How to view traffic.

jason985

IS-IT--Management
Oct 16, 2002
Is there a command to view where the traffic on my network is coming from via cisco router?
 
Use this for starters....(on the cisco router, use the commands below......The options are just ways of minimizing traffic, via destination, etc... If you are wondering what traffic is going to a specific IP, then use it as the destination address......)

debug ip tcp packet ?
  <0-22>   Line number
  aux      Auxiliary line
  console  Primary terminal line
  tty      Terminal controller
  vty      Virtual terminal
  <cr>
  address  IP address (source or destination)
  in       Incoming segments
  out      Outgoing segments
  port     Port number (source or destination)

-- or --

debug ip packet ?
  <1-199>      Access list
  <1300-2699>  Access list (expanded range)
  detail       Print more debugging detail
  <cr>

The statement you will be looking for will have the effect of the following

s=xxx.xxx.xxx.xxx d=xxx.xxx.xxx.xxx etc.......

The s= Source IP address (that's where it's coming from)
Just be careful how much debugging you turn on as it's very CPU intensive to "report" all traffic to the console......

Good Luck
 
You can turn on Netflow if you have the right series router. I would be leery about leaving a debug on for any length of time. Netflow is the way to go.

Router Boy!
 
Sounded to me like there was something discovered, reproducible and you wanted to know where it came from.
In that instance I would turn on debugging. If there is logging on the network at the present moment, I doubted this question would have been asked.

NetFlow is good for extended monitoring. As I mentioned before, debugging will use the CPU available. I hope I didn't confuse you into debugging all day...

 
I am kinda new to this router monitoring. How do I turn on and view Netflow? I have the cisco 2600 router.

TIA
 
If you want to get an idea of how much traffic a particular circuit is utilizing there are a few tools that can help (PRTG, MRTG and Cricket). They all are freeware, PRTG is a 30-day trial and is a Windows-based app, but it's handy if you just want to do a little troubleshooting. MRTG and Cricket are freeware tools used for graphing over time. Good for trend analysis, but they require a fair bit of time configuring.
 
OK guys...I'm a little confused here. Is netflow an IOS command that's built in or is it a monitoring software from Cisco? I have several routers running 12.2 and no netflow command.

Thanks,
Nicole
 
Netflow is a method of seeing the source and destination info for packets on specific interfaces. I use 2600s as terminal servers and they will run netflow:

Router>sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(5d), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sat 02-Feb-02 03:36 by kellythw
Image text-base: 0x80008088, data-base: 0x80989870

ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)

Router uptime is 50 weeks, 13 minutes
System returned to ROM by reload
System image file is "flash:c2600-i-mz.122-5d.bin"

cisco 2610 (MPC860) processor (revision 0x00) with 28672K/4096K bytes of memory.
Processor board ID JAD064509YW (3156047969)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
32 terminal line(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Router>

Router#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                205.207.237.30  YES NVRAM  up                    up
Async33                    unassigned      YES NVRAM  down                  down
Async34                    unassigned      YES NVRAM  down                  down
Async35                    unassigned      YES NVRAM  down                  down
Async36                    unassigned      YES NVRAM  down                  down
Async37                    unassigned      YES NVRAM  down                  down
Async38                    unassigned      YES NVRAM  down                  down
Async39                    unassigned      YES NVRAM  administratively down down
Async40                    unassigned      YES NVRAM  administratively down down
Async41                    unassigned      YES NVRAM  administratively down down
Async42                    unassigned      YES NVRAM  administratively down down
Async43                    unassigned      YES NVRAM  administratively down down
Async44                    unassigned      YES NVRAM  administratively down down
Async45                    unassigned      YES NVRAM  administratively down down
Async46                    unassigned      YES NVRAM  administratively down down
Async47                    unassigned      YES NVRAM  down                  down
Async48                    unassigned      YES NVRAM  down                  down
Group-Async1               10.0.0.1        YES unset  down                  down
Loopback0                  10.0.0.1        YES NVRAM  up                    up
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0/0
Router(config-if)#ip route-cache flow
Router(config-if)#end
Router#sh ip cache flow
IP packet size distribution (78 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  1 active, 4095 inactive, 1 added
  19 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         207.61.30.41    Local         205.207.237.30  06 EDA9 0017    78
Router#

Try it and let us know if that is what you were looking for.

Routerboy!
 
I think that will work. Thanks to everyone for your help.

 
Netflow also comes in handy if you have to track down PCs with viruses on them.
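
Added example (not from any poster in this thread): the `sh ip cache flow` table posted above prints the Pr, SrcP and DstP columns in hexadecimal, so this Python sketch decodes them and lists sources that reach several distinct hosts on one port, the pattern to look for when tracking down an infected PC. All sample rows except the first, the `fan_out` threshold and the K/M packet-count handling are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the flow table in the post above. The
# first row is the flow from the post; the 10.0.0.x rows are made up.
SAMPLE = """\
SrcIf     SrcIPaddress    DstIf     DstIPaddress    Pr SrcP DstP  Pkts
Et0/0     207.61.30.41    Local     205.207.237.30  06 EDA9 0017    78
Et0/0     10.0.0.57       Se0/0     192.0.2.11      06 0A21 01BD     3
Et0/0     10.0.0.57       Se0/0     192.0.2.12      06 0A22 01BD     3
Et0/0     10.0.0.57       Se0/0     192.0.2.13      06 0A23 01BD     3
Et0/0     10.0.0.80       Se0/0     198.51.100.7    11 0401 0035     2
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
HEX2, HEX4 = r"([0-9A-Fa-f]{2})", r"([0-9A-Fa-f]{4})"
ROW = re.compile(rf"^(\S+)\s+{IP}\s+(\S+)\s+{IP}\s+{HEX2}\s+{HEX4}\s+{HEX4}\s+(\d+)([KM]?)$")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
# Assumption: large packet counts are abbreviated with K/M; treat as approximate.
SCALE = {"": 1, "K": 1_000, "M": 1_000_000}

def parse_flows(text):
    """Return one dict per flow row; Pr, SrcP and DstP are hex in the output."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # column headers, statistics and blank lines
        src_if, src, dst_if, dst, pr, sport, dport, pkts, unit = m.groups()
        num = int(pr, 16)
        flows.append({
            "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": PROTO.get(num, str(num)),
            "sport": int(sport, 16), "dport": int(dport, 16),
            "pkts": int(pkts) * SCALE[unit],
        })
    return flows

def fan_out(flows, min_dests=3):
    """Sources reaching min_dests or more distinct hosts on one protocol/port."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f["src"], f["proto"], f["dport"])].add(f["dst"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_dests}

if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} {f['proto']} pkts={f['pkts']}")
    for (src, proto, port), dsts in fan_out(parse_flows(SAMPLE)).items():
        print(f"fan-out: {src} -> {len(dsts)} hosts on {proto}/{port}")
```

The flow from the post decodes to TCP source port 60841 and destination port 23, i.e. a Telnet session to the router itself.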
 
Nicole,

Just turn on IP accounting on the interface that traffic leaves through. Turning on debugging for any type of packet is processor intensive. You can turn on debugging and match an access-list to be more specific, but if you make a mistake, you can bring down the router. To turn on ip accounting do the following:

interface <interface>
ip accounting output-packets

This will tell you where packets are sourced from and where they are going, no matter where they come from in your network. If it leaves this interface, it will be logged.

To view the info, issue the "show ip accounting" command.

The size of the buffer is limited so new traffic overwrites older traffic, but the size can be changed to accommodate what you need.

HTH
 
Nicole,

Look in the Designing Cisco Networks, Cisco Press book for more information on NetFlow. It will specifically discuss scenarios with which NetFlow should be utilized.

Obviously with a little creative thinking it can be expanded for use, but this is a start.

Good Luck

Syty
 
Hi, to all,

I'm new to all this router stuff, and I want to try those lines on my Cisco 1600 (I refer to the lines SyTy put here). I was wondering if those lines will work for me to view traffic on a specific IP inside my NAT.

Any help would be appreciated!

 
Menny,

Download a packet sniffer for that purpose. Most will allow you to track an IP or even a specific MAC as the source, or destination. I personally use EtherPeek for mine, but there are MANY
 
If you are using a hub on your network, you will be just fine.

If you are using a switch, you will not see the traffic that is put off of another switchport due to separate Collision Domains (Interconnecting Cisco Network Devices, ISBN: 1-57870-111-2).

Read about Broadcast Domains and Collision Domains if you are having trouble with your monitoring.

Still confused, let us know.


A little self research goes a long way...
 
On a cisco router you can use the debug ip packet <access-list #>

It's a little cumbersome, but for specific tracking (not to be left on all day) you can assign an implicit permit access list for any given IP and then debug that access list. You can use extended access lists to watch someone on just a specific port. One word of caution. If the user you are watching is doing some malicious or suspicious behavior and is hitting other machines on the switch, the router will not see the traffic. The switch will simply "switch" the traffic by MAC. The router will not be used. Basically meaning that anything the user does on their local subnet will never be seen by the router and you will not find anything.

By using a packet sniffer you are using out-of-band monitoring from a dedicated administrative workstation and can watch all information going to and from any given IP address or subnet without affecting the users or your router CPU (as it's not used).

Good Luck.
 