Use this for starters. (On the Cisco router, use the commands below. The options are just ways of minimizing traffic, via destination, etc. If you are wondering what traffic is going to a specific IP, then use it as the destination address.)
debug ip tcp packet ?
<0-22> Line number
aux Auxiliary line
console Primary terminal line
tty Terminal controller
vty Virtual terminal
<cr>
address IP address (source or destination)
in Incoming segments
out Outgoing segments
port Port number (source or destination)
-- or --
debug ip packet ?
<1-199> Access list
<1300-2699> Access list (expanded range)
detail Print more debugging detail
<cr>
The statement you will be looking for will look like the following:
s=xxx.xxx.xxx.xxx d=xxx.xxx.xxx.xxx etc.
The s= is the source IP address (that's where it's coming from).
Just be careful how much debugging you turn on, as it's very CPU intensive to "report" all traffic to the console.
You can turn on NetFlow if you have the right series router. I would be leery about leaving a debug on for any length of time. NetFlow is the way to go.
Sounded to me like there was something discovered, reproducible, and you wanted to know where it came from.
In that instance I would turn on debugging. If there were logging on the network at the present moment, I doubt this question would have been asked.
NetFlow is good for extended monitoring. As I mentioned before, debugging will use the CPU available. I hope I didn't confuse you into debugging all day...
If you want to get an idea of how much traffic a particular circuit is utilizing, there are a few tools that can help (PRTG, MRTG and Cricket). They are all freeware; PRTG is a 30-day trial and is a Windows-based app, but it's handy if you just want to do a little troubleshooting. MRTG and Cricket are freeware tools used for graphing over time. Good for trend analysis, but they require a fair bit of time configuring.
OK guys... I'm a little confused here. Is NetFlow an IOS command that's built in, or is it monitoring software from Cisco? I have several routers running 12.2 and no netflow command.
NetFlow is a method of seeing the source and destination info for packets on specific interfaces. I use 2600s as terminal servers and they will run NetFlow:
Router>sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(5d), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sat 02-Feb-02 03:36 by kellythw
Image text-base: 0x80008088, data-base: 0x80989870
ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)
Router uptime is 50 weeks, 13 minutes
System returned to ROM by reload
System image file is "flash:c2600-i-mz.122-5d.bin"
cisco 2610 (MPC860) processor (revision 0x00) with 28672K/4096K bytes of memory.
Processor board ID JAD064509YW (3156047969)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
32 terminal line(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Router>
Router#sh ip int br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 205.207.237.30 YES NVRAM up up
Async33 unassigned YES NVRAM down down
Async34 unassigned YES NVRAM down down
Async35 unassigned YES NVRAM down down
Async36 unassigned YES NVRAM down down
Async37 unassigned YES NVRAM down down
Async38 unassigned YES NVRAM down down
Async39 unassigned YES NVRAM administratively down down
Async40 unassigned YES NVRAM administratively down down
Async41 unassigned YES NVRAM administratively down down
Async42 unassigned YES NVRAM administratively down down
Async43 unassigned YES NVRAM administratively down down
Async44 unassigned YES NVRAM administratively down down
Async45 unassigned YES NVRAM administratively down down
Async46 unassigned YES NVRAM administratively down down
Async47 unassigned YES NVRAM down down
Async48 unassigned YES NVRAM down down
Group-Async1 10.0.0.1 YES unset down down
Loopback0 10.0.0.1 YES NVRAM up up
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0/0
Router(config-if)#ip route-cache flow
Router(config-if)#end
Router#sh ip cache flow
IP packet size distribution (78 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
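The configuration above only enables the flow cache on the router. As an added example (not part of the post above, and not a configuration from the thread), here is the same setup extended so the flows are exported to an external collector, which is how NetFlow is normally used for anything longer than a quick look at the cache. The collector address 10.0.0.50, its UDP port 2055, and the Loopback0 source are assumptions for illustration; the commands themselves are standard 12.x IOS.

```cisco
! Added example: NetFlow on Ethernet0/0 with v5 export to a collector.
! Collector 10.0.0.50 / UDP 2055 and Loopback0 as the export source are assumed.
configure terminal
 interface Ethernet0/0
  ip route-cache flow
 exit
 ! Export version 5 records from a stable source address to the collector.
 ip flow-export version 5
 ip flow-export source Loopback0
 ip flow-export destination 10.0.0.50 2055
 ! Expire long-lived flows after one minute so the collector sees them
 ! while they are still in progress instead of only when they finish.
 ip flow-cache timeout active 1
 end
!
! Confirm the export settings and that records are actually leaving the router.
show ip flow export
!
! On the router itself, skip the size histogram and go straight to the
! per-flow table (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts).
show ip cache flow | begin SrcIf
!
! Or pull out just the flows involving one host of interest (address assumed).
show ip cache flow | include 10.0.0.25
```

Unlike debug, the flow cache is built as part of switching the packets, so it costs far less CPU than reporting every packet; the export adds a small amount of UDP traffic towards the collector, which is why a loopback is used as the source so the records keep the same address no matter which interface they leave by.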
Just turn on IP accounting on the interface that traffic leaves through. Turning on debugging for any type of packet is processor intensive. You can turn on debugging and match an access list to be more specific, but if you make a mistake, you can bring down the router. To turn on IP accounting, do the following:
interface <interface>
ip accounting output-packets
This will tell you where packets are sourced from and where they are going, no matter where they come from in your network. If it leaves this interface, it will be logged.
To view the info, issue the "show ip accounting" command.
The size of the buffer is limited, so new traffic overwrites older traffic, but the size can be changed to accommodate what you need.
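As an added example (not from the post above) of the IP accounting approach carried through end to end: the accounting table size is raised before the feature is enabled, and the checkpoint table is used to take clean interval readings rather than one ever-growing total. The interface name Serial0/0 and the threshold of 2000 entries are assumptions for illustration.

```cisco
! Added example: IP accounting on the egress interface with a larger table
! and checkpointed readings. Serial0/0 and the 2000-entry limit are assumed.
configure terminal
 ! Raise the number of source/destination pairs the table can hold
 ! (the default is 512 entries).
 ip accounting-threshold 2000
 interface Serial0/0
  ! Count every packet that is output through this interface, by src/dst pair.
  ip accounting output-packets
 end
!
! Read the active table: one line per source/destination pair with packet
! and byte counts. "| include" narrows it to one host (address assumed).
show ip accounting
show ip accounting | include 10.1.1.25
!
! Copy the active table into the checkpoint table and start counting afresh,
! so the next "show ip accounting checkpoint" covers exactly one interval.
clear ip accounting
show ip accounting checkpoint
```

Two caveats worth knowing before relying on this: the counts are of packets the router itself forwards out of that interface, so anything switched locally by a LAN switch never appears, and once the threshold is reached no new source/destination pairs are added until the table is cleared.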
Look in the Designing Cisco Networks, Cisco Press book for more information on NetFlow. It will specifically discuss scenarios with which NetFlow should be utilized.
Obviously with a little creative thinking it can be expanded for use, but this is a start.
I'm new to all this router stuff, and I want to try those lines on my Cisco 1600 (refer to the lines SyTy put here). I was wondering if those lines would work for me to view traffic to a specific IP inside my NAT.
Download a packet sniffer for that purpose. Most will allow you to track an IP or even a specific MAC as the source or destination. I personally use EtherPeek for mine, but there are MANY.
If you are using a hub on your network, you will be just fine.
If you are using a switch, you will not see the traffic that is put off of another switch port, due to separate collision domains (see Interconnecting Cisco Network Devices, ISBN 1-57870-111-2).
Read about broadcast domains and collision domains if you are having trouble with your monitoring.
On a Cisco router you can use debug ip packet <access-list #>.
It's a little cumbersome, but for specific tracking (not to be left on all day) you can assign an implicit permit access list for any given IP and then debug that access list. You can use extended access lists to watch someone on just a specific port. One word of caution: if the user you are watching is doing some malicious or suspicious behavior and it is hitting other machines on the switch, the router will not see the traffic. The switch will simply "switch" the traffic by MAC. The router will not be used. Basically, anything the user does on their local subnet will never be seen by the router and you will not find anything.
By using a packet sniffer you are using out-of-band monitoring from a dedicated administrative workstation and can watch all information going to and from any given IP address or subnet without affecting the users or your router CPU (as it's not used).
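Both the first post (debug ip packet with the s=/d= output and the CPU warning) and the post above (debug against an access list, scoped to one host or port) describe the same procedure without showing it written out. As an added example, not taken from either poster, here it is end to end, with the two safety measures a practitioner would add: the output goes to the log buffer instead of the console, and the debug is switched off as soon as the lines have been read. The host 10.1.1.25, the destination 192.168.50.10, TCP port 445 and access list number 101 are assumptions for illustration.

```cisco
! Added example: "debug ip packet" scoped by an extended access list.
! Addresses 10.1.1.25 / 192.168.50.10, port 445 and ACL 101 are assumed.
!
! 1. Keep debug output off the console line, which is the slow, CPU-hungry
!    path; log it to memory instead and read it with "show logging".
configure terminal
 no logging console
 logging buffered 65536 debugging
!
! 2. Describe only the conversation of interest. This ACL is used purely as
!    a debug filter and is NOT applied to any interface, so it blocks nothing.
!    The implicit "deny any" at the end is what keeps everything else out of
!    the debug output. Both directions are listed so replies are seen too.
 access-list 101 permit tcp host 10.1.1.25 host 192.168.50.10 eq 445
 access-list 101 permit tcp host 192.168.50.10 eq 445 host 10.1.1.25
 end
!
! 3. Debug only packets matching the ACL; "detail" adds protocol and ports.
debug ip packet 101 detail
!
! 4. Read the captured lines. s= is the source, d= the destination, and the
!    interface names in parentheses show where it arrived and where it left.
show logging | include s=10.1.1.25
!
! 5. Turn it off as soon as you have what you need, then restore the console.
undebug all
configure terminal
 logging console
 end
```

One caveat that catches people out: debug ip packet only reports packets the router process-switches, so traffic that is fast-switched on an interface with ip route-cache enabled may never show up in the debug at all. Resist the temptation to disable route caching on a busy interface to "fix" this; that pushes every packet through the CPU and is exactly how a debug brings a router down. NetFlow or IP accounting, as described earlier in the thread, see the switched traffic without that cost.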