What Cisco ISO Debug Commands to Use to Find Problem Packets MAC Address?

Discussion in 'Cisco' started by John L. Males, Mar 26, 2005.

  1. Hello,

    I am in need of some help. I have been receiving conflicting
    information between my ISP and a University network operations if
    packet IP addresses are forged or not for the GRE hits I am being DoS
    hit like. Someone I spoke with suggested I use the Cisco debug
    command to obtain the MAC address in the problem packets and then
    trace back with the MAC address to find the real source of this GRE
    attack I have had since 07 March 2005 at the rate of 6 hits a minute
    since 07 March 2005.

    An example of one of the hits I have been receiving since 07 March
    2005 is:

    Mar 26 03:23:28 192.168.1.21 235724: 310754: Mar 26 08:23:27.066 UTC:
    %SEC-6-IPACCESSLOGRP: list inbound-external-interface-108 denied gre
    xxx.xxx.xxx.xxx (Dialer1 ) -> yyy.yyy.yyy.yyy, 1 packet

    I am not a Cisco nor networking person. I am a technical type IT
    person. I have managed to learn what I needed of Cisco IOS on my own
    and internet ports and protocols to be able to configure the C2612 I
    have. The process was basically about 6 months in total.

    I have been searching the internet for 2 days now and so far I cannot
    find what IOS debug command to use to find the MAC address in the
    xxx.xxx.xxx.xxx packets arriving at my C2612. I have tried a few
    Cisco IOS commands and seen some strange IOS results as secondary
    consequence to the "debug ip packet [access-list] detail dump" and
    some related variants of this command.

    Can someone advise me what debug command(s) I use to obtain the MAC
    address for xxx.xxx.xxx.xxx packets arriving at my C2612? Can you
    explain the process with the commands step by step? Do I actually
    have to permit the packets of the xxx.xxx.xxx.xxx IP Address to obtain
    the MAC address in packets the C2612 is currently appearing to block?
    I have searched the Cisco IOS Debug Command Reference - Release 12.3
    to no avail to figure out what commands I need to do to effect finding
    the MAC address for the
    xxx.xxx.xxx.xxx IP Address packets arriving at my C2612.

    Can someone explain, as well, once I have the MAC address how I trace
    back to the source of the MAC address?

    I have given both the ISP and University since 07 March 2005 to address
    this issue in a convincing manner. Both are saying technical things
    that my non expert Cisco/Networking knowledge suggests is incomplete
    or incorrect. During my two days of searching about for the debug
    commands to use I discovered this GRE issue has more serious
    implications than I was aware of prior to 2 days ago.

    The "show version" of the router in case you need to know it is:


    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-ADVSECURITYK9-M), Version 12.3(6a),
    RELEASE SOFTWARE (fc4)
    Copyright (c) 1986-2004 by cisco Systems, Inc.
    Compiled Fri 02-Apr-04 19:17 by kellythw
    Image text-base: 0x80008098, data-base: 0x812D2F38

    ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

    Daisy uptime is 2 weeks, 4 days, 18 hours, 37 minutes
    System returned to ROM by power-on
    System restarted at 12:21:06 est Mon Mar 7 2005
    System image file is "flash:c2600-advsecurityk9-mz.123-6a.bin"


    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are
    unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be
    found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email
    to
    .

    cisco 2612 (MPC860) processor (revision 0x102) with 61440K/4096K bytes
    of memory.
    Processor board ID sssssssssss (nnnnnnnnnn)
    M860 processor: part number 0, mask 49
    Bridging software.
    X.25 software, Version 3.0.0.
    2 Ethernet/IEEE 802.3 interface(s)
    1 Token Ring/IEEE 802.5 interface(s)
    32K bytes of non-volatile configuration memory.
    16384K bytes of processor board System flash (Read/Write)

    Configuration register is 0x3922


    Any assistance would be most appreciated.


    Regards,

    John L. Males
    Willowdale, Ontario
    26 March 2005 07:59
    mailto:

    ==================================================================


    ***** Please BCC me in on any reply, not CC me.
    Two reasons, I am not on the Mailing List,
    and second I am suffering BIG time with SPAM
    from posting to mailing lists/Newsgroups.
    Instructions on real address at bottom.
    Thanks in advance. *****


    Please BCC me by replacing after the "@" as follows:
    TLD = The last three letters of the word "internet"
    Domain name = The first four letters of the word "software",
    followed by the first four letters of the word
    "homeless".
    My apologies in advance for the jumbled eMail address
    and request to BCC me, but SPAM has become a very serious
    problem. The eMail address in my header information is
    not a valid eMail address for me. I needed to use a valid
    domain due to ISP SMTP screen rules.


    "Boooomer ... Boom Boom, how are you Boom Boom"
    "Meoaaaawwwww, meoaaaaaawwww" as Boomer loudly announces
    intent Boomer is coming for attention
    Loved to knead arm and lick arm with Boomers very large
    tongue
    Able to catch, or at least hit, almost any object in flight
    within reach of front paws
    Boomer 1985 (Born), Adopted 04 September 1991
    04 September 1991 - 08 February 2000 18:50

    "How are you Mr. Sylvester?"
    "... Grunt Grunt" ... quick licks of nose
    Rolls over for pet and stomach rub when Dad arrives home
    and grunting
    Runs back and forth from study, tilts head as glowing green
    eyes stare for "attention please", grunts and meows,
    repeats run, tilt head and stare few times for good
    measure, grunts and meows
    Lays on floor just outside study to guard Dad
    Loved to groom Miss Mahogany, and let Mahogany cuddle beside
    Sylvester 1989 (estimated Born)
    Found in building mail area noon hour 09 February 1992
    09 February 1992 - 19 January 2003 23:25

    "Hello Miss Chicago 'White Sox', how are you 'Chico'?"
    "Grunt" (thank you) ... as put out food for Chicago
    "MEEEEEOOOOWWWW" So loud the world stops
    A very determined Miss "White Sox"
    AKA "Chico" ... Cheryl Crawford used as nickname
    Loved to chase kibble slid down hall floor,
    bat about and then eat
    Loved to hook paw in dish to toss out a single kibble
    at time, dart at as moved, then eat ... "Crunches"
    Chicago "White Sox", "Chico" August 1989 (born),
    adopted 04 February 1991
    05 October 2004 06:52 Quite "Grunts" ....
    as lay Chicago on bed for last time
    04 February 1991 - 05 October 2004 07:32


    John L. Males, Mar 26, 2005
    #1

  2. John L. Males

    Brad Guest

    MAC addresses are only locally significant as they will change from
    network to network as the traffic crosses the Internet. Unless the
    source of the packets is directly connected the MAC address will be of
    limited help.

    debug arp should provide you with what you need.

    WARNING: Be very careful in using debug commands on a critical router
    as they can produce a lot of output and the debug process runs with a
    high-priority PID.
     
    Brad, Mar 26, 2005
    #2
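An added example (not part of the thread and not code from either poster): the ACL log line quoted in the question can be parsed to see what it already records. It assumes the parenthesised field is the input interface followed by the source MAC, as IOS prints for ACL entries configured with `log-input`, and that repeat hits arrive as periodic summary lines whose packet counts must be summed; the addresses, MAC and extra lines in the sample are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the format of the line quoted in the question.
# Addresses are documentation ranges; the MAC is a documentation value.
SAMPLE_LOG = """\
Mar 26 03:23:28 192.168.1.21 235724: 310754: Mar 26 08:23:27.066 UTC: %SEC-6-IPACCESSLOGRP: list inbound-external-interface-108 denied gre 192.0.2.10 (Dialer1 ) -> 198.51.100.7, 1 packet
Mar 26 03:28:28 192.168.1.21 235731: 310761: Mar 26 08:28:27.066 UTC: %SEC-6-IPACCESSLOGRP: list inbound-external-interface-108 denied gre 192.0.2.10 (Dialer1 ) -> 198.51.100.7, 29 packets
Mar 26 03:33:28 192.168.1.21 235740: 310770: Mar 26 08:33:27.066 UTC: %SEC-6-IPACCESSLOGRP: list inbound-external-interface-108 denied gre 192.0.2.10 (Dialer1 ) -> 198.51.100.7, 30 packets
Mar 26 03:34:02 192.168.1.21 235741: 310771: Mar 26 08:34:01.512 UTC: %SEC-6-IPACCESSLOGRP: list inbound-internal-example denied gre 203.0.113.5 (Ethernet0/0 0000.5e00.5301) -> 198.51.100.7, 1 packet
Mar 26 03:34:05 192.168.1.21 235742: 310772: Mar 26 08:34:04.000 UTC: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# The syslog relay prefix is skipped; matching starts at the router's own
# timestamp (the one with fractional seconds).
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+) (?P<tz>\S+): "
    r"%SEC-6-IPACCESSLOGRP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\S+) "
    r"(?:\((?P<ifname>\S+) (?P<mac>[0-9a-f.]*)\) )?"   # absent without log-input
    r"-> (?P<dst>\S+), (?P<count>\d+) packets?"
)


def parse_hit(line, year=2005):
    """Return one ACL hit as a dict, or None for any other log line.

    The router timestamp carries no year, so the caller supplies one.
    """
    m = LINE_RE.search(line)
    if m is None:
        return None
    hit = m.groupdict()
    hit["count"] = int(hit["count"])
    hit["mac"] = hit["mac"] or None      # "(Dialer1 )" -> no MAC recorded
    hit["when"] = datetime.strptime(f"{year} {hit['ts']}", "%Y %b %d %H:%M:%S.%f")
    return hit


def summarize(lines, year=2005):
    """Sum packets per (source IP, input interface, MAC) and estimate a rate."""
    stats = {}
    for line in lines:
        hit = parse_hit(line, year)
        if hit is None:
            continue
        key = (hit["src"], hit["ifname"], hit["mac"])
        s = stats.setdefault(
            key, {"packets": 0, "first": hit["when"], "last": hit["when"]})
        s["packets"] += hit["count"]     # summary lines cover many packets
        s["first"] = min(s["first"], hit["when"])
        s["last"] = max(s["last"], hit["when"])
    for s in stats.values():
        minutes = (s["last"] - s["first"]).total_seconds() / 60
        s["per_minute"] = round(s["packets"] / minutes, 2) if minutes else None
    return stats


if __name__ == "__main__":
    for (src, ifname, mac), s in summarize(SAMPLE_LOG.splitlines()).items():
        print(src, ifname, mac or "no MAC", s["packets"], s["per_minute"])
```

On the constructed Dialer1 lines the MAC field parses as empty, while the Ethernet line carries a MAC that identifies only the adjacent device on that segment.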

  3. Hello Brad,

    Thanks for your reply.

    The "debug arp" was one of the commands I tried yesterday. It did
    not seem to produce any output. I had debug level logging on. I
    assume if my logging is to syslog I should see the results of the
    "debug arp" in my syslog entries. I believe no entries arrived in the
    syslog re the "debug arp". Would the "debug arp" log information for
    blocked addresses as well?


    Regards,

    John L. Males
    Willowdale, Ontario
    Canada
    26 March 2005 09:59


    ********** Reply Separator **********

    On (Sat) 2005-03-26 06:44:04 -0800
    Brad wrote in Message-ID:


    To: (none)
    From: "Brad" <>
    Cc: (none)
    Subject: Re: What Cisco ISO Debug Commands to Use to Find Problem
    Packets MAC Address?
    Date: 26 Mar 2005 06:44:04 -0800
    Newsgroup Reference: comp.dcom.sys.cisco

    John L. Males, Mar 26, 2005
    #3
  4. John L. Males

    Brad Guest

    debug out is sent to the console by default. How were you connected to
    the router telnet, aux, or the console?
     
    Brad, Mar 26, 2005
    #4
  5. Hi Brad,

    Thanks for your reply.

    I was connected via telnet. The output does not get routed to my
    syslog? I was led to believe in the examples I had seen of sample
    debug output that it was part of the message data, as in same data I
    am used to having directed to syslog. Not possible to direct to the
    syslog?


    Regards,

    John L. Males
    Willowdale, Ontario
    Canada
    26 March 2005 11:20
    mailto:


    ********** Reply Separator **********

    On (Sat) 2005-03-26 07:52:52 -0800
    Brad wrote in Message-ID:


    To: (none)
    From: "Brad" <>
    Cc: (none)
    Subject: Re: What Cisco ISO Debug Commands to Use to Find Problem
    Packets MAC Address?
    Date: 26 Mar 2005 07:52:52 -0800
    Newsgroup Reference: comp.dcom.sys.cisco

    John L. Males, Mar 26, 2005
    #5
  6. John L. Males

    Brad Guest

    debug should only be used for short periods of time for troubleshooting
    not on an extended basis so while syslog logging is possible it is not
    recommended.

    To get the debug output sent to your vty session instead of the console
    use the command "terminal monitor" in global configuration mode. This
    could produce a lot of debug output and may overwhelm your telnet
    session so be careful.
     
    Brad, Mar 26, 2005
    #6
  7. Hi Brad,

    Thanks for your reply.

    Just to clarify I was not looking to run the debug for this on a long or
    ongoing basis. I wanted the debug output sent to syslog so all of the
    supporting information is in one place for later historical reference
    if I need to reference the data again.

    My standard IOS configuration for logging is:

    logging exception 1024000
    logging buffered 1024000 informational
    logging limit 10000
    no logging console
    logging monitor informational
    logging cns-events informational
    logging trap informational

    logging facility local7
    logging host local.001.001.static
    logging host local.001.002.static


    I upped the exception and buffered to debug for this current IOS boot
    time via a telnet config change that will not be saved so is not in
    effect next IOS boot.


    Regards,

    John L. Males
    Willowdale, Ontario
    Canada
    26 March 2005 12:24
    mailto:


    ********** Reply Separator **********

    On (Sat) 2005-03-26 08:45:26 -0800
    Brad wrote in Message-ID:


    To: (none)
    From: "Brad" <>
    Cc: (none)
    Subject: Re: What Cisco ISO Debug Commands to Use to Find Problem
    Packets MAC Address?
    Date: 26 Mar 2005 08:45:26 -0800
    Newsgroup Reference: comp.dcom.sys.cisco

    John L. Males, Mar 26, 2005
    #7
  8. John L. Males

    Brad Guest

    To get the debug output sent to your syslog server use the command
    "logging host" in global configuration
    mode, where host is the name or ip address of the syslog server.
     
    Brad, Mar 26, 2005
    #8