Trying to determine where the traffic is coming from

Unanswered Question
Jul 11th, 2008

I have an Internet-facing 3800 router, and looking at the NetFlow and NBAR results (using the GUI) I see some traffic that should not be on the network, such as vdolive, napster, pcanywhere, edonkey, etc.

When I try to view the toptalkers, I get a message saying that this IOS will not support this feature.

So how do I determine which IPs are initiating this specific traffic?

Is a sniffer the answer? Anything on the IOS?

michael.leblanc Fri, 07/11/2008 - 08:17

If you have a Catalyst switch that supports Switch Port Analyzer (SPAN), you might want to use it with a sniffer to maintain an ongoing awareness of what traffic exists on your network.

I would hope that you are utilizing interface ACLs and "inspection" on the router. If so you can generate an audit trail via syslog messages (giving you session visibility etc.).

ip inspect audit-trail

The "APPFW" inspection feature would allow you to curb these applications if they are being tunneled through port 80.

If these applications are making it to the Internet side, and if you are using NAT, you could use the following to quickly determine which internal host was involved:

show ip nat translations

ronshuster Fri, 07/11/2008 - 10:40

I am trying to capture the traffic on a C3845-IPBASE-M with IOS Version 12.4(13r)T.

I am unsure how and where to apply the ip inspect command. I tried it from config mode but that function does not exist. Tried the same on the switch (CAT3750) but no luck there either.

michael.leblanc Fri, 07/11/2008 - 11:44

If the "ip inspect" command is not available in global configuration mode on the router, it is most likely because of the IPBASE image in use.

The inspection feature is used to provision a return path by opening temporary dynamic holes in the ACLs encountered by returning traffic, as well as performing other key functions (protocol conformance, etc.). It reduces ACL configuration requirements considerably.

Using SPAN on the switch (assuming it's supported) would give you visibility into the sources of the undesired traffic.

If SPAN is unsupported, you might configure the switch port and router interface for half-duplex, and insert a hub between them so that you can gain visibility with a sniffer.

The hub shouldn't create an issue even in the presence of other encapsulations (e.g.: 802.1Q VLAN headers), but it's a good idea to look at the port/interface error counters before and after injecting the hub to verify that you are not introducing an issue.

It is usually a good idea to unbind the IP stack from the sniffer NIC.

As stated previously, the "show ip nat translations" command (assuming NAT in use) would quickly identify the hosts responsible for most of the undesired application traffic. This is less true for the offending applications that are utilizing port 80 tunneling. It would be hard to distinguish it from HTTP in the translations.
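As an added illustration of the "show ip nat translations" approach suggested above (example code, not from this thread or from Cisco): a small Python parser that reads the translation table and lists the inside hosts whose sessions land on ports commonly associated with the applications named in the question. The sample output, the documentation-range addresses and the port table are all constructed; port 80 is deliberately left out of the table, because HTTP-tunnelled traffic cannot be told apart from ordinary web sessions in this view, which is exactly the caveat raised above.

```python
"""Map undesired application ports back to inside hosts using the text of
'show ip nat translations' (Cisco IOS).  Added example, not from the thread;
the sample output below is constructed with documentation prefixes."""
import re
from collections import defaultdict

# Ports commonly associated with the applications named in the question.
# Port 80 is deliberately absent: traffic tunnelled over HTTP shows up here
# as plain web sessions and cannot be distinguished from normal browsing.
SUSPECT_PORTS = {
    5631: "pcanywhere-data",
    5632: "pcanywhere-status",
    4662: "edonkey",
    6699: "napster",
    7000: "vdolive",
}

# Constructed sample of 'show ip nat translations' output.
SAMPLE_NAT_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1024   10.1.1.20:1024     198.51.100.7:5631  198.51.100.7:5631
tcp 203.0.113.5:1025   10.1.1.33:3456     198.51.100.9:4662  198.51.100.9:4662
tcp 203.0.113.5:1026   10.1.1.20:3457     198.51.100.9:4662  198.51.100.9:4662
tcp 203.0.113.5:1027   10.1.1.41:51000    198.51.100.12:80   198.51.100.12:80
udp 203.0.113.5:2048   10.1.1.50:2048     198.51.100.20:53   198.51.100.20:53
--- 203.0.113.6        10.1.1.60          ---                ---
"""

# One dynamic translation row: protocol followed by four address[:port] columns.
ROW_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)


def split_addr(token):
    """'10.1.1.20:1024' -> ('10.1.1.20', 1024); static entries carry no port."""
    if ":" in token:
        host, port = token.rsplit(":", 1)
        return host, int(port)
    return token, None


def parse_translations(text):
    """Yield one dict per dynamic translation; header and static '---' rows are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        inside_host, inside_port = split_addr(m["il"])
        outside_host, outside_port = split_addr(m["og"])
        yield {
            "proto": m["proto"],
            "inside_host": inside_host,
            "inside_port": inside_port,
            "outside_host": outside_host,
            "outside_port": outside_port,
        }


def inside_hosts_by_application(text, suspect_ports=SUSPECT_PORTS):
    """Return {application: sorted inside hosts} for sessions hitting a flagged destination port."""
    hits = defaultdict(set)
    for t in parse_translations(text):
        app = suspect_ports.get(t["outside_port"])
        if app:
            hits[app].add(t["inside_host"])
    return {app: sorted(hosts) for app, hosts in hits.items()}


if __name__ == "__main__":
    for app, hosts in sorted(inside_hosts_by_application(SAMPLE_NAT_OUTPUT).items()):
        print(f"{app:18} {', '.join(hosts)}")
```

Feed it the real output of "show ip nat translations" captured from the router, and adjust SUSPECT_PORTS to whatever the NBAR report actually flagged. Only the dynamic rows are inspected; a static mapping row tells you nothing about who opened a session.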

ronshuster Wed, 07/16/2008 - 07:58

We do in fact have SolarWinds (Engineering version), which does have NetFlow tools. However, I don't believe my IOS supports NetFlow. I tried to apply the following on one of the interfaces and the command is not available:

ip nbar protocol-discovery
ip flow ingress
ip flow egress

This is what I am running:

C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(40)SE

I will simply connect a Wireshark sniffer in the hope of determining where the traffic is coming from.

I am now seeing that the basic IOS is very limited when it comes to troubleshooting. I was unable to find IOS commands (with the basic version) that can detect where traffic is coming from, which protocols are running on a particular port, etc.

michael.leblanc Wed, 07/16/2008 - 09:03

I'm not using the same platform as you, so I can't be sure if the following is true of your scenario.

However, if you were looking to determine whether NetFlow was supported, I would have expected you to look for the presence of the "ip flow-export" command in global configuration mode.

e.g.:

router(config)# ip flow-export source loopback0
router(config)# ip flow-export version 5
router(config)# ip flow-export destination 2055

interface FastEthernet0
 ip route-cache flow

and/or:

interface FastEthernet0.8
 ip flow ingress

... depending on whether you are looking to collect from the physical interface, subinterface, or both. Some NetFlow Collectors do not support NetFlow configured directly on sub-interfaces, and require that it be configured on the physical interface.

To facilitate CLI access to NetFlow data, consider:

ip flow-top-talkers
 top 50
 sort-by packets

show ip flow top-talkers

I do think network taps should be in place to facilitate access with Wireshark, even if you utilize NetFlow. It is a primary tool that aids implementation, monitoring and diagnosis.
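As an added example (not from this thread or from Cisco), here is what the collector named in the "ip flow-export version 5" configuration above actually receives, and how a list equivalent to "show ip flow top-talkers ... sort-by packets" can be produced off-box when the IOS image lacks the top-talkers command: a Python parser for NetFlow v5 export datagrams. The record layout follows the published v5 header (24 bytes) and flow record (48 bytes) formats. The datagram is constructed inline with a small builder so the example runs offline; the addresses, ports and counters in it are assumed.

```python
"""Parse NetFlow v5 export datagrams and compute a top-talkers list.
Added example, not from the thread; the sample datagram is constructed."""
import socket
import struct
from collections import Counter

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes).
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 (48 bytes).
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def build_v5_datagram(flows, sys_uptime=100000, unix_secs=1215778800):
    """Build an export packet from (src, dst, sport, dport, proto, pkts, octets) tuples.
    Only used to construct sample input; a real router emits these itself."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
            1, 2, pkts, octets, sys_uptime - 5000, sys_uptime,
            sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets in flows)
    return header + body


def parse_v5_datagram(data):
    """Return (header dict, list of flow dicts); rejects non-v5 or truncated packets."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated record set")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "pkts": r[5], "octets": r[6],
            "sport": r[9], "dport": r[10], "proto": r[13],
        })
    # Low 14 bits of the sampling field hold the interval; top 2 bits are the mode.
    return {"count": count, "seq": seq, "sampling": sampling & 0x3FFF}, flows


def top_talkers(flows, n=50, sort_by="packets"):
    """Aggregate per source address, like 'show ip flow top-talkers' sorted by packets or bytes."""
    key = "octets" if sort_by in ("bytes", "octets") else "pkts"
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f[key]
    return totals.most_common(n)


# Constructed sample: three inside hosts, one of them busy on TCP/4662 (eDonkey).
SAMPLE_FLOWS = [
    ("10.1.1.20", "198.51.100.9", 3457, 4662, 6, 900, 1_200_000),
    ("10.1.1.20", "198.51.100.11", 3458, 4662, 6, 600, 800_000),
    ("10.1.1.33", "198.51.100.12", 51000, 80, 6, 120, 95_000),
    ("10.1.1.50", "198.51.100.20", 2048, 53, 17, 40, 6_000),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS)


if __name__ == "__main__":
    header, flows = parse_v5_datagram(SAMPLE_DATAGRAM)
    print(f"{header['count']} flows, sequence {header['seq']}")
    for src, pkts in top_talkers(flows, n=3, sort_by="packets"):
        print(f"{src:16} {pkts} packets")
```

In practice the bytes come from a UDP socket bound to the destination port given in "ip flow-export destination", and each datagram is parsed as it arrives; aggregating over a few minutes of exports gives the same picture that the missing CLI command would. Version and length are checked before any record is read so that a stray or truncated packet is rejected rather than mis-parsed.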

a.alekseev Wed, 07/16/2008 - 09:38

Netflow is not supported on 3750.

Use a sniffer and SPAN.

[Pls RATE if HELPS]
