[c-nsp] tcpdump on ios?

Masood Ahmad Shah masood at nexlinx.net.pk
Sun Jan 13 03:23:39 EST 2008


Well, all in all, Cisco needs to improve packet sniffing tools on their
platforms. What would you do if you come from Juniper and are used to using

jahil@jahil> monitor traffic detail interface em0 no-resolve print-ascii

Address resolution is OFF.
Listening on em0, capture size 1514 bytes

12:58:43.311620  In IP (tos 0x0, ttl 128, id 25379, offset 0, flags [none],
proto: UDP (17), length: 78) 192.168.10.101.137 > 192.168.10.255.137: UDP,
length 50
0x0000   ffff ffff ffff 0050 da36 e12f 0800 4500        .......P.6./..E.
0x0010   004e 6323 0000 8011 40c7 c0a8 0a65 c0a8        .Nc#....@....e..
0x0020   0aff 0089 0089 003a ec0a fc36 0110 0001        .......:...6....
0x0030   0000 0000 0000 2044 4244 4a44 4343 4f44        .......DBDJDCCOD
0x0040   4244 4744 4943 4f44 4244 4143 4f44 4244        BDGDICODBDACODBD
0x0050   4144 4443 4143 4100 0020 0001                  ADDCACA.....


I strongly suggest an integrated tool to debug IP payloads (like tcpdump).
They also need to work on dependencies and only platform specific features;
why the heck do I need to disable something to get another thing, or need to
buy a new router just for a feature :)

Also, I suggest a feature such as "commit" and "rollback n", which can really
make backing out of changes a no-brainer.

Regards,
Masood Ahmad Shah



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aamer Akhter
(aakhter)
Sent: Sunday, January 13, 2008 1:31 AM
To: Saku Ytti; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] tcpdump on ios?

Hi Folks,

It really depends on what the intent is. If the intent is to track flows
transiting the router, then these debug commands are (IMHO) not the best
way. E.g., a problem with debug cef is going to be that not all packets are
CEF switched (e.g. PBR, MPLS). These are really meant to troubleshoot the
specific switching/forwarding system(s).

I think the original poster was looking for only tracking of flows, not
interested in payload gathering etc (so the tcpdump in the subject line
might be conveying more than actually required). For that purpose, NetFlow
should suffice.

For specifically creating pcap files on the router, IP router traffic export
(RTE) has been mentioned. RTE can create pcap files on a remote tftp or
locally (disk,usb etc). The limitation there is that it is only available on
certain platforms and there it only captures TCP traffic. I'm trying to help
prioritize the case for supporting non-TCP traffic so if there is solid
interest please drop me an email.

SPAN and lawful intercept (LI) are also options providing you're on the
right platform and an image that has LI.

Regards,

-- 
Aamer Akhter / aa at cisco.com
Ent & Commercial Systems, cisco Systems

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
> Sent: Saturday, January 12, 2008 1:30 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] tcpdump on ios?
> 
> On (2008-01-12 10:42 -0500), Luan Nguyen wrote:
> 
> > But on a simple router, to track down a problem for a few seconds...
> > no logging console
> > logging buffer xxxx debugging
> > no ip route-cache on interfaces
> > access-list to match or set interface condition
> > debug ip packet detail <access-list> (dump).
> >
> > would do fine?
> 
> Since new CEF code in 12.2S, in software platforms using CEF
> for switching you can debug CEF switched packets virtually
> for free (as well as mirror, which was already mentioned
> in the thread earlier). Debugging is not surprisingly
> 'debug ip cef packet ..'.
> 
> Thanks,
> --
>   ++ytti
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
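
The hex dump in the `monitor traffic` output at the top of this message can be decoded offline. The following is an added example, not part of the original thread; `dump_to_bytes`, `ip_checksum_ok` and `decode` are hypothetical helper names. It also decodes the NetBIOS query name from the UDP payload, the kind of detail a payload capture provides and a NetFlow record does not.

```python
import ipaddress
import re
import struct

# Hex dump lines copied from the `monitor traffic` output in this post.
DUMP = """\
0x0000   ffff ffff ffff 0050 da36 e12f 0800 4500        .......P.6./..E.
0x0010   004e 6323 0000 8011 40c7 c0a8 0a65 c0a8        .Nc#....@....e..
0x0020   0aff 0089 0089 003a ec0a fc36 0110 0001        .......:...6....
0x0030   0000 0000 0000 2044 4244 4a44 4343 4f44        .......DBDJDCCOD
0x0040   4244 4744 4943 4f44 4244 4143 4f44 4244        BDGDICODBDACODBD
0x0050   4144 4443 4143 4100 0020 0001                  ADDCACA....."""

def dump_to_bytes(dump):
    """Rebuild the frame from 'offset  hex words  ascii' lines, checking offsets."""
    frame = bytearray()
    for line in dump.strip().splitlines():
        offset, hexpart = re.split(r"\s{2,}", line.strip(), maxsplit=2)[:2]
        if int(offset, 16) != len(frame):
            raise ValueError(f"missing or reordered line at {offset}")
        frame += bytes.fromhex(hexpart)
    return bytes(frame)

def ip_checksum_ok(header):
    """The one's-complement sum of a valid IPv4 header folds to 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(frame):
    """Decode Ethernet II / IPv4 / UDP, plus the NetBIOS query name on port 137."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:
        raise ValueError("not an IPv4/UDP frame")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    length, ident, _frag, ttl = struct.unpack("!HHHB", ip[2:9])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    payload = frame[22 + ihl:14 + length]
    src, dst = (ipaddress.ip_address(ip[o:o + 4]) for o in (12, 16))
    info = {"ttl": ttl, "id": ident, "length": length, "src": f"{src}.{sport}",
            "dst": f"{dst}.{dport}", "udp_payload": len(payload),
            "ip_checksum_ok": ip_checksum_ok(ip)}
    if 137 in (sport, dport) and len(payload) >= 45 and payload[12] == 0x20:
        enc = payload[13:45]  # 32 letters A-P, one nibble per letter
        raw = bytes(((enc[i] - 65) & 15) << 4 | ((enc[i + 1] - 65) & 15)
                    for i in range(0, 32, 2))
        info["nbns_name"] = raw[:15].decode("ascii", "replace").rstrip()
    return info
```

Calling `decode(dump_to_bytes(DUMP))` reproduces the fields of the summary line (ttl 128, id 25379, length 78) and shows the queried name to be the literal string `192.168.10.103`.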