SNMP dest ip:port monitoring and alarm w/4000 router?

Discussion in 'Cisco' started by joeblow, Jun 8, 2004.

  1. joeblow

    joeblow Guest

    Is it possible (using snmp maybe?) to monitor traffic coming into a
    4000 router and to ensure that traffic for a certain ip address(es) and
    dest port(s) is present and to send an event, or
    make a syslog entry or something when that dest-ip:dest-port traffic
    ceases?

    thanks
    joeblow, Jun 8, 2004
    #1

  2. In article <>,
    joeblow <> wrote:
    :Is it possible (using snmp maybe?) to monitor traffic coming into a
    :4000 router and to ensure that traffic for a certain ip address(es) and
    :dest port(s) is present and to send an event, or
    :make a syslog entry or something when that dest-ip:dest-port traffic
    :ceases?

    I don't believe you can do that using SNMP.

    You might be able to work something out around analyzing netflow
    logs.

    You could put a 'permit...log' ACL entry in for the desired traffic,
    and have your syslog server generate an alarm if one of the
    regular traffic summaries for that entry did not show up. That could
    take 5 minutes (by default), but the timing is adjustable.

    What you -probably- should be doing is SPAN'ing the traffic
    to an IDS-type tool (even if only home grown). I do not know at
    the moment whether the 4000 supports SPAN.

    --
    The image data is transmitted back to Earth at the speed of light
    and usually at 12 bits per pixel.
    Walter Roberson, Jun 8, 2004
    #2
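The 'permit...log' suggestion above, sketched as an added example that is not part of the original posts: a check the syslog server could run to flag windows in which no ACL hit for a given dest-ip:dest-port was logged. The log-line layout (ISO timestamp and hostname prefix), ACL number 110, the addresses, the 6-minute threshold and the name `find_silences` are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# IOS message produced by a 'permit ... log' ACL entry for TCP/UDP traffic.
# Assumed line layout: "<ISO timestamp> <host> <seq>: %SEC-6-IPACCESSLOGP: ..."
ACL_HIT = re.compile(
    r"^(?P<ts>\S+) \S+ .*%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) permitted "
    r"\w+ [\d.]+\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), \d+ packets?"
)

# Constructed sample log lines (not captured from a real router).
SAMPLE = """\
2004-06-08T12:00:05 rtr4000 101: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.1.1.5(5000) -> 10.2.2.9(162), 1 packet
2004-06-08T12:05:05 rtr4000 102: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.1.1.5(5000) -> 10.2.2.9(162), 41 packets
2004-06-08T12:06:10 rtr4000 103: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.1.1.7(1044) -> 10.2.2.9(80), 1 packet
2004-06-08T12:10:05 rtr4000 104: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.1.1.5(5000) -> 10.2.2.9(162), 38 packets
2004-06-08T12:24:00 rtr4000 105: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.1.1.5(5000) -> 10.2.2.9(162), 1 packet
""".splitlines()


def find_silences(lines, acl, dst, dport, start, now,
                  max_gap=timedelta(minutes=6)):
    """Return (from, to) pairs where no hit for dst:dport was logged
    for longer than max_gap inside the window [start, now].

    max_gap defaults to the 5-minute summary interval plus one minute
    of slack (an assumed margin; tune it to the router's setting).
    """
    hits = []
    for line in lines:
        m = ACL_HIT.match(line)
        if m and (m["acl"], m["dst"], int(m["dport"])) == (acl, dst, dport):
            hits.append(datetime.fromisoformat(m["ts"]))
    # Window edges count as marks so silence at the start or end is caught.
    marks = [start] + sorted(t for t in hits if start <= t <= now) + [now]
    return [(a, b) for a, b in zip(marks, marks[1:]) if b - a > max_gap]


if __name__ == "__main__":
    begin = datetime(2004, 6, 8, 12, 0, 0)
    end = datetime(2004, 6, 8, 12, 30, 0)
    for a, b in find_silences(SAMPLE, "110", "10.2.2.9", 162, begin, end):
        print(f"ALARM: no traffic to 10.2.2.9:162 between {a} and {b}")
```

An empty log yields a single silence covering the whole window, so a router that stops logging altogether also raises the alarm.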

  3. AnyBody43

    AnyBody43 Guest

    -cnrc.gc.ca (Walter Roberson) wrote
    > In article <>,
    > joeblow <> wrote:
    > :Is it possible (using snmp maybe?) to monitor traffic coming into a
    > :4000 router and to ensure that traffic for a certain ip address(es) and
    > :dest port(s) is present and to send an event, or
    > :make a syslog entry or something when that dest-ip:dest-port traffic
    > :ceases?
    >
    > I don't believe you can do that using SNMP.
    >
    > You might be able to work something out around analyzing netflow
    > logs.
    >
    > You could put a 'permit...log' ACL entry in for the desired traffic,
    > and have your syslog server generate an alarm if one of the
    > regular traffic summaries for that entry did not show up. That could
    > take 5 minutes (by default), but the timing is adjustable.
    >
    > What you -probably- should be doing is SPAN'ing the traffic
    > to an IDS-type tool (even if only home grown). I do not know at
    > the moment whether the 4000 supports SPAN.


    A home grown monitor would most likely be easy in Perl using
    windump (and winpcap).

    VBScript or any development system that allows external commands to
    be run and the output read by the program would be suitable.
    AnyBody43, Jun 10, 2004
    #3
