how to monitor traffic going through a switch port

Hi everyone,

I have been reading pages and pages of information on how to monitor traffic on a cisco router, but it's all very confusing. Here is what I am doing:

I telnet into my router, I enter privileged mode, and I type "terminal monitor" so I can see the debug information.

-- here's where I am stuck. I want to see all traffic that is exiting port 24. I need to see source IP (which computer on my network sent it) and destination IP (wherever that is on the Web). Port 24 of my router is connected to my firewall, and my firewall is connected to the web. Port 24 does NOT have its own IP address.

I create access-list 123: "access-list 123 permit ip 192.168.111.0 0.0.0.255 any" where 192.168.111.0 is the subnet of all my PCs on my network.

I then enter the command "debug ip packet 123"

Now I see ALL traffic. entering and exiting the router. How do I limit the traffic I see to Port 24 ONLY? In the outbound direction only?

Thanks.

-- Al

What hardware exactly do you have? You say router, and then you say switch. Cisco makes both, and the answer is different for a router vs. a switch. Also, each major switch line is different from one another on its capabilities.

Let alone the cases you get into with routers having switch blades in them (but thankfully the category of switches with router blades is very small, and almost all gone by now).

Unfortunately, you have to get the feel for where data is at, as some commands act on things at layer-3 beyond the switch plane, and some commands act on the switch plane before the routing/layer-3 level.

I.e. using access-lists on switch ports varies greatly for what is supported across the different switch lines, and is most likely going to log you at the point where all the traffic is converted to layer-3 in your hardware, not necessarily at the port level, depending on what hardware you have. You are probably better off if you have a switch (which is likely with something like port 24), to SPAN/RSPAN the traffic off to a dedicated sniffer box.

-- Doug McIntyre

Hi Doug

Sorry for the ambiguity. I have a Cisco Layer 3 switch, series 3550, IOS Version 12.1(22)EA1a

Al

-- Al

> Hi Doug
>
> Sorry for the ambiguity. I have a Cisco Layer 3 switch, series 3550, IOS Version 12.1(22)EA1a


-- Morph

As a pure switch, the 3550 debug ip packet is going to only be able to monitor L3 packets going upstream through the 'router plane' of the software.

To monitor just port 24, you'll have to use SPAN, which somebody else posted the link to the docs on, as it's not possible to debug packets on a port-by-port basis on a switch (unlike a router).

-- Doug McIntyre

Doug,

Thank you very much for the answer. If I could ask you one other thing... It just so happens that port 24 is connected to my firewall, and my firewall's IP is on a different subnet and Vlan:

    L3 Switch
     __________________
    |                  |
    | Vlan 111 ip      |
    | 192.168.111.1    |
    |                  |
    |                  |_________________Firewall____________WEB
    |                  |                 IP 192.168.222.2
    | Vlan 222 ip      |
    | 192.168.222.1    |
    |__________________|

All my users are on the 111 Subnet. When they communicate with the outside world, their packets are switched from the 111 Vlan to the 222 Vlan. If I understand you correctly, I should be able to see the traffic as it is switched from the 111 to the 222 vlan, and vice versa. Am I correct, and if so, how do I debug this info?

-- Al


Hi,

With RSPAN and SPAN you can specify a source VLAN, so traffic from VLAN 111 can be lifted.

Hope this helps

Andrew

-- tweety

Al,

I am only a beginner/amateur with Cisco routers, but I had the same problem some time back and solved it using two simple monitor session commands, e.g.:

    router(config)# monitor session 1 source interface Fa(port number - this is the port you want to monitor)
    router(config)# monitor session 1 destination interface Fa(port number - to this port you connect a PC running Wireshark)

All data traffic on the source port will now be sent to the destination port, and you can watch and filter the traffic using Wireshark on the PC.

-- tg
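The SPAN setup tg describes, written out for the port numbers used in this thread (Fa0/24 uplinks to the firewall, Fa0/8 carries the analyzer PC), with the egress-only direction Al asked for in the first post and the VLAN source tweety mentioned. This is an added example, not configuration posted by anyone in the thread; the interface numbers and VLAN ID are taken from the posts above, and the command syntax is assumed to match the Catalyst 3550 running IOS 12.1(22)EA1a.

```cisco
! Added example, not from this thread. Assumes Fa0/24 is the firewall uplink
! and the capture PC is on Fa0/8, as described in the posts above.
configure terminal
!
! Port-based SPAN: copy only frames that LEAVE Fa0/24 (tx = egress direction).
! Use "rx" for ingress only, or "both" (the default) for both directions.
monitor session 1 source interface FastEthernet0/24 tx
!
! The destination port receives the mirrored copies. While the session is
! active it no longer behaves as a normal access port for the PC attached to
! it, so that PC should only capture (promiscuous mode), not expect to browse.
monitor session 1 destination interface FastEthernet0/8
end
!
! Confirm the source, direction and destination the switch actually programmed.
show monitor session 1
!
! Alternative for the VLAN layout drawn above: mirror every port in VLAN 111
! instead of one physical port (VLAN-based SPAN). A session takes either port
! sources or VLAN sources, and a destination port belongs to only one session,
! so remove session 1 before using the same destination port here.
configure terminal
no monitor session 1
monitor session 2 source vlan 111
monitor session 2 destination interface FastEthernet0/8
end
show monitor session 2
!
! Tear the mirror down when the capture is finished; a forgotten SPAN session
! keeps feeding a copy of the uplink to whatever is plugged into Fa0/8.
configure terminal
no monitor session 2
end
```

With session 1 in place, the PC on Fa0/8 sees only frames transmitted out of port 24, which is the outbound-only view the first post asked for; the source/destination filtering then happens in the analyzer, for example with the Wireshark display filter `ip.src == 192.168.111.0/24` to keep only packets originating on the user subnet.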

tg,

Thanks for the reply, I'm going to try that out.

I'm surprised that an external PC is required to view traffic passing through the switch. Surely, there is a DEBUG command that could do what I need. That way, an admin can monitor traffic passing through a router or switch at a different physical location. I find it hard to believe that today's technology requires a physical connection to a device to see what's going on inside.

Al

-- Al

It's really not needed that much, and it would require a huge number of resources on a box that is hardware dedicated to getting traffic in and switched through quickly.

If you had such a feature, you'd have to be prepared to reduce throughput on the hardware by many factors of 10 so that it could keep up.

-- Doug McIntyre

tg,

I tried your commands; as soon as I type "monitor session 1 destination interface Fa0/8" that port shuts down. The PC (using Ethereal) I have connected to port 8 therefore sees no traffic at all. Does Port 8 need to be configured in a specific way, i.e. spanning-tree portfast, or switchport mode access, or some other command?

Al

-- Al

Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, Al chose the tried and tested strategy of:

Netflow can be used to see a summary of traffic [ie not each individual packet], but you would have to check the Feature Navigator to see if it's supported on your platform.

-- alexd
