
Debugging to see traffic?


CorbinMyMan (Technical User), Feb 4, 2005
I'm somewhat new to the Cisco scene, but I can move my way around the IOS command interface. I have a question about debugging: I want to go in and see the traffic coming into and out of the router. Mainly because we used to have a machine outside the network act as an outside DNS server, but it is no longer required, yet I'm still seeing traffic (not sure if it's incoming or outgoing) looking for that DNS server's IP, even though nothing should be. I realized this when the internet on this network would get really slow, and every time it did I ran a SHOW IP ARP in the console, and it shows the Cisco waiting for a reply from the old DNS server's IP address. Here are the SHOW IP ARP results:

Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  x.x.x.209          -    mac.address.1   ARPA  FastEthernet0/0
Internet  x.x.x.211        233    mac.address.2   ARPA  FastEthernet0/0
Internet  x.x.x.210          0    mac.address.2   ARPA  FastEthernet0/0
Internet  x.x.x.213          0    Incomplete      ARPA

The .213 address is the old DNS server that I shut down because we don't need it anymore.

I just need to setup debugging so I can see where this traffic is coming from, whether it be a workstation inside the network, or an address outside.

I searched for the topic, but I couldn't find anything that monitors traffic.

Thanks guys!!
 
First of all, you have to be careful turning on debugging on a router. Routers tend to place a pretty high priority on debugging and can easily decide to stop doing other things, like routing, if they get too busy.

First, create an access list that will match the traffic you're looking for (access-list 101 ip permit any host <dns_server_ip> eq dns)

Next, turn off logging to the console. At the config prompt, type "no logging console". Debugging to the console is especially cpu-intensive. Avoid it.

Now make sure your router is actually logging those debug messages. At the config prompt, type "logging buffered debug". You also want to make sure you have a lot of buffer in which to store all those messages, so bump up the buffer space. At the config prompt, type "logging buffered 10000".

Now, at main prompt you need to turn on debugging with the command "debug ip packet 101". That will only log matches to access list 101. You can additionally add the "detail" keyword at the end if you need more information.

You can see the results of the debugging by typing "show log". Be sure to turn off debugging when you're done by typing "undebug all".

HTH,
John
 
Awesome!! I have a second router on another circuit with nothing behind it that I'll test on.

I'm gonna follow your suggestions... thanks!!
 
It should be noted that I made a typo in my sample access list, but you get the idea. :)
 
I'm kind of confused about what the line

access-list 101 ip permit any host <dns_server_ip> eq dns

means... what does the 101 mean?
 
Also, if I'm not debugging to the console, where do I find the debug results??

 
ok
show logging :)

here's the access list i made

access-list 101 permit ip any host xxx.xxx.xxx.212

Is that right? And why do I pick access-list 101? I noticed there were LOTS of them to pick from.
Is it just an identifier used to pick what to log?
 
OK, I got a log but I'm not sure what it's saying; there are a few IPs trying to hit .212 it seems. Here are some of the log lines:

00:49:12: IP: tableid=0, s=209.200.168.66 (Serial0/0:0), d=x.x.x.212 (FastEthernet0/0), routed via RIB
00:49:12: IP: s=209.200.168.66 (Serial0/0:0), d=x.x.x.212 (FastEthernet0/0), g=x.x.x.212, len 60, forward
00:49:12: IP: s=209.200.168.66 (Serial0/0:0), d=x.x.x.212 (FastEthernet0/0), len 60, encapsulation failed
00:51:11: IP: tableid=0, s=193.170.12.208 (Serial0/0:0), d=x.x.x.212 (FastEthernet0/0), routed via RIB
00:51:11: IP: s=193.170.12.208 (Serial0/0:0), d=x.x.x.212 (FastEthernet0/0), g=x.x.x.212, len 908, forward
00:51:11: IP: s=193.170.12.208 (Serial0/0:0), d=x.x.x.212 (FastEthernet0/0), len 908, encapsulation failed
00:53:30: IP: tableid=0, s=x.x.x.x (Serial0/0:0), d=x.x.x.212 (FastEthernet0/0), routed via RIB

I'm not familiar with any of these IPs.
 
The "101" is just an identifier for your access list. It has no significance beyond that.

In the debugs, "s=" is the source of a packet, and "d=" is the destination, but I think you figured that out. Perhaps you should try adding the "detail" keyword and see if it shows you a bit more. Right now, all you know is that those particular IP addresses are trying to access x.x.x.212, but you don't know what port they're trying to access, in particular.
 
How can I clear the current log? Not disable debugging, just clear the log?
 
With detail on I get this.
What are the g, type and code?

01:19:32: IP: s=64.231.129.221 (Serial0/0:0), d=x.x.x.212 (FastEthernet0/0), g=x.x.x.212, len 60, forward
01:19:32: ICMP type=8, code=0
01:19:32: IP: s=64.231.129.221 (Serial0/0:0), d=x.x.x.212 (FastEthernet0/0), len 60, encapsulation failed
01:19:32: ICMP type=8, code=0
01:19:33: IP: tableid=0, s=64.231.129.221 (Serial0/0:0), d=x.x.x.212 (FastEthernet0/0), routed via RIB
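As an added example that is not part of the thread, a small Python parser for the "debug ip packet ... detail" lines quoted in this post and the earlier one: it attaches each ICMP/UDP detail line to the IP line before it and summarises, per source address, which interface the packets came in on and how the router disposed of them. The sample log is constructed; 10.0.0.212 stands in for the thread's x.x.x.212, and the 192.0.2.77 source on FastEthernet0/1 is made up.

```python
import re
from collections import Counter, defaultdict
# Constructed sample modelled on the "debug ip packet 101 detail" output quoted above; 10.0.0.212
# stands in for the thread's x.x.x.212, and the 192.0.2.77 / FastEthernet0/1 source is invented.
SAMPLE_LOG = """\
01:19:32: IP: s=64.231.129.221 (Serial0/0:0), d=10.0.0.212 (FastEthernet0/0), g=10.0.0.212, len 60, forward
01:19:32: ICMP type=8, code=0
01:19:32: IP: s=64.231.129.221 (Serial0/0:0), d=10.0.0.212 (FastEthernet0/0), len 60, encapsulation failed
01:19:32: ICMP type=8, code=0
01:19:33: IP: tableid=0, s=64.231.129.221 (Serial0/0:0), d=10.0.0.212 (FastEthernet0/0), routed via RIB
01:21:05: IP: s=192.0.2.77 (FastEthernet0/1), d=10.0.0.212 (FastEthernet0/0), len 71, encapsulation failed
01:21:05: UDP src=2049, dst=53
"""

# An "IP:" line: optional tableid, s=<src> (<ingress if>), d=<dst> (<egress if>), optional g=/len, then the disposition.
IP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): IP: (?:tableid=\d+, )?s=(?P<src>\S+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>\S+) \((?P<out_if>[^)]+)\),(?: g=\S+,)?(?: len (?P<len>\d+),)? (?P<action>.+)$"
)
# With "detail", IOS prints a protocol line right after the IP line, e.g. "ICMP type=8, code=0".
PROTO_RE = re.compile(r"^\d\d:\d\d:\d\d: (?P<proto>ICMP|UDP|TCP) (?P<fields>.+)$")

def parse_debug_log(text):
    # One dict per IP line; the protocol detail line is attached to the record before it.
    records = []
    for line in text.splitlines():
        if m := IP_RE.match(line):
            rec = m.groupdict()
            rec["proto"], rec["detail"] = None, {}
            records.append(rec)
        elif (m := PROTO_RE.match(line)) and records:
            records[-1]["proto"] = m["proto"]
            records[-1]["detail"] = dict(kv.split("=") for kv in m["fields"].split(", "))
    return records

def summarize(records):
    # Per source: ingress interface(s), how the router disposed of its packets, protocol detail seen.
    out = defaultdict(lambda: {"in_if": set(), "actions": Counter(), "protos": set()})
    for r in records:
        s = out[r["src"]]
        s["in_if"].add(r["in_if"])
        s["actions"][r["action"]] += 1
        if r["proto"]:
            s["protos"].add(r["proto"] + " " + ", ".join(f"{k}={v}" for k, v in r["detail"].items()))
    return dict(out)

if __name__ == "__main__":
    for src, s in summarize(parse_debug_log(SAMPLE_LOG)).items():
        print(src, "in via", sorted(s["in_if"]), dict(s["actions"]), sorted(s["protos"]))
```

The ingress interface tells you whether a source is inside or outside, and "encapsulation failed" means the router got no ARP reply for the destination, which matches the Incomplete entry in SHOW IP ARP for the shut-down host.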
 
Ahh, well that's a start... so something is pinging my old DNS server... hmmm

Isn't there a way to block any requests to .212 and any other IP I specify?

Everything is appreciated! I've learned a lot about this router tonight; two weeks ago I had never touched one ;)

 
Sure, it's pretty simple to block ICMP using an access list. Do a quick search on Cisco's website for "configuring access lists" for a good run-down of the topic. They're easy to use, but it's easy to block more traffic than you intended, and it pays to know a bit about them.

 
Great! I'll do that first thing in the morning :)

That will be a great thing to learn until I can narrow down who's pinging that old DNS server. I have a feeling I already know.

Thanks for all your help! Hope you're around the next time I need help! :)
 
OK, I've read the access-list information on Cisco's website and I think I've put together the one I'll need. A clarification would be greatly appreciated though!

access-list 101 deny ip any host xxx.xxx.xxx.212

This should block anything from trying to be routed to .212, correct? And once I make it and it shows up in SHOW ACCESS-LIST, that means it's running, right?

THANKS!
 
You need to apply it to an interface to make it active. Another VERY important thing to know about access lists is that there is an implicit "deny all" at the end of the list. If you were to apply your access list as written to an interface, it would deny all traffic. Add "access-list 101 permit ip any any" at the end of the list to allow all the other traffic, then apply it to an interface.

For example, if you wanted to apply it on the FastEthernet interface facing that host:

interface FastEthernet0/0
 ip access-group 101 out

 
I'm glad you told me to add the permit rule to the access list; that's logical.

And I've been reading about applying it to an interface, but I'm confused about which one to apply it to... do I apply it to the Serial or the FastEthernet? The FastEthernet is the one going OUT to my firewall (isn't it?).

 