monitor traffic on port 2600 router

cisco 2651XM router IOS: c2600-adventerprisek9-mz.124-15.T8.bin

I want to monitor live traffic on a network port and output it to a tftp syslog. The port is FastEthernet 1/14 but I'm only having partial success. I did:

#debug int f1/14

which seemed to go fine, and then I did:

#logging on
#logging 172.16.1.14 (ip address of the pc running TFTP32)
#logging trap debugging

but I'm not getting a proper report in the syslog of the TFTP program. I'm getting bits of info but not the full monte. What command should I be using? Thanks for any help.

tg

Additional info: the device I want to monitor is set to 172.16.1.36 (connected to port f1/14) so I tried:

#debug ip tcp packet address 172.16.1.36

and got a bit more action but it's still not 'all' traffic.

tg

debug ip packet [detail]

Dumps packets to the logging system

*however* fast switched packets are not noticed

So if you want to see all traffic you need to switch the router to do process switching.

int x
no ip route-cache

(On the *input* interfaces at least, I think, but I would just put it on all relevant interfaces for the traffic)

Of course this may reduce the performance of the router by 90% or so. i.e. to 10% of previous forwarding rate, or even worse. Of course debug will affect it further.

Prepare for the router ceasing to function with deb ip pack. Even hang completely.

You can use an access list to restrict the traffic that is dumped.

deb ip pac 199 [det] - I seem to recall.
access-l 199 ........

Remember to record the config and to put the interfaces back the way they were when you are done.

ip route-cache cef ! for example

The latest greatest IOS has a capture facility in it like tcpdump or the pix/asa.

Maybe 12.4.20T - not sure and have never tried it but it looks good. Think it can send traffic say via ftp to a server in pcap format, handy for wireshark:)) All approximate.

Good luck.

jimjim237

"jimjim237" wrote in message news: snipped-for-privacy@g23g2000yqh.googlegroups.com...

Thanks for your feedback and I'm making some progress. I tried the access-list thing by doing:

#access-list 106 permit tcp 172.16.1.36 255.255.255.255 any
debug ip packet 106

This produced a lot more action in the log but it seemed to include traffic from other IPs that had nothing to do with the device at 172.16.1.36. What I ideally want is to see just traffic in and out of 172.16.1.36. Perhaps I need to tweak the access-list but I'm not sure. Thanks for any further ideas.

tg
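
An added example (not from either poster) for the filter in the last post: a small Python model of how IOS matches an extended access-list entry, where the value after an address is a wildcard mask whose set bits are ignored, so 255.255.255.255 matches any source. The packet tuples and the two-line host-only list are constructed for illustration, and only the `any`, `host A` and `A WILDCARD` address forms are handled.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' (no ports/options)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported entry: " + line)
    rest = t[4:]
    src, dst = _addr_spec(rest), _addr_spec(rest)
    if rest:
        raise ValueError("unsupported options: " + " ".join(rest))
    return t[2], t[3], src, dst

def _match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF   # wildcard bit 1 = ignore that bit
    return (_ip(addr) & care) == (base & care)

def acl_permits(acl, proto, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for line in acl:
        action, p, s, d = parse_ace(line)
        if p in ("ip", proto) and _match(src, s) and _match(dst, d):
            return action == "permit"
    return False

# The entry as posted, and a constructed host-only pair covering both directions.
POSTED = ["access-list 106 permit tcp 172.16.1.36 255.255.255.255 any"]
HOST_ONLY = ["access-list 106 permit ip host 172.16.1.36 any",
             "access-list 106 permit ip any host 172.16.1.36"]
# Constructed sample packets: (protocol, source, destination).
PACKETS = [("tcp", "172.16.1.36", "172.16.1.14"), ("tcp", "172.16.1.50", "172.16.1.14"),
           ("udp", "172.16.1.14", "172.16.1.36"), ("tcp", "172.16.1.14", "172.16.1.36")]

def dumped(acl):
    """Packets that a debug filtered by this list would show."""
    return [p for p in PACKETS if acl_permits(acl, *p)]
```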
