We have two 7204s that are plugged into a Nortel Passport (layer 3 switch). The port on the switch that the routers are connected to is taking InDiscards. I am trying to discover what traffic is being discarded and why. I have been working with Nortel and they have suggested checking for CDP, local multicast and/or broadcast traffic not destined for the switch. CDP is not enabled so it's not that. Is there any way to sniff the fast ethernet port on that router? I can port mirror the switch port, but the discards happen before port mirroring so it won't do me any good. Thanks!
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations John Tel on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Traffic sniffing on Cisco?
- Thread starter AyrishGrl
- Start date
GeneralDzur
Technical User
I'd recommend either
A) ManageEngine's NetFlow analyzer - for traffic/bandwidth monitoring
but more specifically
B) Hook a laptop directly into the switch and run Ethereal (latest ver. is 0.0.10.10 I think). It's a great packet-sniffer, and you can see what the problem is hopefully. Here's the link:
- stephan
A) ManageEngine's NetFlow analyzer - for traffic/bandwidth monitoring
but more specifically
B) Hook a laptop directly into the switch and run Ethereal (latest ver. is 0.0.10.10 I think). It's a great packet-sniffer, and you can see what the problem is hopefully. Here's the link:
- stephan
- Thread starter
- #5
Any sort of PCAP or traffic sniffing on the Passport will not work as the traffic is discarded before the traffic is mirrored (which is how you sniff traffic on that device). I need to be able to see the traffic from the Cisco before it hits the passport. Since the Cisco is plugged directly into the Passport I need to somehow sniff the traffic directly from the Cisco. Is this possible?
Hi,
its sounds like you need to capture the traffic "on the cable" there is a chance that if they are errored packets.
You could sniff on the cisco ( debug ip packet ) however it may not capture what you are looking for as the issue may have not been formed yet.
And as you say you could capture on the Nortel, however the switch has discarded these packets anyway.
If the connection is a 10/Half, then I would introduce a hub between the Nortel and cisco, then use as advised "etherreal" its a great tool, with the hub being passive it will just replicate all traffic ( errored too )
If you are using 100/FULL connections, then you could introduce a switch instead of a hub, however this switch may be intelligent enough to also discard packets, but you could sniff on a mirrored port on that.
We use Nortel 8600`s so Im not sure about your model, but cannot you debug on dropped packets, it must report on it.
LEEroy
MCNE6,CCNA2,CWNA, Project+
its sounds like you need to capture the traffic "on the cable" there is a chance that if they are errored packets.
You could sniff on the cisco ( debug ip packet ) however it may not capture what you are looking for as the issue may have not been formed yet.
And as you say you could capture on the Nortel, however the switch has discarded these packets anyway.
If the connection is a 10/Half, then I would introduce a hub between the Nortel and cisco, then use as advised "etherreal" its a great tool, with the hub being passive it will just replicate all traffic ( errored too )
If you are using 100/FULL connections, then you could introduce a switch instead of a hub, however this switch may be intelligent enough to also discard packets, but you could sniff on a mirrored port on that.
We use Nortel 8600`s so Im not sure about your model, but cannot you debug on dropped packets, it must report on it.
LEEroy
MCNE6,CCNA2,CWNA, Project+
- Thread starter
- #7
Hi,
Cannot find a way to check, however I dont think anything can be checked because after speaking with a contact these are normally errored frames.
Could you run the following commands on your nortel with the port connected to the cisco
show port error main <slot/port >
show port info all <slot/port>
On the ethernet port on your cisco can you run the following
show inter <interface> <slot/port> i.e show inter fastethernet 1/0
LEEroy
MCNE6,CCNA2,CWNA, Project+
Cannot find a way to check, however I dont think anything can be checked because after speaking with a contact these are normally errored frames.
Could you run the following commands on your nortel with the port connected to the cisco
show port error main <slot/port >
show port info all <slot/port>
On the ethernet port on your cisco can you run the following
show inter <interface> <slot/port> i.e show inter fastethernet 1/0
LEEroy
MCNE6,CCNA2,CWNA, Project+
- Thread starter
- #10
The link is hard coded to 100/full on both sides.
Passport-8610:5# show port error main 3/32
================================================================================
Port Ethernet Error
================================================================================
PORT ERROR ERROR FRAMES TOO LINK CARRIER CARRIER SQETEST
NUM ALIGN FCS LONG SHORT FAILURE SENSE ERRORS ERRORS
--------------------------------------------------------------------------------
3/32 0 0 0 56 1 0 0 0
I don't see anything in the show port info all that raises any flags.
show int on Cisco shows 0 errors as well.
Passport-8610:5# show port error main 3/32
================================================================================
Port Ethernet Error
================================================================================
PORT ERROR ERROR FRAMES TOO LINK CARRIER CARRIER SQETEST
NUM ALIGN FCS LONG SHORT FAILURE SENSE ERRORS ERRORS
--------------------------------------------------------------------------------
3/32 0 0 0 56 1 0 0 0
I don't see anything in the show port info all that raises any flags.
show int on Cisco shows 0 errors as well.
- Status
