how to monitor traffic going through a switch port

Discussion in 'Cisco' started by Al, Nov 18, 2009.

  1. Al

    Al Guest

    Hi everyone,

    I have been reading pages and pages of information on how to monitor
    traffic on a cisco router, but it's all very confusing. Here is what I
    am doing:

    I telnet into my router
    I enter privileged mode
    I type "terminal monitor" so I can see the debug information

    -- here's where I am stuck. I want to see all traffic that is exiting
    port 24. I need to see source IP (which computer on my network sent
    it) and Destination IP (wherever that is on the Web). Port 24 of my
    router is connected to my firewall, and my firewall is connected to
    the web. Port 24 does NOT have its own IP address.

    I create access-list 123: "access-list 123 permit ip 192.168.111.0
    0.0.0.255 any" where 192.168.111.0 is the subnet of all my PCs on my
    network.

    I then enter the command "debug ip packet 123"

    Now I see ALL traffic, entering and exiting the router. How do I limit
    the traffic I see to Port 24 ONLY? In the outbound direction only?

    Thanks.
     
    Al, Nov 18, 2009
    #1

  2. Al <> writes:
    >I have been reading pages and pages of information on how to monitor
    >traffic on a cisco router, but it's all very confusing. Here is what I
    >am doing:


    >I telnet into my router
    >I enter privileged mode
    >I type "terminal monitor" so I can see the debug information


    >-- here's where I am stuck. I want to see all traffic that is exiting
    >port 24. I need to see source IP (which computer on my network sent
    >it) and Destination IP (wherever that is on the Web). Port 24 of my
    >router is connected to my firewall, and my firewall is connected to
    >the web. Port 24 does NOT have its own IP address.


    >I create access-list 123: "access-list 123 permit ip 192.168.111.0
    >0.0.0.255 any" where 192.168.111.0 is the subnet of all my PCs on my
    >network.


    >I then enter the command "debug ip packet 123"


    >Now I see ALL traffic, entering and exiting the router. How do I limit
    >the traffic I see to Port 24 ONLY? In the outbound direction only?



    What hardware exactly do you have?
    You say router, and then you say switch. Cisco makes both, and the
    answer is different for a router vs. a switch. Also, each major switch
    line is different from one another on its capabilities.

    Let alone the cases you get into with routers having switch
    blades in them (but thankfully the category of switches with router
    blades is very small, and almost all gone by now).

    Unfortunately, you have to get the feel for where the data is, as some
    commands act on things at layer-3 beyond the switch plane, and some
    commands act on the switch plane before the routing/layer-3 level.


    I.e., using access-lists on switch ports varies greatly in what is
    supported across the different switch lines, and is most likely going
    to log you at the point where all the traffic is converted to layer-3
    in your hardware, not necessarily at the port level, depending on what
    hardware you have. You are probably better off, if you have a switch
    (which is likely with something like port 24), to SPAN/RSPAN the
    traffic off to a dedicated sniffer box.
     
    Doug McIntyre, Nov 18, 2009
    #2

  3. Al

    Al Guest

    Hi Doug,
     
    Al, Nov 18, 2009
    #3
  4. Al

    Al Guest

    Hi Doug

    Sorry for the ambiguity. I have a Cisco Layer 3 switch, series
    3550, IOS Version 12.1(22)EA1a

    Al
     
    Al, Nov 18, 2009
    #4
  5. Al

    Morph Guest

    Morph, Nov 18, 2009
    #5
  6. Al <> writes:
    > Sorry for the ambiguity. I have a Cisco Layer 3 switch, series
    >3550, IOS Version 12.1(22)EA1a


    As a pure switch, the 3550's debug ip packet is only going to be able to
    monitor L3 packets going upstream through the 'router plane' of the software.

    To monitor just port 24, you'll have to use SPAN, which somebody else
    posted the link to the docs on, as it's not possible to debug packets
    on a port-by-port basis on a switch (unlike a router).
     
    Doug McIntyre, Nov 20, 2009
    #6
  7. Al

    Al Guest

    Doug,

    Thank you very much for the answer. If I could ask you one other
    thing... It just so happens that port 24 is connected to my firewall,
    and my firewall's IP is on a different subnet and Vlan:


    L3 Switch
     __________________
    |                  |
    |   Vlan 111 ip    |
    |   192.168.111.1  |
    |                  |
    |__________________Firewall____________WEB
    |                  |  IP 192.168.222.2
    |   Vlan 222 ip    |
    |   192.168.222.1  |
    |__________________|

    All my users are on the 111 Subnet. When they communicate with the
    outside world, their packets are switched from the 111 Vlan to the 222
    Vlan. If I understand you correctly, I should be able to see the
    traffic as it is switched from the 111 to the 222 vlan, and vice
    versa. Am I correct, and if so, how do I debug this info?
     
    Al, Nov 20, 2009
    #7
  8. Al

    tweety Guest

    On Nov 20, 10:22 pm, Al <> wrote:
    > Doug,
    >
    >    Thank you very much for the answer. If I could ask you one other
    > thing... It just so happens that port 24 is connected to my firewall,
    > and my firewall's IP is on a different subnet and Vlan:
    >
    > L3 Switch
    > __________________
    > |                              |
    > |   Vlan 111 ip           |
    > |   192.168.111.1      |
    > |                              |
    > _________________Firewall____________WEB
    > |                              |                              IP
    > 192.168.222.2
    > |   Vlan 222 ip           |
    > |   192.168.222.1      |
    > |_________________|
    >
    > All my users are on the 111 Subnet. When they communicate with the
    > outside world, their packets are switched from the 111 Vlan to the 222
    > Vlan. If I understand you correctly, I should be able to see the
    > traffic as it is switched from the 111 to the 222 vlan, and vice
    > versa. Am I correct, and if so, how do I debug this info?


    Hi, with RSPAN and SPAN you can specify a source VLAN; traffic from VLAN
    111 can be lifted.

    Hope this helps

    Andrew
     
    tweety, Nov 21, 2009
    #8
  9. Al

    tg Guest

    "Al" <> wrote in message
    news:...

    Al, I am only a beginner/amateur with Cisco routers, but I had the same
    problem some time back and solved it using two simple monitor session
    commands, e.g.:
    router(config)# monitor session 1 source interface Fa(port number - this is
    the port you want to monitor)
    router(config)# monitor session 1 destination interface Fa(port number - to
    this port you connect a PC running Wireshark)
    All data traffic on the source port will now be sent to the destination
    port, and you can watch and filter the traffic using Wireshark on the PC.
     
    tg, Nov 21, 2009
    #9
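    The two monitor session commands above, written out for the ports named in this thread, as an added example (not tg's or Al's own configuration, and not taken from any Cisco document). It assumes the IOS hostname "Switch", that Al's uplink is FastEthernet0/24 and the sniffer PC sits on FastEthernet0/8, and it adds the tx keyword so only traffic leaving port 24 is copied, which is the "outbound direction only" part of the original question. The Wireshark filter in the comment is an assumption about how the capture will be narrowed on the PC, not something the thread states.

```cisco
! Added example: SPAN session on a Catalyst 3550, hostname "Switch" assumed.
! Source: port 24, transmit direction only (tx = frames leaving the switch
! on that port, i.e. traffic headed to the firewall). Use rx or both to widen it.
Switch# configure terminal
Switch(config)# monitor session 1 source interface FastEthernet0/24 tx
! Destination: port 8, where the PC running Wireshark/Ethereal is plugged in.
! A SPAN destination port carries only the mirrored copy; it no longer
! forwards normal switched traffic and does not take part in spanning tree,
! so the PC on it will not get an IP address or reach the network by itself.
Switch(config)# monitor session 1 destination interface FastEthernet0/8
Switch(config)# end
! Confirm the session is active and check which direction is being copied.
Switch# show monitor session 1
! On the PC, narrow the capture to Al's user subnet with the Wireshark
! display filter (assumed):  ip.src == 192.168.111.0/24
! Tear the session down when finished so port 8 returns to normal service.
Switch# configure terminal
Switch(config)# no monitor session 1
Switch(config)# end
```

    Because the mirrored copy is sent only to the destination port, the per-packet source and destination IP view Al asked for comes from the capture on the PC rather than from the switch console; the switch itself never filters by subnet in this setup.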
  10. Al

    Al Guest

    tg,

    Thanks for the reply, I'm going to try that out.

    I'm surprised that an external PC is required to view traffic passing
    through the switch. Surely, there is a DEBUG command that could do
    what I need. That way, an admin can monitor traffic passing through a
    router or switch at a different physical location. I find it hard to
    believe that today's technology requires a physical connection to a
    device to see what's going on inside.

    Al
     
    Al, Nov 26, 2009
    #10
  11. Al <> writes:
    >tg,
    > Thanks for the reply, I'm going to try that out.


    >I'm surprised that an external PC is required to view traffic passing
    >through the switch. Surely, there is a DEBUG command that could do
    >what I need. That way, an admin can monitor traffic passing through a
    >router or switch at a different physical location. I find it hard to
    >believe that today's technology requires a physical connection to a
    >device to see what's going on inside.


    It's really not needed that much, and it would require a huge number of
    resources on a box that is hardware dedicated to getting traffic in
    and switched through quickly.

    If you had such a feature, you'd have to be prepared to reduce
    throughput on the hardware by many factors of 10 so that it could keep up.
     
    Doug McIntyre, Nov 26, 2009
    #11
  12. Al

    Al Guest

    tg,

    I tried your commands; as soon as I type "monitor session 1
    destination interface Fa0/8" that port shuts down. The PC (using
    Ethereal) I have connected to port 8 therefore sees no traffic at all.
    Does Port 8 need to be configured in a specific way, i.e. spanning-
    tree portfast, or switchport mode access, or some other command?

    Al
     
    Al, Nov 26, 2009
    #12
  13. Al

    alexd Guest

    Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, Al chose the
    tried and tested strategy of:

    > I'm surprised that an external PC is required to view traffic passing
    > through the switch.


    Netflow can be used to see a summary of traffic [ie not each individual packet],
    but you would have to check the Feature Navigator to see if it's supported on
    your platform.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    20:07:49 up 26 days, 3:27, 7 users, load average: 0.86, 0.98, 0.81
    Plant food is a made up drug
     
    alexd, Nov 26, 2009
    #13
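    For the NetFlow summary alexd mentions, here is an added example of the classic NetFlow configuration on an IOS router that supports it; it is not from the thread, and the 3550 discussed above is not a platform that supports NetFlow, so it is shown for the router case only. The hostname "Router", the interface FastEthernet0/0 and the collector address 192.0.2.10 (a documentation-range address) are constructed placeholders.

```cisco
! Added example: per-flow accounting on an IOS router (assumed hostname "Router").
! Check the Feature Navigator for your platform and release first, as alexd says.
Router# configure terminal
! Enable flow caching on the interface whose traffic you want summarised.
! Older IOS uses "ip route-cache flow"; later releases spell it "ip flow ingress".
Router(config)# interface FastEthernet0/0
Router(config-if)# ip route-cache flow
Router(config-if)# exit
! Optional: export the flow records to a collector so they can be read remotely
! (collector address and UDP port are constructed placeholders).
Router(config)# ip flow-export version 5
Router(config)# ip flow-export destination 192.0.2.10 2055
Router(config)# end
! View the flow cache on the box itself: one line per flow (src/dst IP,
! ports, protocol, packet counts), not one line per packet.
Router# show ip cache flow
```

    This answers the remote-monitoring part of Al's question at the flow level: an admin at another site sees who talked to whom and how much, but still needs a SPAN capture for the actual packet contents.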
