akshay67

Can one monitor the data content passing through a Cisco router much in the same way you'd SPAN a port on a Cisco switch?

If so, how is this done? Just a high-level outline will be fine.

Cheers!

BazH

Turn on netflow and get yourself some software to read it

akshay67

Does Netflow allow you to read the packet payload?

BazH

Not as far as i'm aware, but if someone can enlighten me qoute "it resorts to compromises and heuristics"

Jeff Wiltshire

http://www.cisco.com/univercd/cc/td/...ol/nfwhite.htm

dsmith

Netflow is used mainly as it implies for monitoring flows. Source/Destination and Bandwidth. Often by Subnet rather than host addresses - for example for monitoring traffic usage between large parts of a company, between ISPs etc etc.

If you want to look in more detail at individual packets careful use of debug ip packet and access lists can help. It is extremely easy to overwhelm the router though. Some platforms (e.g. Cat 6K/MSFCs) hardware switch all but the initial packets so the routing engine wont see them. Forcing it to software switch every packet, so they can be inspected, can result in huge performance hits (to the point the network becomes unusable). Of course on low-use networks you may be get what you need this way

In short there is no way to "span" a router interface like you would a swicth port and copy all packets to a sniffer. If its a LAN port the best route is to simply span the source switch port if possible. In-line probes are also available for most LAN types. For true sniffing of a WAN port you'll need either a suitable in-line probe or something like the Agilent Advisor with relevant interfaces. Not Cheap, though I believe they can be hired.

Deano

[Edited by dsmith - 6/23/2003 9:45:18 PM]

David_Wallis

or just cheat and shove a hub and crossover cable in?

We do this when having to use our fluke to sniff packets on our routers.. (ok well our networks team do..)

David

carl

Assuming it's an Ethernet network you're trying to sniff. Would be a bit more difficult (and expensive) if you're trying to sniff an STM-64 POS interface.

dsmith -- I'm sure you know, but lots of Cisco boxes fall over due to the performance hit when you attempt to fast switch (route first packet, switch the rest). In fact if you want to get close to rated capacity then dCEF is the only way to do it -- it maintains a separate set of CEF tables that are populated from the routing table. IIRC the only CEF that GSRs do is dCEF.

[Edited by carl - 6/23/2003 11:05:23 PM]

SiCotty

Cat 6k now uses CEF switching as well.

Si

dsmith

I was indeed generalising fast switching with all other hardware switching types as getting in the way if your attempting to debug packets.

Cat6k pushes it so far into hardware that snmp stats for vlan interfaces are woefully inaccurate.

Deano