copy packets

Discussion in 'Cisco' started by David Hill, Jul 21, 2003.

  1. David Hill Guest

    Hello -
    Is there a way to copy packets between interfaces down a third interface for packet analysis?

    For example, I have a router with Eth1, Eth0, and a VPN tunnel tun0. I want to copy all packets between eth1 and eth0 down tun0, where I have an IDS running...

    Thanks
    David
     
    David Hill, Jul 21, 2003
    #1

  2. fugi Guest

    David Hill <> wrote:
    > Hello -
    > Is there a way to copy packets between interfaces down a third interface for packet analysis?


    > For example, I have a router with Eth1, Eth0, and a VPN tunnel tun0. I want to copy all packets between eth1 and eth0 down tun0, where I have an IDS running...


    > Thanks
    > David


    port monitor

    --
    The complexity of a weapon is inversely proportional to the IQ of
    the weapon's operator.
     
    fugi, Jul 21, 2003
    #2

  3. In article <>,
    David Hill <> wrote:
    :Is there a way to copy packets between interfaces down a third interface for packet analysis?

    :For example, I have a router with Eth1, Eth0, and a VPN tunnel tun0. I want to copy all packets between eth1 and eth0 down tun0, where I have an IDS running...

    This feature is usually called "port span" or "port mirroring".
    In Cisco parlance, the feature is SPAN or RSPAN, and it
    is more associated with switches than with routers.

    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/121_8aex/swconfig/span.htm#xtocid1

    I believe that this may be one of the rare instances in which
    the Feature Navigator is wrong: it indicates support only on the
    2600 and 3600 and 3700 series, but I find a large number of pages
    describing configuring it for other models such as the 2950, 4000,
    and 6000.

    You might not be able to configure mirroring of just traffic
    between two specified interfaces: normally you span a specific
    interface, or span a VLAN, not traffic -between- two interfaces.
    --
    Live it up, rip it up, why so lazy?
    Give it out, dish it out, let's go crazy, yeah!
    -- Supertramp (The USENET Song)
     
    Walter Roberson, Jul 21, 2003
    #3
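Added example, not from any poster in the thread: a local SPAN configuration of the kind the reply above describes, in Cisco IOS switch syntax. The interface names, VLAN number and session numbers are assumptions, and the second session assumes a platform that accepts VLAN sources.

```cisco
! Constructed example; interface names, VLAN 10 and session numbers are assumptions.
!
! Session 1: mirror one source interface, both directions, to the IDS port.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24
!
! Session 2: mirror a whole VLAN (received traffic only) to a second sensor port.
! Requires a platform that supports VLAN sources.
monitor session 2 source vlan 10 rx
monitor session 2 destination interface FastEthernet0/23
!
! Verify from privileged EXEC:
!   show monitor session 1
```

The source of a session is an interface or a VLAN, so narrowing the capture to traffic between two particular interfaces is left to filtering on the sensor.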
  4. Rik Bain Guest

    On Mon, 21 Jul 2003 15:44:15 +0000, Walter Roberson wrote:

    > I believe that this may be one of the rare instances in which
    > the Feature Navigator is wrong: it indicates support only on the
    > 2600 and 3600 and 3700 series, but I find a large number of pages
    > describing configuring it for other models such as the 2950, 4000,
    > and 6000.
    >


    probably due to 2600/3600/3700 being routers,
    while 2950/4000/6000 are switches.
     
    Rik Bain, Jul 22, 2003
    #4
  5. Rik Bain Guest

    On Mon, 21 Jul 2003 09:29:37 -0400, David Hill wrote:

    > Hello -
    > Is there a way to copy packets between interfaces down a third interface for packet analysis?
    >
    > For example, I have a router with Eth1, Eth0, and a VPN tunnel tun0. I want to copy all packets between eth1 and eth0 down tun0, where I have an IDS running...
    >
    > Thanks
    > David



    PBR
     
    Rik Bain, Jul 22, 2003
    #5
  6. In article <>,
    Rik Bain <> wrote:
    :On Mon, 21 Jul 2003 09:29:37 -0400, David Hill wrote:
    :> Is there a way to copy packets between interfaces down a third interface for packet analysis?

    :PBR

    Rik, how would you use Policy Based Routing to take copies of data?

    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm

    says that "All packets arriving on the specified interface matching the
    match clauses will be subject to PBR" and that "Once the local router
    finds a next hop and a usable interface, it routes the packet."

    In other words, you can only send any particular packet to -one- interface
    with PBR.
    --
    Scintillate, scintillate, globule vivific
    Fain would I fathom thy nature specific.
    Loftily poised on ether capacious
    Strongly resembling a gem carbonaceous. -- Anon
     
    Walter Roberson, Jul 22, 2003
    #6
  7. Rik Bain Guest

    Right on, then the other router will route it back. Reference Phrack
    56, "things to do in ciscoland when you are dead". Not a good solution
    IMO, but accomplishes the task at hand.

    On Tue, 22 Jul 2003 01:46:42 -0500, Walter Roberson wrote:

    > In article <>,
    > Rik Bain <> wrote:
    > :On Mon, 21 Jul 2003 09:29:37 -0400, David Hill wrote:
    > :> Is there a way to copy packets between interfaces down a third interface for packet analysis?
    >
    > :PBR
    >
    > Rik, how would you use Policy Based Routing to take copies of data?
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm
    >
    > says that "All packets arriving on the specified interface matching the
    > match clauses will be subject to PBR" and that "Once the local router
    > finds a next hop and a usable interface, it routes the packet."
    >
    > In other words, you can only send any particular packet to -one- interface
    > with PBR.
     
    Rik Bain, Jul 22, 2003
    #7
