[c-nsp] finding unicast flooding in Wireshark sniff
Dennis
daodennis at gmail.com
Tue Jul 19 12:44:52 EDT 2011
On Mon, Jul 18, 2011 at 5:51 AM, Rogelio <scubacuda at gmail.com> wrote:
> I've got several L2TP tunnels hitting a Cisco 7201 and am trying to
> use Wireshark to determine what inside my tunnel is responsible for queue
> drops on one of the interfaces responsible for the L2TP termination. I
> inserted a Wireshark laptop in a hub between the LAC and the LNS, and
> I got a good 24 hour sniff of L2TP traffic.
>
Are your tunnels IPSEC encrypted? If they are, we'll have to do some
more work in Wireshark to decrypt them.
> I'm hoping to narrow this down a bit more
> and find the smoking gun.
Been watching their videos on the home page I see :)
>
> Any ideas where to start? I feel like I'm poking around here and
> could use any pointers or suggestions others might have. Ideally, I
> could make one "find unidentified unicast" filter and scan a big file
> for that characteristic
I think they are encrypted tunnels, but let us know for sure, then we can help.
Here is some info on ESP decryption, though, for starters:
http://wiki.wireshark.org/ESP_Preferences you may need the HA page
too.
Wireshark has all sorts of wiki pages for protocols.
How to get IPSec encryption key for a specific session
This may also be relevant to your interests:
https://learningnetwork.cisco.com/thread/4654
Thanks,
Dennis O.