copy packets

Discussion in 'Cisco' started by David Hill, Jul 21, 2003.

  1. David Hill

    David Hill Guest

    Hello -
    Is there a way to copy packets between interfaces down a third interface for packet analysis?

    For example, I have a router with Eth1, Eth0, and a VPN tunnel tun0. I want to copy all packets between eth1 and eth0 down tun0, where I have an IDS running...

    Thanks
    David
     
    David Hill, Jul 21, 2003
    #1
  2. David Hill

    fugi Guest

    port monitor
     
    fugi, Jul 21, 2003
    #2
  3. :Is there a way to copy packets between interfaces down a third interface for packet analysis?

    :For example, I have a router with Eth1, Eth0, and a VPN tunnel tun0. I want to copy all packets between eth1 and eth0 down tun0, where I have an IDS running...

    This feature is usually called "port span" or "port mirroring".
    In Cisco parlance, the feature is SPAN or RSPAN, and it
    is more associated with switches than with routers.

    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/121_8aex/swconfig/span.htm#xtocid1

    I believe that this may be one of the rare instances in which
    the Feature Navigator is wrong: it indicates support only on the
    2600 and 3600 and 3700 series, but I find a large number of pages
    describing configuring it for other models such as the 2950, 4000,
    and 6000.

    You might not be able to configure mirroring of just traffic
    between two specified interfaces: normally you span a specific
    interface, or span a VLAN, not traffic -between- two interfaces.
     
    Walter Roberson, Jul 21, 2003
    #3
  4. David Hill

    Rik Bain Guest

    Probably due to 2600/3600/3700 being routers,
    while 2950/4000/6000 are switches.
     
    Rik Bain, Jul 22, 2003
    #4
  5. David Hill

    Rik Bain Guest


    PBR
     
    Rik Bain, Jul 22, 2003
    #5
  6. :> Is there a way to copy packets between interfaces down a third interface for packet analysis?

    :PBR

    Rik, how would you use Policy Based Routing to take copies of data?

    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm

    says that "All packets arriving on the specified interface matching the
    match clauses will be subject to PBR" and that "Once the local router
    finds a next hop and a usable interface, it routes the packet."

    In other words, you can only send any particular packet to -one- interface
    with PBR.
     
    Walter Roberson, Jul 22, 2003
    #6
  7. David Hill

    Rik Bain Guest

    Right on, then the other router will route it back. Reference Phrack
    56, "things to do in ciscoland when you are dead". Not a good solution
    IMO, but accomplishes the task at hand.
     
    Rik Bain, Jul 22, 2003
    #7