rawip.htm

Or debug condition ? then the appropriate debugs such as debug ip packet or
interface.

David

--
http://dcp.dcptech.com


> -----Original Message-----
> From: cisco-nsp-bounces [at] puck
> [mailto:cisco-nsp-bounces [at] puck] On Behalf Of matthew zeier
> Sent: Friday, January 11, 2008 4:05 PM
> To: cisco-nsp [at] puck
> Subject: [c-nsp] tcpdump on ios?
>
>
> I'm trying to track down an issue and recall some method to watch
> traffic going through a router based on an ACL. Can't recall
> the syntax
> though.
>
> help?


masood at nexlinx

Jan 11, 2008, 1:19 PM

Post #4 of 25 (12788 views)
Permalink
Re: tcpdump on ios? [In reply to]

On a Juniper router you can use "monitor traffic interface". AFAIK with Cisco
you need to mirror a port and put it to some Linux or Windows box along with
packet sniffer tools (Ethereal, tcpdump and so on)...

Regards,
Masood Ahmad Shah


-----Original Message-----
From: cisco-nsp-bounces [at] puck
[mailto:cisco-nsp-bounces [at] puck] On Behalf Of matthew zeier
Sent: Saturday, January 12, 2008 2:05 AM
To: cisco-nsp [at] puck
Subject: [c-nsp] tcpdump on ios?


I'm trying to track down an issue and recall some method to watch
traffic going through a router based on an ACL. Can't recall the syntax
though.

help?


masood at nexlinx

Jan 11, 2008, 1:21 PM

Post #5 of 25 (12788 views)
Permalink
Re: tcpdump on ios? [In reply to]

Oh, don't use it on a production router with a high number of packets.

-----Original Message-----
From: cisco-nsp-bounces [at] puck
[mailto:cisco-nsp-bounces [at] puck] On Behalf Of Scott McGrath
Sent: Saturday, January 12, 2008 2:14 AM
To: matthew zeier
Cc: cisco-nsp [at] puck
Subject: Re: [c-nsp] tcpdump on ios?

debug ip packet - BE VERY CAREFUL with this one

matthew zeier wrote:
> I'm trying to track down an issue and recall some method to watch
> traffic going through a router based on an ACL. Can't recall the syntax
> though.
>
> help?


jason.plank at comcast

Jan 11, 2008, 1:32 PM

Post #6 of 25 (12787 views)
Permalink
Re: tcpdump on ios? [In reply to]

You can use debug ip packet and tie it to an access-list.

rtr-1-minn#debug ip packet ?
  <1-199>      Access list
  <1300-2699>  Access list (expanded range)
  detail       Print more debugging detail
  <cr>


--
Regards,

Jason Plank
CCIE #16560
e: jason.plank [at] comcast

-------------- Original message --------------
From: matthew zeier <mrz [at] velvet>

>
> I'm trying to track down an issue and recall some method to watch
> traffic going through a router based on an ACL. Can't recall the syntax
> though.
>
> help?


jason.plank at comcast

Jan 11, 2008, 1:33 PM

Post #7 of 25 (12773 views)
Permalink
Re: tcpdump on ios? [In reply to]

who asked for help with juniper? :)

--
Regards,

Jason Plank
CCIE #16560
e: jason.plank [at] comcast

-------------- Original message --------------
From: "Masood Ahmad Shah" <masood [at] nexlinx>

> On juniper router you can use " monitor traffic interface ". AFAK with Cisco
> you need to mirror a port and put it to some linux or windows box along with
> packet sniffer tools ether-real, tcpdump so and so...
>
> Regards,
> Masood Ahmad Shah
>
>
> -----Original Message-----
> From: cisco-nsp-bounces [at] puck
> [mailto:cisco-nsp-bounces [at] puck] On Behalf Of matthew zeier
> Sent: Saturday, January 12, 2008 2:05 AM
> To: cisco-nsp [at] puck
> Subject: [c-nsp] tcpdump on ios?
>
>
> I'm trying to track down an issue and recall some method to watch
> traffic going through a router based on an ACL. Can't recall the syntax
> though.
>
> help?


sthaug at nethelp

Jan 11, 2008, 1:38 PM

Post #8 of 25 (12775 views)
Permalink
Re: tcpdump on ios? [In reply to]

> On juniper router you can use " monitor traffic interface ". AFAK with Cisco
> you need to mirror a port and put it to some linux or windows box along with
> packet sniffer tools ether-real, tcpdump so and so...

"monitor traffic interface" will *not* show you traffic going through
the router, only traffic to and from the RE via that interface.

Steinar Haug, Nethelp consulting, sthaug [at] nethelp


masood at nexlinx

Jan 11, 2008, 1:59 PM

Post #9 of 25 (12787 views)
Permalink
Re: tcpdump on ios? [In reply to]

Router IP Traffic Export can be used only on switching platform, you can't
use with distributed platform; sniffing machine must be on same LAN and
should be in router arp table. Debug ip packet even using access-list
sometimes sucks. I strongly suggest, free up a switch port and attach a
machine to it the one running packet sniffer tool. Mirror router switch port
to sniffer machine and sniff whatever you want to.

Oh sorry for writing about Juniper; I was just working on it a while ago :)

Regards,
Masood Ahmad Shah

-----Original Message-----
From: cisco-nsp-bounces [at] puck
[mailto:cisco-nsp-bounces [at] puck] On Behalf Of David Prall
Sent: Saturday, January 12, 2008 2:19 AM
To: 'matthew zeier'; cisco-nsp [at] puck
Subject: Re: [c-nsp] tcpdump on ios?

Either Router IP Traffic Export (RITE)
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part30/h_rawip.htm

Or debug condition ? then the appropriate debugs such as debug ip packet or
interface.

David

--
http://dcp.dcptech.com


> -----Original Message-----
> From: cisco-nsp-bounces [at] puck
> [mailto:cisco-nsp-bounces [at] puck] On Behalf Of matthew zeier
> Sent: Friday, January 11, 2008 4:05 PM
> To: cisco-nsp [at] puck
> Subject: [c-nsp] tcpdump on ios?
>
>
> I'm trying to track down an issue and recall some method to watch
> traffic going through a router based on an ACL. Can't recall
> the syntax
> though.
>
> help?


gert at greenie

Jan 11, 2008, 2:16 PM

Post #10 of 25 (12780 views)
Permalink
Re: tcpdump on ios? [In reply to]

Hi,

On Fri, Jan 11, 2008 at 09:32:59PM +0000, jason.plank [at] comcast wrote:
> You can use debug ip packet and tie it to an access-list.
>
> rtr-1-minn#debug ip packet ?
> <1-199> Access list
> <1300-2699> Access list (expanded range)
> detail Print more debugging detail
> <cr>

Which is close to useless, as it will only show process switched traffic.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert [at] greenie
fax: +49-89-35655025 gert [at] net


jason.plank at comcast

Jan 11, 2008, 2:24 PM

Post #11 of 25 (12777 views)
Permalink
Re: tcpdump on ios? [In reply to]

Thanks for the commentary.

--
Regards,

Jason Plank
CCIE #16560
e: jason.plank [at] comcast

-------------- Original message --------------
From: Gert Doering <gert [at] greenie>


aaronis at people

Jan 11, 2008, 3:45 PM

Post #12 of 25 (12770 views)
Permalink
Re: tcpdump on ios? [In reply to]

Yes you will need to disable fast switching.

-----Original Message-----
From: cisco-nsp-bounces [at] puck
[mailto:cisco-nsp-bounces [at] puck] On Behalf Of Gert Doering
Sent: Saturday, January 12, 2008 7:17 AM
To: jason.plank [at] comcast
Cc: cisco-nsp [at] puck
Subject: Re: [c-nsp] tcpdump on ios?

Hi,

On Fri, Jan 11, 2008 at 09:32:59PM +0000, jason.plank [at] comcast wrote:
> You can use debug ip packet and tie it to an access-list.
>
> rtr-1-minn#debug ip packet ?
> <1-199> Access list
> <1300-2699> Access list (expanded range)
> detail Print more debugging detail
> <cr>

Which is close to useless, as it will only show process switched traffic.

gert
--
USENET is *not* the non-clickable part of WWW!

//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert [at] greenie
fax: +49-89-35655025
gert [at] net



richard.1.collins.ext at nsn

Jan 11, 2008, 3:54 PM

Post #13 of 25 (12765 views)
Permalink
Re: tcpdump on ios? [In reply to]

Isn't there some trick around this like putting "no ip route-cache"
under the interface to force the process switching. I suppose you only
want to do this for the short debugging time window.

-Rich


>> --------------------------------------------------------------------------
Hi,

On Fri, Jan 11, 2008 at 09:32:59PM +0000, jason.plank [at] comcast wrote:
> You can use debug ip packet and tie it to an access-list.
>
> rtr-1-minn#debug ip packet ?
> <1-199> Access list
> <1300-2699> Access list (expanded range)
> detail Print more debugging detail
> <cr>

Which is close to useless, as it will only show process switched
traffic.

gert
--
USENET is *not* the non-clickable part of WWW!

//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert [at] greenie
fax: +49-89-35655025
gert [at] net


karim.adel at gmail

Jan 11, 2008, 5:21 PM

Post #14 of 25 (12761 views)
Permalink
Re: tcpdump on ios? [In reply to]

If we are talking about hardware switching platforms then I believe it makes
sense that it will only sniff process switched traffic, so why is it useless
then?

IMHO, it is very difficult to design a router that will capture traffic
being hardware switched, am I correct?

On Jan 12, 2008 12:16 AM, Gert Doering <gert [at] greenie> wrote:

> Hi,
>
> On Fri, Jan 11, 2008 at 09:32:59PM +0000, jason.plank [at] comcast wrote:
> > You can use debug ip packet and tie it to an access-list.
> >
> > rtr-1-minn#debug ip packet ?
> > <1-199> Access list
> > <1300-2699> Access list (expanded range)
> > detail Print more debugging detail
> > <cr>
>
> Which is close to useless, as it will only show process switched traffic.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert [at] greenie
> fax: +49-89-35655025
> gert [at] net
>


will at harg

Jan 11, 2008, 5:55 PM

Post #15 of 25 (12739 views)
Permalink
Re: tcpdump on ios? [In reply to]

Kim Onnel wrote:
> if we are talking about hardware switching platforms then i believe it makes
> sense that it will only sniff process switched traffic, so why is it useless
> then?

In this case, they are talking about fast-switched and so forth on the
software routing platforms. Because the traffic isn't process switched,
it doesn't go through the same code.

> IMHO, it is very difficult to design a router that will capture traffic
> being hardware switched, am i correct?

Not really...

If it's being hardware (i.e. ASIC) switched you can use a hardware
replication engine (as used for multicast, etherchannels...) to
duplicate packets as required. i.e. - port mirroring. Push those packets
inside a vlan (RSPAN) or GRE tunnel (ERSPAN) and you have a fairly
flexible way to monitor traffic as required. This is, of course,
available on Cisco 6500/7600 platforms (ERSPAN requires PFC3B or greater).

On Juniper, you can match a firewall filter rule with an action
port-mirror. That can be a tunnel also (if you have M7i/Tunnel Services
PIC etc) for similar functionality. You can just log too.

All very handy - having the actual packet beats some vendor-specific
decoded output.

Will


tli at cisco

Jan 11, 2008, 6:25 PM

Post #16 of 25 (12734 views)
Permalink
Re: tcpdump on ios? [In reply to]

On Jan 11, 2008, at 5:21 PM, Kim Onnel wrote:

> IMHO, it is very difficult to design a router that will capture
> traffic
> being hardware switched, am i correct?


This is correct. What do you do with the data? Without dedicated
high bandwidth storage, there's no place for it to go.

Alternately, you can look at Lawful Intercept approaches, where
traffic is duplicated and not captured.

Tony



rdobbins at cisco

Jan 11, 2008, 6:54 PM

Post #17 of 25 (12743 views)
Permalink
Re: tcpdump on ios? [In reply to]

On Jan 12, 2008, at 10:25 AM, Tony Li wrote:

> This is correct. What do you do with the data? Without dedicated
> high bandwidth storage, there's no place for it to go.

6500 and 7600 have SPAN/RSPAN and copy/capture VACLs which merely
replicate the traffic, the collection system has to be directly
attached. There's also ERSPAN on Sup720 which can encapsulate the
sniffed traffic in GRE and ship it out layer-3, but one must be
careful to avoid the hall-of-mirrors effect (i.e., send it over the
DCN).

Flexible NetFlow, currently available in software-based routers
running T-train, allows one to grab header and/or payload data, and
then export it in NetFlow v9 format. I'm given to understand that the
major NetFlow analysis vendors are working to add support (no word yet
on open source tool support; anything which is v9-capable can collect
the flows, but then the tool must be able to interpret/sort on the
telemetry).

-----------------------------------------------------------------------
Roland Dobbins <rdobbins [at] cisco> // 408.527.6376 voice

Culture eats strategy for breakfast.

-- Ford Motor Company





gert at greenie

Jan 12, 2008, 5:04 AM

Post #18 of 25 (12723 views)
Permalink
Re: tcpdump on ios? [In reply to]

Hi,

On Sat, Jan 12, 2008 at 03:21:09AM +0200, Kim Onnel wrote:
> if we are talking about hardware switching platforms then i believe it makes
> sense that it will only sniff process switched traffic, so why is it useless
> then?

If you have process switched traffic, something is wrong with your
network setup. Some features just plain do not work without CEF (like
"MPLS"), others are horribly slow or cause insane amount of CPU load.

> IMHO, it is very difficult to design a router that will capture traffic
> being hardware switched, am i correct?

SPAN/RSPAN/ERSPAN exist and work very well :-)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert [at] greenie
fax: +49-89-35655025 gert [at] net


luan.m.nguyen at gmail

Jan 12, 2008, 7:42 AM

Post #19 of 25 (12735 views)
Permalink
Re: tcpdump on ios? [In reply to]

But on a simple router, to track down a problem for a few seconds...
no logging console
logging buffer xxxx debugging
no ip route-cache on interfaces
access-list to match or set interface condition
debug ip packet detail <access-list> (dump).

would do fine?

-lmn

On Jan 12, 2008 8:04 AM, Gert Doering <gert [at] greenie> wrote:

> Hi,
>
> On Sat, Jan 12, 2008 at 03:21:09AM +0200, Kim Onnel wrote:
> > if we are talking about hardware switching platforms then i believe it
> makes
> > sense that it will only sniff process switched traffic, so why is it
> useless
> > then?
>
> If you have process switched traffic, something is wrong with your
> network setup. Some features just plain do not work without CEF (like
> "MPLS"), others are horribly slow or cause insane amount of CPU load.
>
> > IMHO, it is very difficult to design a router that will capture traffic
> > being hardware switched, am i correct?
>
> SPAN/RSPAN/ERSPAN exit and work very well :-)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert [at] greenie
> fax: +49-89-35655025
> gert [at] net
>
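
The short debug window described in the post above, written out as one IOS session with the checks and cleanup around it. This is an added example, not part of the original thread; ACL number 199, interface FastEthernet0/0, the buffer size and the 192.0.2.10 / 198.51.100.20 addresses are assumptions chosen for illustration.

```cisco
! Added example. All values are constructed: ACL 199, FastEthernet0/0,
! 192.0.2.10 and 198.51.100.20 are assumptions, not from the thread.
!
! 0. Check CPU headroom first; process switching plus debug adds load.
show processes cpu
!
! 1. Keep debug output off the console and send it to the logging buffer.
configure terminal
 no logging console
 logging buffered 64000 debugging
!
! 2. Match as narrowly as possible: one flow, both directions.
 access-list 199 permit tcp host 192.0.2.10 host 198.51.100.20 eq 443
 access-list 199 permit tcp host 198.51.100.20 eq 443 host 192.0.2.10
!
! 3. Force process switching on the interface the flow crosses, because
!    debug ip packet only sees process-switched packets.
 interface FastEthernet0/0
  no ip route-cache
 end
!
! 4. Start the ACL-filtered debug, reproduce the problem, then stop it.
debug ip packet detail 199
! ... reproduce the problem for a few seconds ...
undebug all
!
! 5. Read the captured lines from the buffer.
show logging
!
! 6. Restore the normal switching path and console logging
!    (re-enable console logging only if it was enabled before).
configure terminal
 interface FastEthernet0/0
  ip route-cache
  ip route-cache cef
 exit
 logging console
 end
!
! 7. Confirm the interface is fast/CEF switching again.
show ip interface FastEthernet0/0 | include switching
```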


jason.plank at comcast

Jan 12, 2008, 10:09 AM

Post #20 of 25 (12746 views)
Permalink
Re: tcpdump on ios? [In reply to]

Kim,

Without a doubt a more practical way to capture traffic on a present day network would be by using one of the spanning techniques mentioned.

The point here really though is that somebody asked for the syntax of a command, and they got the help they were looking for. In a production environment, you probably would not want to look towards implementing the process switching technique for multiple reasons, which I'm sure you can find on www.cisco.com :).
--
Regards,

Jason Plank
CCIE #16560
e: jason.plank [at] comcast

-------------- Original message ----------------------
From: Gert Doering <gert [at] greenie>



blah blah blah blah


saku+cisco-nsp at ytti

Jan 12, 2008, 10:29 AM

Post #21 of 25 (12743 views)
Permalink
Re: tcpdump on ios? [In reply to]

On (2008-01-12 10:42 -0500), Luan Nguyen wrote:

> But on a simple router, to track down a problem for a few seconds...
> no logging console
> logging buffer xxxx debugging
> no ip route-cache on interfaces
> access-list to match or set interface condition
> debug ip packet detail <access-list> (dump).
>
> would do fine?

Since new CEF code in 12.2S, in software platforms using CEF
for switching you can debug CEF switched packets virtually
for free (as well as mirror, which was already mentioned
in the thread earlier). Debugging is not surprisingly 'debug ip cef packet
..'.

Thanks,
--
++ytti


aakhter at cisco

Jan 12, 2008, 12:30 PM

Post #22 of 25 (12725 views)
Permalink
Re: tcpdump on ios? [In reply to]

Hi Folks,

It really depends on what the intent is. If the intent is to track flows transiting the router, then these debug commands are (IMHO) not the best way. Eg, a problem with debug cef is going to be not all packets are CEF switched (eg PBR, MPLS). These are really meant to troubleshoot the specific switching/forwarding system(s)

I think the original poster was looking for only tracking of flows, not interested in payload gathering etc (so the tcpdump in the subject line might be conveying more than actually required). For that purpose, NetFlow should suffice.

For specifically creating pcap files on the router, IP router traffic export (RTE) has been mentioned. RTE can create pcap files on a remote tftp or locally (disk,usb etc). The limitation there is that it is only available on certain platforms and there it only captures TCP traffic. I'm trying to help prioritize the case for supporting non-TCP traffic so if there is solid interest please drop me an email.

SPAN and lawful intercept (LI) are also options providing you're on the right platform and an image that has LI.

Regards,

--
Aamer Akhter / aa [at] cisco
Ent & Commercial Systems, cisco Systems

> -----Original Message-----
> From: cisco-nsp-bounces [at] puck [mailto:cisco-nsp-
> bounces [at] puck] On Behalf Of Saku Ytti
> Sent: Saturday, January 12, 2008 1:30 PM
> To: cisco-nsp [at] puck
> Subject: Re: [c-nsp] tcpdump on ios?
>
> On (2008-01-12 10:42 -0500), Luan Nguyen wrote:
>
> > But on a simple router, to track down a problem for a few seconds...
> > no logging console
> > logging buffer xxxx debugging
> > no ip route-cache on interfaces
> > access-list to match or set interface condition
> > debug ip packet detail <access-list> (dump).
> >
> > would do fine?
>
> Since new CEF code in 12.2S, in software platforms using CEF
> for switching you can debug CEF switched packets virtually
> for free (as well as mirror, which was already mentioned
> in the thread earlier). Debugging is not surprisingly 'debug ip cef
> packet
> ..'.
>
> Thanks,
> --
> ++ytti


masood at nexlinx

Jan 13, 2008, 12:23 AM

Post #23 of 25 (12738 views)
Permalink
Re: tcpdump on ios? [In reply to]

Well, all in all Cisco needs to improve packet sniffing tools on their
platforms. What would you do if you come from Juniper and are used to using

jahil [at] jahi> monitor traffic detail interface em0 no-resolve print-ascii

Address resolution is OFF.
Listening on em0, capture size 1514 bytes

12:58:43.311620 In IP (tos 0x0, ttl 128, id 25379, offset 0, flags [none],
proto: UDP (17), length: 78) 192.168.10.101.137 > 192.168.10.255.137: UDP,
length 50
0x0000 ffff ffff ffff 0050 da36 e12f 0800 4500 .......P.6./..E.
0x0010 004e 6323 0000 8011 40c7 c0a8 0a65 c0a8 .Nc#....@....e..
0x0020 0aff 0089 0089 003a ec0a fc36 0110 0001 .......:...6....
0x0030 0000 0000 0000 2044 4244 4a44 4343 4f44 .......DBDJDCCOD
0x0040 4244 4744 4943 4f44 4244 4143 4f44 4244 BDGDICODBDACODBD
0x0050 4144 4443 4143 4100 0020 0001 ADDCACA.....


I strongly suggest an integrated tool to debug IP payloads (like tcpdump).
They also need to work on dependencies and only platform specific features,
why the heck I need to disable something to get another thing or I need to
buy a new router just for a feature :)

Also I suggest a feature such as "commit" and "rollback n" can really make
backing out of changes a no brainer.

Regards,
Masood Ahmad Shah



-----Original Message-----
From: cisco-nsp-bounces [at] puck
[mailto:cisco-nsp-bounces [at] puck] On Behalf Of Aamer Akhter
(aakhter)
Sent: Sunday, January 13, 2008 1:31 AM
To: Saku Ytti; cisco-nsp [at] puck
Subject: Re: [c-nsp] tcpdump on ios?

Hi Folks,

It really depends on what the intent is. If the intent is to track flows
transiting the router, then these debug commands are (IMHO) not the best
way. Eg, a problem with debug cef is going to be not all packets are CEF
switched (eg PBR, MPLS). These are really meant to troubleshoot the specific
switching/forwarding system(s)

I think the original poster was looking for only tracking of flows, not
interested in payload gathering etc (so the tcpdump in the subject line
might be conveying more than actually required). For that purpose, NetFlow
should suffice.

For specifically creating pcap files on the router, IP router traffic export
(RTE) has been mentioned. RTE can create pcap files on a remote tftp or
locally (disk,usb etc). The limitation there is that it is only available on
certain platforms and there it only captures TCP traffic. I'm trying to help
prioritize the case for supporting non-TCP traffic so if there is solid
interest please drop me an email.

SPAN and lawful intercept (LI) are also options providing you're on the
right platform and an image that has LI.

Regards,

--
Aamer Akhter / aa [at] cisco
Ent & Commercial Systems, cisco Systems

> -----Original Message-----
> From: cisco-nsp-bounces [at] puck [mailto:cisco-nsp-
> bounces [at] puck] On Behalf Of Saku Ytti
> Sent: Saturday, January 12, 2008 1:30 PM
> To: cisco-nsp [at] puck
> Subject: Re: [c-nsp] tcpdump on ios?
>
> On (2008-01-12 10:42 -0500), Luan Nguyen wrote:
>
> > But on a simple router, to track down a problem for a few seconds...
> > no logging console
> > logging buffer xxxx debugging
> > no ip route-cache on interfaces
> > access-list to match or set interface condition
> > debug ip packet detail <access-list> (dump).
> >
> > would do fine?
>
> Since new CEF code in 12.2S, in software platforms using CEF
> for switching you can debug CEF switched packets virtually
> for free (as well as mirror, which was already mentioned
> in the thread earlier). Debugging is not surprisingly 'debug ip cef
> packet
> ..'.
>
> Thanks,
> --
> ++ytti


karim.adel at gmail

Jan 13, 2008, 3:16 AM

Post #24 of 25 (12789 views)
Permalink
Re: tcpdump on ios? [In reply to]

Have you taken a look at IOS XR? It has stuff similar to the commit and
rollback and more.

Regards,
Kim

On Jan 13, 2008 10:23 AM, Masood Ahmad Shah <masood [at] nexlinx> wrote:

> Well, All in all Cisco needs to improve packet sniffing tools on their
> platforms. What would you do if you come from juniper and used to use
>
> jahil [at] jahi> monitor traffic detail interface em0 no-resolve print-ascii
>
> Address resolution is OFF.
> Listening on em0, capture size 1514 bytes
>
> 12:58:43.311620 In IP (tos 0x0, ttl 128, id 25379, offset 0, flags
> [none],
> proto: UDP (17), length: 78) 192.168.10.101.137 > 192.168.10.255.137: UDP,
> length 50
> 0x0000 ffff ffff ffff 0050 da36 e12f 0800 4500 .......P.6./..E.
> 0x0010 004e 6323 0000 8011 40c7 c0a8 0a65 c0a8 .Nc#....@....e..
> 0x0020 0aff 0089 0089 003a ec0a fc36 0110 0001 .......:...6....
> 0x0030 0000 0000 0000 2044 4244 4a44 4343 4f44 .......DBDJDCCOD
> 0x0040 4244 4744 4943 4f44 4244 4143 4f44 4244 BDGDICODBDACODBD
> 0x0050 4144 4443 4143 4100 0020 0001 ADDCACA.....
>
>
> I strongly suggest an integrated tool to debug IP payloads (like tcpdump).
> They also need to work on dependencies and only platform specific
> features,
> why the heck I need to disable something to get another thing or I need to
> buy a new router just for a feature :)
>
> Also I suggest a feature such as "commit" and "rollback n" can really make
> backing out of changes a no brainer.
>
> Regards,
> Masood Ahmad Shah
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces [at] puck
> [mailto:cisco-nsp-bounces [at] puck] On Behalf Of Aamer Akhter
> (aakhter)
> Sent: Sunday, January 13, 2008 1:31 AM
> To: Saku Ytti; cisco-nsp [at] puck
> Subject: Re: [c-nsp] tcpdump on ios?
>
> Hi Folks,
>
> It really depends on what the intent is. If the intent is to track flows
> transiting the router, then these debug commands are (IMHO) not the best
> way. E.g., a problem with debug cef is going to be that not all packets are
> CEF switched (e.g. PBR, MPLS). These are really meant to troubleshoot the
> specific switching/forwarding system(s).
>
> I think the original poster was looking for only tracking of flows, not
> interested in payload gathering etc (so the tcpdump in the subject line
> might be conveying more than actually required). For that purpose, NetFlow
> should suffice.
>
> For specifically creating pcap files on the router, IP router traffic
> export (RTE) has been mentioned. RTE can create pcap files on a remote tftp
> or locally (disk, usb etc). The limitation there is that it is only
> available on certain platforms and there it only captures TCP traffic. I'm
> trying to help prioritize the case for supporting non-TCP traffic so if
> there is solid interest please drop me an email.
>
> SPAN and lawful intercept (LI) are also options providing you're on the
> right platform and an image that has LI.
>
> Regards,
>
> --
> Aamer Akhter / aa [at] cisco
> Ent & Commercial Systems, cisco Systems
>
> > -----Original Message-----
> > From: cisco-nsp-bounces [at] puck [mailto:cisco-nsp-
> > bounces [at] puck] On Behalf Of Saku Ytti
> > Sent: Saturday, January 12, 2008 1:30 PM
> > To: cisco-nsp [at] puck
> > Subject: Re: [c-nsp] tcpdump on ios?
> >
> > On (2008-01-12 10:42 -0500), Luan Nguyen wrote:
> >
> > > But on a simple router, to track down a problem for a few seconds...
> > > no logging console
> > > logging buffer xxxx debugging
> > > no ip route-cache on interfaces
> > > access-list to match or set interface condition
> > > debug ip packet detail <access-list> (dump).
> > >
> > > would do fine?
> >
> > Since new CEF code in 12.2S, in software platforms using CEF
> > for switching you can debug CEF switched packets virtually
> > for free (as well as mirror, which was already mentioned
> > in the thread earlier). Debugging is not surprisingly
> > 'debug ip cef packet ..'.
> >
> > Thanks,
> > --
> > ++ytti


eninja at gmail

Feb 28, 2008, 2:37 PM

Post #25 of 25 (12609 views)
Permalink
Re: tcpdump on ios? [In reply to]

Matthew,

In the light of the overwhelming responses to this thread, it would have
helped if you volunteered additional useful info about your needs, e.g. your
platform type (the impact of monitoring traffic on a distributed platform, e.g.
GSR/HFR, differs tremendously from say a 2800), type of data you're looking
to track/capture/duplicate - IP header only or the full monty. All of these
would have helped keep this conversation on track, to the point and less of
a guesswork for everybody :-)

Either way, as you've seen below, your options are a function of your HW &
SW platform and they range from very simple, e.g. "show buffers [.{address
hex-address | failures | pool pool-name | {all | assigned | free | old |
input-interface interface-type interface-number} [pool pool-name]} [dump |
header | packet]]", to NetFlow, to the very complex like LI, in which case you
may be breaching your customers' right to privacy ;-)

/eninja
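
Added example, not part of any post in this thread: the thread contrasts tracking flows with gathering payload ("IP header only or the full monty"). This Python sketch decodes the `monitor traffic` hex dump quoted earlier and separates the fields a flow record would keep from what only the captured payload reveals. The function names are my own, and the NetBIOS decoding assumes the UDP/137 payload is a single name query.

```python
import struct

# Hex words copied from the "monitor traffic" dump quoted in this thread.
DUMP = """
ffff ffff ffff 0050 da36 e12f 0800 4500
004e 6323 0000 8011 40c7 c0a8 0a65 c0a8
0aff 0089 0089 003a ec0a fc36 0110 0001
0000 0000 0000 2044 4244 4a44 4343 4f44
4244 4744 4943 4f44 4244 4143 4f44 4244
4144 4443 4143 4100 0020 0001
"""

def ip_checksum_ok(header: bytes) -> bool:
    """A valid IPv4 header sums to 0xffff in one's-complement arithmetic."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def nbns_name(encoded: bytes):
    """Undo NetBIOS first-level encoding (each byte became two letters A..P)."""
    raw = bytes(((encoded[i] - 65) << 4) | (encoded[i + 1] - 65)
                for i in range(0, len(encoded), 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]  # (name, suffix byte)

def decode(dump: str) -> dict:
    frame = bytes.fromhex("".join(dump.split()))
    _, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    total_len, ident, ttl, proto = struct.unpack("!2xHH2xBB", ip[:10])
    if ethertype != 0x0800 or proto != 17 or total_len != len(frame) - 14:
        raise ValueError("expected one complete IPv4/UDP datagram")
    udp = frame[14 + ihl:]
    sport, dport, udp_len = struct.unpack("!HHH", udp[:6])
    payload = udp[8:udp_len]
    # What a flow record keeps: addresses, ports, protocol, size.
    flow = (".".join(map(str, ip[12:16])), sport,
            ".".join(map(str, ip[16:20])), dport, proto, total_len)
    result = {"src_mac": src.hex(":"), "ip_id": ident, "ttl": ttl,
              "ip_checksum_ok": ip_checksum_ok(ip), "flow": flow,
              "payload_len": len(payload)}
    # What only a payload capture shows: the NetBIOS name being queried.
    if dport == 137 and len(payload) >= 45 and payload[12] == 32:
        result["nbns_query"] = nbns_name(payload[13:45])
    return result

if __name__ == "__main__":
    for key, value in decode(DUMP).items():
        print(f"{key}: {value}")
```

The flow tuple matches the one-line summary in the dump; the queried name is visible only because the full 92-byte frame was captured.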








