If you just want to see IPs and ports, use debug ip packet detail with an access-list.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] [mailto:[email protected]] On Behalf Of Shawn H Mesiatowsky
Sent: Thursday, June 11, 2009 4:27 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] Packet capture on Router

Monitor Capture, new to 12.4(20)T, that's pretty cool. Very similar to ip traffic export. I noticed you cannot specify an interface when capturing process-switched packets. I assume that this captures any packets on any interface that is process switched?

Also, this goes back to the same problem I had with traffic-export. When viewing the capture, it is displayed in hex.

    5#show monitor capture buffer test dump

    20:02:25.899 UTC Jun 11 2009 : IPv4 Process : None Fa0/0
    6566F690:                   01005E00 00050014 69D87950          ..^.....iXyP
    6566F6A0: 080045C0 004C0131 00000159 C651AC10  ..E@.L.1...YFQ,.
    6566F6B0: 6501E000 00050201 002C0505 05050000  e.`......,......
    6566F6C0: 0000D182 00000000 00000000 0000FFFF  ..Q.............
    6566F6D0: FF00000A 12010000 FD                 ........}

    20:02:26.127 UTC Jun 11 2009 : IPv4 Process : None Fa0/1
    6566F690:                   01005E00 00050014 69D87951          ..^.....iXyQ
    6566F6A0: 080045C0 00500132 00000159 09279632  ..E@.P.2...Y.'.2
    6566F6B0: 3805E000 00050201 00300505 05050000  8.`......0......
    6566F6C0: 00003A14 00000000 00000000 0000FFFF  ..:.............
    6566F6D0: FF00000A 12010000 FD                 ........}

    20:02:32.835 UTC Jun 11 2009 : IPv4 Process : Fa0/1 None
    6566F690:                   01005E00 00050011 200ABD01          ..^..... .=.
    6566F6A0: 080045C0 00501291 00000159 F7C69632  ..E@.P.....YwF.2
    6566F6B0: 3806E000 00050201 00300606 06060000  8.`......0......
    6566F6C0: 00003A14 00000000 00000000 0000FFFF  ..:.............
    6566F6D0: FF00000A 12010000 FD                 ........}

Is there no other way to display a capture on a router? As an example, displaying a capture on a firewall displays the following:

    20:21:44.954464 001e.7a5c.7fc0 0015.634a.cfb9 0x0800 126: 1.1.26.164.27059 > 7.7.233.150.10001: udp 84 (ttl 127, id 19814)
    20:21:45.014769 001e.7a5c.7fc0 0015.634a.cfb9 0x0800 174: 1.1.26.164.39385 > 5.5.184.244.4500: udp 132 (ttl 127, id 20502)
    20:21:45.144630 0015.634a.cfb9 0012.d909.8750 0x0800 174: 5.5.184.244.4500 > 1.1.26.164.39385: [no cksum] udp 132 (ttl 110, id 13269)
    20:21:45.227298 001e.7a5c.7fc0 0015.634a.cfb9 0x0800 222: 1.1.26.164.39385 > 5.5.184.244.4500: udp 180 (ttl 127, id 20504)
    20:21:45.358303 0015.634a.cfb9 0012.d909.8750 0x0800 206: 5.5.184.244.4500 > 1.1.26.164.39385: [no cksum] udp 164 (ttl 110, id 13597)
    20:21:45.359341 001e.7a5c.7fc0 0015.634a.cfb9 0x0800 254: 1.1.26.164.39385 > 5.5.184.244.4500: udp 212 (ttl 127, id 20506)
    20:21:45.399072 001e.7a5c.7fc0 0015.634a.cfb9 0x0800 92: 1.1.26.164.142 > 4.4.4.4.137: udp 50 (ttl 127, id 3854)

I can easily see IPs and port numbers.

_____

From: Tyson Scott [mailto:[email protected]]
Sent: Thursday, June 11, 2009 11:11 AM
To: 'Shawn H Mesiatowsky'; [email protected]
Subject: RE: [OSL | CCIE_Security] Packet capture on Router

Here is an example configuration:

    monitor capture buffer pktrace1 size 256 max-size 128 circular
    monitor capture point ip process-switched ipsfa0/0 both
    monitor capture point associate ipsfa0/0 pktrace1
    monitor capture point start ipsfa0/0

To look at the packet capture on the router, issue the command:

    show monitor capture buffer pktrace1 dump

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Shawn H Mesiatowsky
Sent: Thursday, June 11, 2009 12:25 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Packet capture on Router

Is there a way to view a packet capture that was performed on a router using the ip traffic export command? The only way I have been able to view the trace is by uploading to a tftp server and viewing in wireshark. If I use the following commands:

    traffic-export interface fa0/1 copy flash:test.pcap
    more test.pcap

I can see the contents of the pcap file, but it is a binary file, so I just see the hex code for the file. Is there a command to export captured data into a text format? Will I be able to copy to a tftp server and view with wireshark in the actual lab? Is there a computer in the lab hooked up to the 3560 to perform a span in the lab and capture with wireshark?

I love the capture functionality on the firewalls, as you can view the contents of the capture right on the firewall itself. I guess you can also use a debug ip packet ACL command in the lab, or use net flow or ip accounting for troubleshooting, but nothing beats a packet capture!

Maybe my strategy is wrong as well. In the real world, I use captures to verify that packets are getting to where they are supposed to go. This is always my second step (first being to look at logs, especially on firewalls for denies). Should I train myself to rely less on captures?

Thanks for any advice!
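
Added example, not written by anyone in this thread: text pasted from "show monitor capture buffer ... dump" can be decoded off the router into one-line summaries like the firewall output quoted above. The names parse_dump and summarize belong to this example only; it assumes Ethernet II frames without a VLAN tag and the router's original column spacing (two or more spaces before the ASCII column).

```python
import re
import socket
import struct

# Constructed sample: the first record of the dump quoted in this thread,
# laid out with the router's column spacing (ASCII column after 2+ spaces).
SAMPLE = """\
20:02:25.899 UTC Jun 11 2009 : IPv4 Process : None Fa0/0
6566F690:                   01005E00 00050014 69D87950          ..^.....iXyP
6566F6A0: 080045C0 004C0131 00000159 C651AC10  ..E@.L.1...YFQ,.
6566F6B0: 6501E000 00050201 002C0505 05050000  e.`......,......
6566F6C0: 0000D182 00000000 00000000 0000FFFF  ..Q.............
6566F6D0: FF00000A 12010000 FD                 ........}
"""
HDR = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s")
ROW = re.compile(r"^[0-9A-Fa-f]{8}:\s+(.+)$")
PROTO = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 89: "ospf"}

def parse_dump(text):
    """Return [(timestamp, frame_bytes)] for each record in the dump text."""
    records = []
    for line in text.splitlines():
        hdr, row = HDR.match(line), ROW.match(line)
        if hdr:
            records.append((hdr.group(1), bytearray()))
        elif row and records:
            hexcol = re.split(r"\s{2,}", row.group(1))[0]  # drop ASCII column
            records[-1][1].extend(bytes.fromhex(hexcol.replace(" ", "")))
    return records

def summarize(frame):
    """One-line tcpdump-style summary of an Ethernet II / IPv4 frame."""
    ip = frame[14:]
    if frame[12:14] != b"\x08\x00" or len(ip) < 20:
        return "not IPv4 or truncated"
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, frag = struct.unpack("!HHH", ip[2:8])
    src = socket.inet_ntoa(bytes(ip[12:16]))
    dst = socket.inet_ntoa(bytes(ip[16:20]))
    # Ports exist only for TCP/UDP, in the first fragment, if captured.
    if ip[9] in (6, 17) and not frag & 0x1FFF and 20 <= ihl <= len(ip) - 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        src, dst = f"{src}.{sport}", f"{dst}.{dport}"
    name = PROTO.get(ip[9], f"proto {ip[9]}")
    return f"{src} > {dst}: {name} len {total_len} (ttl {ip[8]}, id {ident})"

if __name__ == "__main__":
    for ts, frame in parse_dump(SAMPLE):
        print(ts, summarize(frame))
```

The sample record decodes to an OSPF packet sent to 224.0.0.5; the captured frame is shorter than the IP total length, so only header fields are read.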
