Hi Mooney, Mike and Schoenwaelder:
Thanks a lot for your kind information. I am able to classify traffic now.

Regards,
Saif

On Tue, 19 Mar 2002, Mike Craik wrote:

>
> Date: Tue, 19 Mar 2002 22:40:10 +0000
> From: Mike Craik <[EMAIL PROTECTED]>
> To: Mohd Saifullah <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: [tcpdump-workers] help
>
> Mohd Saifullah wrote:
> >
> > I am trying to classify traffic of a switch by its interface wise. This
> > switch allows to monitor other ports by configuring it, i.e., the traffic
> > of other interfaces is captured by the monitored port. But the problem is
> > each packet is having actual source and destination hw addresses, not the
> > interface hw address. So how can I say that this packet has come from this
> > interface?
> >
>
> Hi,
> You should be able to ascertain this information by examining the
> switch's mac address table.
>
> For example, on a Cisco Cat2900 you could issue the following command -
>
> switchy#show mac-address-table
>
> Dynamic Address Count:                 6
> Secure Address Count:                  0
> Static Address (User-defined) Count:   0
> System Self Address Count:             49
> Total MAC addresses:                   55
> Maximum MAC addresses:                 8192
> Non-static Address Table:
> Destination Address  Address Type  VLAN  Destination Port
> -------------------  ------------  ----  --------------------
> 0002.b34b.xxxx       Dynamic          2  FastEthernet0/10
> 0050.dad5.xxxx       Dynamic          1  FastEthernet0/24
> 0050.dade.xxxx       Dynamic          1  FastEthernet0/17
> 0080.c7b1.xxxx       Dynamic          1  FastEthernet0/5
> 0800.208e.xxxx       Dynamic          1  FastEthernet0/1
> 0800.208e.xxxx       Dynamic          2  FastEthernet0/9
>
>
> How you enumerate this information will depend on the make/model of your
> switch.
>
> Cheers,
> Mike.
>

On Tue, 19 Mar 2002, Ryan Mooney wrote:

> You cannot do this with tcpdump/libpcap. What you may be able to do is
> to snarf the MAC address/port tables from the switch (most switches have
> them), and setup a lookup table to cross reference the MAC addr to a port.
> This probably wouldn't be too hard depending on your traffic rate. You can
> usually lookup the MAC Addr table on the switch with SNMP, the exact MIB
> entries may vary by vendor. If you cached them for about 5 minutes, that's
> probably fairly safe and probably won't hammer your switch too bad.
>
> Probably the easiest way is to store the data by MAC Addr and then have a
> continuous post process job classify the data by port. I'm thinking a two
> part process to account for the latency created by the mac-port lookup.
>

On Wed, 20 Mar 2002, Juergen Schoenwaelder wrote:

>
> Date: Wed, 20 Mar 2002 09:15:21 +0100
> From: Juergen Schoenwaelder <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: [tcpdump-workers] help
>
>
> >>>>> Mike Craik writes:
>
> Mike> switchy#show mac-address-table
>
> [...]
>
> Mike> How you enumerate this information will depend on the make/model
> Mike> of your switch.
>
> You can also grab scli <http://www.ibr.cs.tu-bs.de/projects/scli/>
> which supports the BRIDGE-MIB (which is supported by most bridges):
>
> $ scli -c "show bridge forwarding" myswitch
> PORT STATUS  ADDRESS           NAME  VENDOR
>    1 learned 00:04:dc:xx:xx:xx
>    1 learned 00:60:1d:xx:xx:xx foo
>    1 learned 00:80:c8:xx:xx:xx bar
>    2 learned 00:02:2d:xx:xx:xx
>
> Usually, the port number is the same as the interface number. There
> are additional scli commands that let you dive deeper into the details
> if you have to.
>
> /js
>
> --
> Juergen Schoenwaelder <http://www.informatik.uni-osnabrueck.de/schoenw/>
>
>

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
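
Added example (not part of the original thread, and not code from tcpdump, libpcap or scli): a sketch of the MAC-to-port lookup table suggested in the replies above, used to attribute frames seen on the monitor port to their ingress port. The table text, MAC addresses and frame tuples are constructed samples; keying on the MAC alone (ignoring VLAN) and the "unknown"/"ambiguous" buckets are assumptions of this sketch.

```python
import re
from collections import Counter

# Constructed sample in the layout of the "show mac-address-table" output quoted
# above (the thread masks the real addresses; these are made up).
SAMPLE_TABLE = """\
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0002.b34b.0a01       Dynamic          2  FastEthernet0/10
0050.dad5.0b02       Dynamic          1  FastEthernet0/24
0800.208e.0c03       Dynamic          1  FastEthernet0/1
0800.208e.0c03       Dynamic          2  FastEthernet0/9
"""
# Constructed frames as (src_mac, dst_mac, length), e.g. taken from a capture.
FRAMES = [
    ("00:50:da:d5:0b:02", "ff:ff:ff:ff:ff:ff", 60),
    ("0002.b34b.0a01", "00:50:da:d5:0b:02", 1514),
    ("00:50:DA:D5:0B:02", "0002.b34b.0a01", 100),
    ("00:11:22:33:44:55", "0002.b34b.0a01", 64),   # not in the table
    ("08:00:20:8e:0c:03", "0002.b34b.0a01", 200),  # learned on two ports
]

ROW = re.compile(r"^\s*((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\w+\s+\d+\s+(\S+)\s*$", re.I)

def norm_mac(mac):
    """Canonical form: 12 lowercase hex digits, whatever the separators were."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_mac_table(text):
    """Return {mac: port}; header and counter lines are skipped by the row regex."""
    table, ambiguous = {}, set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        mac, port = norm_mac(m.group(1)), m.group(2)
        if table.setdefault(mac, port) != port:
            ambiguous.add(mac)          # same MAC on two ports: do not guess
    for mac in ambiguous:
        table[mac] = "ambiguous"
    return table

def classify(frames, table):
    """Sum bytes per ingress port, keyed by each frame's source MAC."""
    per_port = Counter()
    for src, _dst, length in frames:
        per_port[table.get(norm_mac(src), "unknown")] += length
    return dict(per_port)
```

Frames whose source MAC has aged out of the switch table land in "unknown", so they can be re-classified after the next table refresh, as in the two-part process described above.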
