I am working on determining a possibility of sending the output of the command "show buffers input-interface vlan 4 header" to the syslog server. The problem we are experiencing is with some multicast applications in our network that send packets with TTL of 1. We use 2 6509 as our core devices on which put the critical multicast servers. When these servers send packets with TTL of 1, those packets get process switched and cause HIGH CPU usage (over 99%). Everytime we have this problem, we make the developers change the TTL to higher than 16 and problem is resolved. But the problem re-occurs with the introduction of a new application without proper tuning of the TTL field. The workaround we use is to rate-limit the ttl.failure packets using the "mls rate-limit all ttl-failure 1000 10" command.
I want to enable some kind of monitoring on the network which will alert us anytime the developers make changes in the TTL field to 1 and cause network problems. One way is to SPAN the CPU packets using sniffer and check the ip.ttl==1 packets. This cannot be done automatically. If there is a way to debug or send packets to the SYSLOG, that will be the ideal solution. I appreciate any suggestions or recommendations.
Thanks in advance.