ScoobyNet.com - Subaru Enthusiast Forum

Monitoring data passing through a Cisco router

akshay67 23 June 2003 10:54 AM

Can one monitor the data content passing through a Cisco router much in the same way you'd SPAN a port on a Cisco switch?

If so, how is this done? Just a high-level outline will be fine.

Cheers!

BazH 23 June 2003 12:17 PM

Turn on netflow and get yourself some software to read it :)

akshay67 23 June 2003 02:21 PM

Does Netflow allow you to read the packet payload?

BazH 23 June 2003 03:55 PM

Not as far as I'm aware, but if someone can enlighten me :) quote "it resorts to compromises and heuristics"

Jeff Wiltshire 23 June 2003 04:30 PM

http://www.cisco.com/univercd/cc/td/...ol/nfwhite.htm

dsmith 23 June 2003 09:43 PM

Netflow is used mainly as it implies for monitoring flows. Source/Destination and Bandwidth. Often by Subnet rather than host addresses - for example for monitoring traffic usage between large parts of a company, between ISPs etc etc.

If you want to look in more detail at individual packets, careful use of debug ip packet and access lists can help. It is extremely easy to overwhelm the router though. Some platforms (e.g. Cat 6K/MSFCs) hardware switch all but the initial packets so the routing engine won't see them. Forcing it to software switch every packet, so they can be inspected, can result in huge performance hits (to the point the network becomes unusable). Of course on low-use networks you may get what you need this way.

In short there is no way to "span" a router interface like you would a switch port and copy all packets to a sniffer. If it's a LAN port the best route is to simply span the source switch port if possible. In-line probes are also available for most LAN types. For true sniffing of a WAN port you'll need either a suitable in-line probe or something like the Agilent Advisor with relevant interfaces. Not Cheap, though I believe they can be hired.

Deano

[Edited by dsmith - 6/23/2003 9:45:18 PM]
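
An added illustration of the point made in the post above (not part of the original thread, and not any poster's code): a parser for one NetFlow export datagram, assuming the version 5 format, which the thread does not specify. Each record carries addresses, ports, counters and prefix masks but no packet payload, and the masks allow totals per subnet pair; the function names and the sample datagram are constructed for this example.

```python
import ipaddress
import struct
from collections import Counter

# NetFlow v5 layout: 24-byte header followed by `count` 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Return the flow records of one NetFlow v5 export datagram as dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({  # every field is metadata; there is no payload field
            "src": ipaddress.ip_address(f[0]), "dst": ipaddress.ip_address(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return flows

def octets_by_subnet_pair(flows):
    """Sum bytes per (source subnet, destination subnet) using exported masks."""
    totals = Counter()
    for fl in flows:
        s = ipaddress.ip_network(f"{fl['src']}/{fl['src_mask']}", strict=False)
        d = ipaddress.ip_network(f"{fl['dst']}/{fl['dst_mask']}", strict=False)
        totals[(str(s), str(d))] += fl["octets"]
    return dict(totals)

def build_record(src, dst, pkts, octets, sport, dport, proto=6, mask=24):
    a = lambda ip: ipaddress.ip_address(ip).packed  # helper for sample data only
    return RECORD.pack(a(src), a(dst), a("0.0.0.0"), 1, 2, pkts, octets,
                       0, 0, sport, dport, 0, 0x18, proto, 0, 0, 0, mask, mask, 0)

# Constructed sample datagram (documentation addresses, not captured traffic).
SAMPLE = (HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0)
          + build_record("192.0.2.10", "198.51.100.5", 12, 9000, 40000, 80)
          + build_record("192.0.2.77", "198.51.100.9", 3, 180, 40001, 25))

if __name__ == "__main__":
    for pair, octets in octets_by_subnet_pair(parse_v5(SAMPLE)).items():
        print(pair, octets)
```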

David_Wallis 23 June 2003 09:50 PM

or just cheat and shove a hub and crossover cable in?

We do this when having to use our fluke to sniff packets on our routers.. (ok well our networks team do..)

David

carl 23 June 2003 11:02 PM

"or just cheat and shove a hub and crossover cable in?"

Assuming it's an Ethernet network you're trying to sniff. Would be a bit more difficult (and expensive) if you're trying to sniff an STM-64 POS interface.

dsmith -- I'm sure you know, but lots of Cisco boxes fall over due to the performance hit when you attempt to fast switch (route first packet, switch the rest). In fact if you want to get close to rated capacity then dCEF is the only way to do it -- it maintains a separate set of CEF tables that are populated from the routing table. IIRC the only CEF that GSRs do is dCEF.

[Edited by carl - 6/23/2003 11:05:23 PM]

SiCotty 24 June 2003 09:06 AM

Cat 6k now uses CEF switching as well.

Si

dsmith 24 June 2003 09:31 AM

I was indeed generalising fast switching with all other hardware switching types as getting in the way if you're attempting to debug packets.

Cat6k pushes it so far into hardware that SNMP stats for VLAN interfaces are woefully inaccurate.

Deano
