how to monitor traffic going through a switch port


Al
Nov 18, 2009, 3:36:30 PM
Hi everyone,

I have been reading pages and pages of information on how to monitor
traffic on a cisco router, but it's all very confusing. Here is what I
am doing:

I telnet into my router
I enter privileged mode
I type "terminal monitor" so I can see the debug information

-- here's where I am stuck. I want to see all traffic that is exiting
port 24. I need to see source IP (which computer on my network sent
it) and Destination IP (wherever that is on the Web). Port 24 of my
router is connected to my firewall, and my firewall is connected to
the web. Port 24 does NOT have its own IP address.

I create access-list 123: "access-list 123 permit ip 192.168.111.0
0.0.0.255 any" where 192.168.111.0 is the subnet of all my PCs on my
network.

I then enter the command "debug ip packet 123"

Now I see ALL traffic, entering and exiting the router. How do I limit
the traffic I see to Port 24 ONLY? In the outbound direction only?

Thanks.

Doug McIntyre
Nov 18, 2009, 3:53:05 PM


What hardware exactly do you have?
You say router, and then you say switch. Cisco makes both, and the
answer is different for a router vs. a switch. Also, each major switch
line is different from one another on its capabilities.

Let alone the cases you get into with routers having switch
blades in them (but thankfully the category of switches with router
blades is very small, and almost all gone by now).

Unfortunately, you have to get the feel for where data is at, as some
commands act on things at layer-3 beyond the switch plane, and some
commands act on the switch plane before the routing/layer-3 level.


I.e. using access-lists on switch ports varies greatly for what is
supported across the different switch lines, and is most likely going
to log you at the point where all the traffic is converted to layer-3
in your hardware, not necessarily at the port level, depending on what
hardware you have. You are probably better off if you have a switch
(which is likely with something like port24), to SPAN/RSPAN the
traffic off to a dedicated sniffer box.

Al
Nov 18, 2009, 3:54:07 PM

Hi Doug,


Al
Nov 18, 2009, 3:57:16 PM
Hi Doug

Sorry for the ambiguity. I have a Cisco Layer 3 switch, series
3550, IOS Version 12.1(22)EA1a

Al

Morph
Nov 18, 2009, 5:23:16 PM
In the message
<96cf1123-99bc-41f7...@c3g2000yqd.googlegroups.com> Al
wrote:

| Hi Doug
|
| Sorry for the ambiguity. I have a Cisco Layer 3 switch, series
| 3550, IOS Version 12.1(22)EA1a

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

Doug McIntyre
Nov 20, 2009, 4:30:59 PM
Al <ber...@gmail.com> writes:
> Sorry for the ambiguity. I have a Cisco Layer 3 switch, series
>3550, IOS Version 12.1(22)EA1a

As a pure switch, the 3550's debug ip packet is only going to be able to
monitor L3 packets going upstream through the 'router plane' of the software.

To monitor just port 24, you'll have to use SPAN, which somebody else
posted the link to the docs on, as it's not possible to debug packets
on a port-by-port basis on a switch (unlike a router).

Al
Nov 20, 2009, 5:22:55 PM
Doug,

Thank you very much for the answer. If I could ask you one other
thing... It just so happens that port 24 is connected to my firewall,
and my firewall's IP is on a different subnet and Vlan:


L3 Switch
 __________________
|                  |
|  Vlan 111 ip     |
|  192.168.111.1   |
|                  |
|                  |_________Firewall____________WEB
|                  |         IP 192.168.222.2
|  Vlan 222 ip     |
|  192.168.222.1   |
|__________________|

All my users are on the 111 Subnet. When they communicate with the
outside world, their packets are switched from the 111 Vlan to the 222
Vlan. If I understand you correctly, I should be able to see the
traffic as it is switched from the 111 to the 222 vlan, and vice
versa. Am I correct, and if so, how do I debug this info?

tweety
Nov 21, 2009, 6:00:58 AM

Hi, with RSPAN and SPAN you can specify a source VLAN, so traffic from VLAN
111 can be lifted.

Hope this helps

Andrew

tg
Nov 21, 2009, 4:54:57 PM

"Al" <ber...@gmail.com> wrote in message
news:263c5d94-150b-4f45...@l2g2000yqd.googlegroups.com...

Al, I am only a beginner/amateur with Cisco routers, but I had the same
problem some time back and solved it using two simple monitor session
commands, e.g.:
router(config)# monitor session 1 source interface Fa(port number - this is
the port you want to monitor)
router(config)# monitor session 1 destination interface Fa(port number - to
this port you connect a PC running Wireshark)
All data traffic on the source port will now be sent to the destination
port, and you can watch and filter the traffic using Wireshark on the PC.
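
The two monitor session commands above, written out for the setup described
in this thread, as an added example (it is not from any of the posters and not
from Cisco's documentation). It assumes port 24 is FastEthernet0/24 (the
firewall uplink) and that the sniffer PC sits on FastEthernet0/8, the port
mentioned later in the thread; it also covers the VLAN-based source tweety
suggested. The "tx" keyword limits the copy to the outbound direction, which
is what the original question asked for.

```cisco
! Added example for a Catalyst 3550 (not the thread authors' own config).
! Assumed interfaces: Fa0/24 = firewall uplink, Fa0/8 = sniffer PC.
!
! Session 1: copy only frames LEAVING port 24 (tx = egress) to the sniffer.
configure terminal
 no monitor session 1
 monitor session 1 source interface FastEthernet0/24 tx
 monitor session 1 destination interface FastEthernet0/8
 end
!
! Alternative: mirror what arrives on the user VLAN (111) instead of one
! port. A session uses source ports or source VLANs, not both, so this
! replaces the source line above rather than adding to it.
configure terminal
 no monitor session 1
 monitor session 1 source vlan 111 rx
 monitor session 1 destination interface FastEthernet0/8
 end
!
! Confirm what the switch actually programmed (sources, direction, destination).
show monitor session 1
!
! Remove the mirror when the capture is finished; the destination port
! goes back to ordinary switching afterwards.
configure terminal
 no monitor session 1
 end
```

While a session is active the destination port is taken out of normal
switching: it carries only the mirrored copies, so the sniffer PC will not get
its usual LAN connectivity on that port, and "show monitor session 1" is the
place to check that the session and direction are what you intended. On the
sniffer side, the access-list from the first post (source 192.168.111.0/24 to
anywhere) corresponds to the Wireshark display filter
"ip.src == 192.168.111.0/24".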


Al
Nov 26, 2009, 8:16:09 AM
tg,

Thanks for the reply, I'm going to try that out.

I'm surprised that an external PC is required to view traffic passing
through the switch. Surely, there is a DEBUG command that could do
what I need. That way, an admin can monitor traffic passing through a
router or switch at a different physical location. I find it hard to
believe that today's technology requires a physical connection to a
device to see what's going on inside.

Al

Doug McIntyre
Nov 26, 2009, 11:10:03 AM

It's really not needed that much, and it would require a huge number of
resources on a box that is hardware dedicated to getting traffic in
and switched through quickly.

If you had such a feature, you'd have to be prepared to reduce
throughput on the hardware by many factors of 10 so that it could keep up.

Al
Nov 26, 2009, 11:20:32 AM
tg,

I tried your commands; as soon as I type "monitor session 1
destination interface Fa0/8" that port shuts down. The PC (using
Ethereal) I have connected to port 8 therefore sees no traffic at all.
Does Port 8 need to be configured in a specific way, i.e. spanning-tree
portfast, or switchport mode access, or some other command?

Al

alexd
Nov 26, 2009, 3:09:04 PM
Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, Al chose the
tried and tested strategy of:

> I'm surprised that an external PC is required to view traffic passing
> through the switch.

Netflow can be used to see a summary of traffic [ie not each individual packet],
but you would have to check the Feature Navigator to see if it's supported on
your platform.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEs...@ale.cx)
20:07:49 up 26 days, 3:27, 7 users, load average: 0.86, 0.98, 0.81
Plant food is a made up drug