Logging all traffic, finding "top users"

[daShader]

Is there any way to log all passing packets from Cisco 2600?

Ideally I would get a log file that looks like

src -> dest PROTOCOL, PORT, SIZE of packet

for example

10.10.1.1 192.168.1.1 TCP 80 243

I know it's possible to log the number of packets passed in 5 minutes using access lists. But is there a way to log the ammount of data for each sender/receiver ip.

Sorry for broken english

Reards,
Mick

 

[marsd]

Sure , You could use an access list like:
access-list 104 deny tcp any host $routerip eq www
access-list 104 permit ip any any

#apply the access-list
int e1
ip access-group 104 in

#apply the accounting rule
int e1
ip accounting access-violation

Or to see all traffic :
int e1
ip accounting output-packets

You can also just log this traffic:
access-list 104 permit tcp any any eq

http://www log

logging buffered *could be hazardous:fair warning.
int e1
ip access-group 104 in

Now the command: show logging will give you your
info.

Also if it is specific users you want to keep track of:
You need an AA model and some form of auth, or maybe just
logging on your vty lines, depends.

My .02 , I'll probably be crucified for details here..

 

[wybnormal]

Just remember that all this data takes room.. adjust the log file size AND if you dump to syslog, it's gonna to suck up bandwidth to send to the syslog server.

MikeS Find me at

http://www.packetattack.com

"The trouble with giving up civil rights is that you never get them back"

 

[daShader]

Thanks a lot for tips guys, will try that today!

 

[daShader]

the log I get is

19:30:28: %SEC-6-IPACCESSLOGP: list 104 permitted tcp 10.10.99.12(0) -> 207.46.182.140(0), 3 packets

so it logs only the # packets passed.. but not the actual ammount of data.

Is there a way to make it store the size of packets or volume of data to?