[c-nsp] tcpdump on ios?
Will Hargrave
will at harg.net
Fri Jan 11 20:55:51 EST 2008
Kim Onnel wrote:
> If we are talking about hardware switching platforms then I believe it makes
> sense that it will only sniff process switched traffic, so why is it useless
> then?
In this case, they are talking about fast-switched and so forth on the
software routing platforms. Because the traffic isn't process switched,
it doesn't go through the same code.
> IMHO, it is very difficult to design a router that will capture traffic
> being hardware switched, am I correct?
Not really...
If it's being hardware (i.e. ASIC) switched you can use a hardware
replication engine (as used for multicast, etherchannels...) to
duplicate packets as required. i.e. - port mirroring. Push those packets
inside a vlan (RSPAN) or GRE tunnel (ERSPAN) and you have a fairly
flexible way to monitor traffic as required. This is, of course,
available on Cisco 6500/7600 platforms (ERSPAN requires PFC3B or greater).
On Juniper, you can match a firewall filter rule with an action
port-mirror. That can be a tunnel also (if you have M7i/Tunnel Services
PIC etc) for similar functionality. You can just log too.
All very handy - having the actual packet beats some vendor-specific
decoded output.
Will
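
For the ERSPAN case mentioned in the post, an added example (not part of the original message): a Python decoder for the collector side that strips the GRE and ERSPAN headers to recover the mirrored Ethernet frame. The function names and the sample packet are constructed for illustration, and the header layout assumed is ERSPAN Type II (GRE protocol 0x88BE), which the post itself does not specify.

```python
import struct

GRE_PROTO_ERSPAN_II = 0x88BE  # GRE protocol type carried by ERSPAN Type II


def decode_erspan(gre: bytes) -> dict:
    """Strip GRE + ERSPAN Type II headers; return metadata and the mirrored frame.

    `gre` is the payload of the outer IP packet (IP protocol 47).
    """
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"not ERSPAN Type II (GRE protocol 0x{proto:04x})")
    if not flags & 0x1000:
        # No sequence number means no ERSPAN header follows (Type I); not handled.
        raise ValueError("GRE sequence bit not set")
    off = 4
    off += 4 if flags & 0x8000 else 0  # optional checksum + reserved
    off += 4 if flags & 0x2000 else 0  # optional key
    if len(gre) < off + 12:
        raise ValueError("truncated sequence or ERSPAN header")
    seq, w0, w1 = struct.unpack_from("!III", gre, off)
    if w0 >> 28 != 1:
        raise ValueError("ERSPAN version field is not 1 (Type II)")
    return {
        "sequence": seq,                    # gaps indicate dropped mirror packets
        "vlan": (w0 >> 16) & 0x0FFF,        # VLAN of the mirrored frame
        "cos": (w0 >> 13) & 0x7,
        "truncated": bool((w0 >> 10) & 1),  # T bit: frame was cut short
        "session_id": w0 & 0x03FF,          # 10-bit ERSPAN session ID
        "index": w1 & 0xFFFFF,
        "frame": gre[off + 12:],            # original Ethernet frame
    }


def build_sample() -> bytes:
    """Constructed sample: ARP-sized Ethernet frame wrapped as ERSPAN Type II."""
    frame = bytes.fromhex("ffffffffffff0200000000010806") + bytes(28)
    gre_hdr = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, 7)  # S bit, seq 7
    erspan_hdr = struct.pack("!II", (1 << 28) | (100 << 16) | 42, 3)
    return gre_hdr + erspan_hdr + frame


if __name__ == "__main__":
    info = decode_erspan(build_sample())
    print({k: v for k, v in info.items() if k != "frame"}, len(info["frame"]))
```

The returned `frame` bytes can be written to a pcap file or handed to any Ethernet dissector, and a jump in `sequence` between consecutive packets shows that the mirror path lost traffic.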