[c-nsp] packet monitoring?

barney gumbo barney.gumbo at gmail.com
Thu Feb 23 12:52:13 EST 2006

I have a complicated problem.  I am trying to determine what src-ip/src-prt
and dst-ip/dst-prt I need to allow outbound on the inside interface of some
firewalls.  Writing ACLs to restrict and then fixing later is not an

The firewalls are PIX 525 and 535.  The typical traffic throughput is
150-200 Mbps.  Using log X interval Y on the PIX ACLs killed our CPU.
We've tried exporting netflow data from a set of 6509's with mls flow cache
set to full and this is way too much data.  To the best of my knowledge,
ethereal and sniffer can do this to a certain extent however I'm not
interested in using system resources to capture the whole packet payload, I
just want to be able to summarize layers 3 through 4 and if the app can break
this down into complete sockets or estimate the UDP flows that would be
great too.

I realize there may be a way to do this with the existing flow-tools apps
but I've read through the manuals and perhaps I'm missing something.  If I
could just see aggregates of src-ip/src-port and dst-ip/dst-prt I think this
will suit my needs well; I don't need to verify that the flow was part of a
particular data transfer session or anything along those lines.

Is there a tool that can listen passively (we would span the PIX inside
interface to this passive listener) and provide summarized data to meet
these requirements?
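The kind of passive L3/L4 summarizer the post asks for, as an added example that is not from the original thread or any of the tools it mentions. It decodes only Ethernet, IPv4 and TCP/UDP headers, so a capture taken with a short snaplen (for example `tcpdump -s 64` on the span port) is sufficient and no payload is ever stored; the byte counts come from the IP total-length field, which is intact even when the frame is truncated. Packets are aggregated per 5-tuple, then inside-initiated flows are collapsed into (proto, src-ip, dst-ip, dst-port) allow candidates: ephemeral source ports are dropped, TCP flows are attributed to the side that sent the pure SYN, and for UDP the lower port is assumed to be the server (a heuristic, since UDP has no handshake). The inside network `10.1.0.0/16`, the addresses, and the frames built by `build_frame()` are constructed for the example; in practice the bytes would come from a pcap reader or raw socket.

```python
import ipaddress
import socket
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_frame(frame):
    """Decode L3/L4 headers -> (proto, sip, sport, dip, dport, ip_len, tcp_flags) or None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                      # ARP, IPv6, etc. are ignored
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 4:
        return None
    ip_len = struct.unpack("!H", ip[2:4])[0]   # wire length, valid even if capture is truncated
    proto = ip[9]
    sip, dip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[0:4])
    if proto == PROTO_TCP:
        if len(l4) < 14:
            return None
        flags = l4[13]
    elif proto == PROTO_UDP:
        flags = 0
    else:
        return None                      # ICMP/GRE/etc. not summarized here
    return (proto, sip, sport, dip, dport, ip_len, flags)


class FlowTable:
    """Per-5-tuple packet/byte counters plus a collapsed outbound allow-list view."""

    def __init__(self):
        self.flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0})

    def add(self, frame):
        rec = parse_frame(frame)
        if rec is None:
            return
        proto, sip, sport, dip, dport, ip_len, flags = rec
        f = self.flows[(proto, sip, sport, dip, dport)]
        f["packets"] += 1
        f["bytes"] += ip_len
        # A pure SYN (SYN set, ACK clear) marks this direction as the initiator.
        if proto == PROTO_TCP and flags & TCP_SYN and not flags & TCP_ACK:
            f["syn"] += 1

    def outbound_rules(self, inside_cidr):
        """Collapse inside-initiated flows to (proto, src_ip, dst_ip, dst_port).

        TCP flows without an observed SYN are return traffic or were captured
        mid-stream and are skipped; UDP server side = lower port (heuristic).
        """
        inside = ipaddress.ip_network(inside_cidr)
        rules = defaultdict(lambda: {"packets": 0, "bytes": 0, "sessions": 0})
        for (proto, sip, sport, dip, dport), f in self.flows.items():
            if ipaddress.ip_address(sip) not in inside:
                continue
            if proto == PROTO_TCP and f["syn"] == 0:
                continue
            if proto == PROTO_UDP and dport > sport:
                continue
            r = rules[(proto, sip, dip, dport)]
            r["packets"] += f["packets"]
            r["bytes"] += f["bytes"]
            r["sessions"] += 1           # one distinct source port = one session
        return dict(rules)


def build_frame(proto, sip, sport, dip, dport, payload_len=0, tcp_flags=0x18):
    """Construct a header-only frame, as a snaplen-limited capture would keep it (sample data)."""
    l4_len = 20 if proto == PROTO_TCP else 8
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + payload_len, 0, 0,
                         64, proto, 0, socket.inet_aton(sip), socket.inet_aton(dip))
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + l4


def sample_frames():
    """Constructed traffic: inside net 10.1.0.0/16, two HTTPS connections and one DNS query."""
    T, U = PROTO_TCP, PROTO_UDP
    return [
        build_frame(T, "10.1.2.3", 51000, "203.0.113.10", 443, 0, TCP_SYN),
        build_frame(T, "203.0.113.10", 443, "10.1.2.3", 51000, 0, TCP_SYN | TCP_ACK),
        build_frame(T, "10.1.2.3", 51000, "203.0.113.10", 443, 500, 0x18),
        build_frame(T, "10.1.2.3", 51001, "203.0.113.10", 443, 0, TCP_SYN),
        build_frame(U, "10.1.2.4", 40000, "198.51.100.53", 53, 40),
        build_frame(U, "198.51.100.53", 53, "10.1.2.4", 40000, 120),
        b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28,       # ARP frame, ignored
    ]


if __name__ == "__main__":
    table = FlowTable()
    for frame in sample_frames():
        table.add(frame)
    for (proto, sip, dip, dport), r in sorted(table.outbound_rules("10.1.0.0/16").items()):
        print(f"{'tcp' if proto == PROTO_TCP else 'udp'} {sip} -> {dip}:{dport} "
              f"sessions={r['sessions']} bytes={r['bytes']}")
```

Run against a long enough capture window, the collapsed table is the raw material for the outbound ACL: each row is one permit candidate, and the session counter shows how much traffic backs it. The full `flows` dict keeps the per-socket detail the post mentions, so an unexpected row can be traced back to the individual connections that produced it before anything is written into the firewall.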

