«

Hello -
Is there a way to copy packets between interfaces down a third interface for packet analysis?

For example, I have a router with Eth1, Eth0, and a VPN tunnel tun0. I want to copy all packets between eth1 and eth0 down tun0, where I have an IDS running...

Thanks
David

David Hill <> wrote:
> Hello -
> Is there a way to copy packets between interfaces down a third interface for packet analysis?

> For example, I have a router with Eth1, Eth0, and a VPN tunnel tun0. I want to copy all packets between eth1 and eth0 down tun0, where I have an IDS running...

> Thanks
> David

port monitor

--
The complexity of a weapon is inversely proportional to the IQ of
the weapon's operator.

In article <>,
David Hill <> wrote:
:Is there a way to copy packets between interfaces down a third interface for packet analysis?

:For example, I have a router with Eth1, Eth0, and a VPN tunnel tun0. I want to copy all packets between eth1 and eth0 down tun0, where I have an IDS running...

This feature is usually called "port span" or "port mirroring".
In Cisco parlance, the feature is SPAN or RSPAN, and it
is more associated with switches than with routers.

about:http://www.cisco.com/univercd/cc/td/...an.htm#xtocid1

I believe that this may be one of the rare instances in which
the Feature Navigator is wrong: it indicates support only on the
2600 and 3600 and 3700 series, but I find a large number of pages
describing configuring it for other models such as the 2950, 4000,
and 6000.

You might not be able to configure mirroring of just traffic
between two specified interfaces: normally you span a specific
interface, or span a VLAN, not traffic -between- two interfaces.
--
Live it up, rip it up, why so lazy?
Give it out, dish it out, let's go crazy, yeah!
-- Supertramp (The USENET Song)

On Mon, 21 Jul 2003 15:44:15 +0000, Walter Roberson wrote:

> I believe that this may be one of the rare instances in which
> the Feature Navigator is wrong: it indicates support only on the
> 2600 and 3600 and 3700 series, but I find a large number of pages
> describing configuring it for other models such as the 2950, 4000,
> and 6000.
>

probably due to 2600/3600/3700 being routers,
while 2950/4000/6000 are switches.

On Mon, 21 Jul 2003 09:29:37 -0400, David Hill wrote:

> Hello -
> Is there a way to copy packets between interfaces down a third interface for packet analysis?
>
> For example, I have a router with Eth1, Eth0, and a VPN tunnel tun0. I want to copy all packets between eth1 and eth0 down tun0, where I have an IDS running...
>
> Thanks
> David


PBR

In article < >,
Rik Bain <> wrote:
:On Mon, 21 Jul 2003 09:29:37 -0400, David Hill wrote:
:> Is there a way to copy packets between interfaces down a third interface for packet analysis?

BR

Rik, how would you use Policy Based Routing to take copies of data?

http://www.cisco.com/univercd/cc/td/...rt1/qcfpbr.htm

says that "All packets arriving on the specified interface matching the
match clauses will be subject to PBR" and that "Once the local router
finds a next hop and a usable interface, it routes the packet."

In other words, you can only send any particular packet to -one- interface
with PBR.
--
Scintillate, scintillate, globule vivific
Fain would I fathom thy nature specific.
Loftily poised on ether capacious
Strongly resembling a gem carbonaceous. -- Anon

Right on, then the other router will route it back. Reference Phrack
56, "things to do in ciscoland when you are dead". Not a good solution
IMO, but accomplishes the task at hand.

On Tue, 22 Jul 2003 01:46:42 -0500, Walter Roberson wrote:

> In article < >,
> Rik Bain <> wrote:
> :On Mon, 21 Jul 2003 09:29:37 -0400, David Hill wrote:
> :> Is there a way to copy packets between interfaces down a third interface for packet analysis?
>
> BR
>
> Rik, how would you use Policy Based Routing to take copies of data?
>
> http://www.cisco.com/univercd/cc/td/...rt1/qcfpbr.htm
>
> says that "All packets arriving on the specified interface matching the
> match clauses will be subject to PBR" and that "Once the local router
> finds a next hop and a usable interface, it routes the packet."
>
> In other words, you can only send any particular packet to -one- interface
> with PBR.