monitor traffic on port 2600 router

Discussion in 'Cisco' started by tg, Sep 4, 2009.

  1. tg

    tg Guest

    cisco 2651XM router
    IOS: c2600-adventerprisek9-mz.124-15.T8.bin

    I want to monitor live traffic on a network port and output it to a tftp
    syslog. The port is FastEthernet 1/14 but I'm only having partial success.
    I did:
    #debug int f1/14
    which seemed to go fine, and then I did:
    #logging on
    #logging (ip address of the pc running TFTP32)
    #logging trap debugging
    but I'm not getting a proper report in the syslog of the TFTP program. I'm
    getting bits of info but not the full monte. What command should I be
    thanks for any help.
    tg, Sep 4, 2009

  2. tg

    tg Guest

    additional info:
    the device I want to monitor is set to (connected to port
    f1/14) so I tried:
    #debug ip tcp packet address
    and got a bit more action but it's still not 'all' traffic.
    tg, Sep 5, 2009

  3. jimjim237

    jimjim237 Guest

    debug ip packet [detail]
    Dumps packets to the logging system
    *however* fast switched packets are not noticed

    So if you want to see all traffic you need to
    switch the router to do process switching.

    int x
    no ip route-cache
    (On the *input* interfaces at least I think
    but I would just put it on all relevant interfaces for the

    Of course this may reduce the performance of the router
    by 90% or so. i.e. to 10% of previous forwarding rate,
    or even worse. Of course debug will affect it further.

    Prepare for the router ceasing to function
    with deb ip pack. Even hang completely.

    You can use an access list to restrict the traffic
    that is dumped.

    deb ip pac 199 [det] - I seem to recall.
    access-l 199 ........

    Remember to record the config and to put the
    interfaces back the way they were when you are done.

    ip route-cache cef ! for example

    The latest greatest IOS has a capture facility in it like
    tcpdump or the pix/asa.

    Maybe 12.4.20T - not sure and have never tried it
    but it looks good. Think it can send traffic say via ftp
    to a server in pcap format, handy for wireshark:))
    All approximate.

    Good luck.
    jimjim237, Sep 5, 2009
  4. tg

    tg Guest

    thanks for your feedback and I'm making some progress.
    I tried the access-list thing by doing:
    #access-list 106 permit tcp any
    debug ip packet 106
    this produced a lot more action in the log but it seemed to include traffic
    from other ip's that had nothing to do with the device at What
    I ideally want is to see just traffic in and out of Perhaps
    I need to tweak the access-list but I'm not sure. Thanks for any further
    tg, Sep 6, 2009
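
The procedure discussed in this thread, written out end to end as an added example (not posted by any participant). The addresses 192.0.2.50 (monitored device) and 192.0.2.10 (syslog PC) and the interface FastEthernet0/0 are constructed placeholders; the thread's own addresses are not shown on the page.

```cisco
! Added example. Constructed values: 192.0.2.50 = monitored device,
! 192.0.2.10 = PC running the syslog server, FastEthernet0/0 = a routed
! interface the device's traffic crosses. Substitute your own.

! 1. Record the current interface settings so they can be restored.
show running-config interface FastEthernet0/0

configure terminal
 ! 2. Match only packets to or from the device, all IP protocols,
 !    one entry per direction.
 access-list 199 permit ip host 192.0.2.50 any
 access-list 199 permit ip any host 192.0.2.50
 ! 3. Send debug-level messages to the syslog server.
 logging on
 logging 192.0.2.10
 logging trap debugging
 ! 4. Force process switching on the interface so debug sees the
 !    packets (expect a large drop in forwarding rate).
 interface FastEthernet0/0
  no ip route-cache
 end

! 5. Debug only what ACL 199 permits, then confirm what is enabled.
debug ip packet 199 detail
show debugging

! 6. When finished: stop debugging and put the interface back to
!    whatever step 1 recorded (ip route-cache cef is one possibility).
undebug all
configure terminal
 interface FastEthernet0/0
  ip route-cache cef
 end
```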