Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > how to monitor traffic going through a switch port

how to monitor traffic going through a switch port

Al
      11-18-2009
Hi everyone,

I have been reading pages and pages of information on how to monitor
traffic on a cisco router, but it's all very confusing. Here is what I
am doing:

I telnet into my router
I enter privileged mode
I type "terminal monitor" so I can see the debug information

-- here's where I am stuck. I want to see all traffic that is exiting
port 24. I need to see source IP (which computer on my network sent
it) and Destination IP (wherever that is on the Web). Port 24 of my
router is connected to my firewall, and my firewall is connected to
the web. Port 24 does NOT have its own IP address.

I create access-list 123: "access-list 123 permit ip 192.168.111.0
0.0.0.255 any" where 192.168.111.0 is the subnet of all my PCs on my
network.

I then enter the command "debug ip packet 123"

Now I see ALL traffic entering and exiting the router. How do I limit
the traffic I see to Port 24 ONLY? In the outbound direction only?

Thanks.
 
 
Doug McIntyre
      11-18-2009
Al <(E-Mail Removed)> writes:
>I have been reading pages and pages of information on how to monitor
>traffic on a cisco router, but it's all very confusing. Here is what I
>am doing:

>I telnet into my router
>I enter privileged mode
>I type "terminal monitor" so I can see the debug information

>-- here's where I am stuck. I want to see all traffic that is exiting
>port 24. I need to see source IP (which computer on my network sent
>it) and Destination IP (wherever that is on the Web). Port 24 of my
>router is connected to my firewall, and my firewall is connected to
>the web. Port 24 does NOT have its own IP address.

>I create access-list 123: "access-list 123 permit ip 192.168.111.0
>0.0.0.255 any" where 192.168.111.0 is the subnet of all my PCs on my
>network.

>I then enter the command "debug ip packet 123"

>Now I see ALL traffic entering and exiting the router. How do I limit
>the traffic I see to Port 24 ONLY? In the outbound direction only?


What hardware exactly do you have?
You say router, and then you say switch. Cisco makes both, and the
answer is different for a router vs. a switch. Also, each major switch
line is different from one another in its capabilities.

Let alone the cases you get into with routers having switch
blades in them (but thankfully the category of switches with router
blades is very small, and almost all gone by now).

Unfortunately, you have to get the feel for where the data is, as some
commands act on things at layer-3 beyond the switch plane, and some
commands act on the switch plane before the routing/layer-3 level.

I.e., using access-lists on switch ports varies greatly in what is
supported across the different switch lines, and is most likely going
to log you at the point where all the traffic is converted to layer-3
in your hardware, not necessarily at the port level, depending on what
hardware you have. You are probably better off, if you have a switch
(which is likely with something like port 24), to SPAN/RSPAN the
traffic off to a dedicated sniffer box.

 
 
Al
      11-18-2009

Hi Doug,
 
Al
      11-18-2009
Hi Doug

Sorry for the ambiguity. I have a Cisco Layer 3 switch, series
3550, IOS Version 12.1(22)EA1a

Al
 
 
Morph
      11-18-2009
In the message
<(E-Mail Removed)> Al
wrote:

| Hi Doug
|
| Sorry for the ambiguity. I have a Cisco Layer 3 switch, series
| 3550, IOS Version 12.1(22)EA1a

http://www.cisco.com/en/US/products/...8015c612.shtml
 
 
Doug McIntyre
      11-20-2009
Al <(E-Mail Removed)> writes:
> Sorry for the ambiguity. I have a Cisco Layer 3 switch, series
> 3550, IOS Version 12.1(22)EA1a


As a pure switch, the 3550 debug ip packet is going to only be able to
monitor L3 packets going upstream through the 'router plane' of the software.

To monitor just port 24, you'll have to use SPAN, which somebody else
posted the link to the docs on, as it's not possible to debug packets
on a port-by-port basis on a switch (unlike a router).

 
 
Al
      11-20-2009
Doug,

Thank you very much for the answer. If I could ask you one other
thing... It just so happens that port 24 is connected to my firewall,
and my firewall's IP is on a different subnet and Vlan:


L3 Switch
 __________________
|                  |
|  Vlan 111 ip     |
|  192.168.111.1   |
|                  |
|__________________|______Firewall______WEB
|                  |          IP
|  Vlan 222 ip     |     192.168.222.2
|  192.168.222.1   |
|__________________|

All my users are on the 111 Subnet. When they communicate with the
outside world, their packets are switched from the 111 Vlan to the 222
Vlan. If I understand you correctly, I should be able to see the
traffic as it is switched from the 111 to the 222 vlan, and vice
versa. Am I correct, and if so, how do I debug this info?
 
 
tweety
      11-21-2009
On Nov 20, 10:22 pm, Al <(E-Mail Removed)> wrote:
> Doug,
>
> Thank you very much for the answer. If I could ask you one other
> thing... It just so happens that port 24 is connected to my firewall,
> and my firewall's IP is on a different subnet and Vlan:
>
> L3 Switch
>  __________________
> |                  |
> |  Vlan 111 ip     |
> |  192.168.111.1   |
> |                  |
> |__________________|______Firewall______WEB
> |                  |          IP
> |  Vlan 222 ip     |     192.168.222.2
> |  192.168.222.1   |
> |__________________|
>
> All my users are on the 111 Subnet. When they communicate with the
> outside world, their packets are switched from the 111 Vlan to the 222
> Vlan. If I understand you correctly, I should be able to see the
> traffic as it is switched from the 111 to the 222 vlan, and vice
> versa. Am I correct, and if so, how do I debug this info?


Hi. With RSPAN and SPAN you can specify a source VLAN, so traffic from
VLAN 111 can be lifted.

Hope this helps

Andrew
 
 
tg
      11-21-2009

"Al" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

Al, I am only a beginner/amateur with Cisco routers but I had the same
problem some time back and solved it using two simple monitor session
commands, e.g.:
router(config)# monitor session 1 source interface Fa(port number - this is
the port you want to monitor)
router(config)# monitor session 1 destination interface Fa(port number - to
this port you connect a PC running Wireshark)
All data traffic on the source port will now be sent to the destination
port, and you can watch and filter the traffic using Wireshark on the PC.


 
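The two monitoring methods discussed in this thread, Doug's point that on the 3550 "debug ip packet 123" only sees packets that cross the router plane (and of those only the ones the ACL permits), and tg's SPAN session that copies a port to a sniffer port, modelled side by side. This is an added Python example, not code from the thread or from Cisco. The port-to-VLAN map, the host-to-port map, the documentation address 203.0.113.50 standing in for "the Web", and the sample packets are constructed assumptions; the ACL is the one Al posted, and the rx/tx/both direction of the SPAN source is modelled as the session's direction option.

```python
"""Model of which packets each monitoring method in the thread would show.

Added example, not code from the thread. The topology below (ports, VLANs,
hosts, sample packets) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology: ports 1-23 are access ports in VLAN 111, port 24 (to the
# firewall) is in VLAN 222; the switch's default route points at the firewall.
VLAN_OF_PORT = {port: 111 for port in range(1, 24)}
VLAN_OF_PORT[24] = 222
PORT_OF_HOST = {            # constructed: which port each known host sits behind
    "192.168.111.10": 5,
    "192.168.111.20": 6,
    "192.168.222.2": 24,    # the firewall
}
FIREWALL_PORT = 24          # default route next hop lives on port 24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress_port: int


@dataclass(frozen=True)
class AclEntry:
    """One line of an IOS extended ACL, e.g. 'permit ip 192.168.111.0 0.0.0.255 any'."""
    action: str      # "permit" or "deny"
    src: str         # base address, or "any"
    src_wild: str    # wildcard mask: a set bit means "don't care"
    dst: str
    dst_wild: str


def wildcard_match(addr, base, wild):
    """IOS wildcard-mask semantics (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for entry in acl:
        src_ok = entry.src == "any" or wildcard_match(src, entry.src, entry.src_wild)
        dst_ok = entry.dst == "any" or wildcard_match(dst, entry.dst, entry.dst_wild)
        if src_ok and dst_ok:
            return entry.action == "permit"
    return False


def egress_port(pkt):
    """Known local host -> its port; anything else follows the default route."""
    return PORT_OF_HOST.get(pkt.dst, FIREWALL_PORT)


def is_routed(pkt):
    """Inter-VLAN traffic crosses the router plane; intra-VLAN traffic is only switched."""
    return VLAN_OF_PORT[pkt.ingress_port] != VLAN_OF_PORT[egress_port(pkt)]


def debug_ip_packet_shows(pkt, acl):
    """Doug's point: on the 3550, 'debug ip packet <acl>' only sees packets that
    are routed between VLANs, and of those only the ones the ACL permits."""
    return is_routed(pkt) and acl_permits(acl, pkt.src, pkt.dst)


def span_shows(pkt, source_port, direction="both"):
    """tg's method: a SPAN session copies the source port's rx, tx or both
    directions to the destination port where Wireshark is attached."""
    rx = pkt.ingress_port == source_port
    tx = egress_port(pkt) == source_port
    return {"rx": rx, "tx": tx, "both": rx or tx}[direction]


# The thread's ACL: access-list 123 permit ip 192.168.111.0 0.0.0.255 any
ACL_123 = [AclEntry("permit", "192.168.111.0", "0.0.0.255", "any", "0.0.0.0")]

# Constructed sample packets; 203.0.113.50 stands in for a host on the Web.
SAMPLE = [
    Packet("192.168.111.10", "203.0.113.50", 5),    # user -> Web, leaves via port 24
    Packet("203.0.113.50", "192.168.111.10", 24),   # Web -> user, enters on port 24
    Packet("192.168.111.10", "192.168.111.20", 5),  # user -> user, same VLAN
    Packet("192.168.222.2", "192.168.111.10", 24),  # firewall itself -> user
]


def report(acl=ACL_123, span_port=24, span_direction="tx"):
    """Per sample packet: (src, dst, seen by debug, seen by SPAN on span_port)."""
    return [
        (p.src, p.dst, debug_ip_packet_shows(p, acl), span_shows(p, span_port, span_direction))
        for p in SAMPLE
    ]


if __name__ == "__main__":
    for src, dst, dbg, span in report():
        print(f"{src:>15} -> {dst:<15} debug={dbg!s:5} span_tx_24={span}")
```

Running it shows why the debug alone cannot answer Al's question: it reports the user-to-Web packet (routed, permitted) but stays silent on same-VLAN traffic entirely, and the Web-to-user return packet is dropped by the ACL because its source is not in 192.168.111.0/24, not because of port 24. The SPAN model with the tx direction on port 24 is the only view in the model that maps exactly onto "traffic exiting port 24".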
 
Al
      11-26-2009
tg,

Thanks for the reply, I'm going to try that out.

I'm surprised that an external PC is required to view traffic passing
through the switch. Surely, there is a DEBUG command that could do
what I need. That way, an admin can monitor traffic passing through a
router or switch at a different physical location. I find it hard to
believe that today's technology requires a physical connection to a
device to see what's going on inside.

Al
 