Cisco IOS and Sniffing

Unanswered Question
Oct 12th, 2009

How can I leverage Cisco IOS to sniff traffic?

I can span a port and connect a sniffer.

What else? NetFlow? ACLs? have lost track of all the tools in IOS that one can use to sniff traffic.

I want to see if the 7609 router is receiving aaa traffic (UDP 1812 and 1813) and vise versa.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Lucien Avramov Mon, 10/12/2009 - 10:05

netflow is not a sniffing tool. It's a tool to create statistics about protocol usage and source / dest ip addresses. There is also NBAR for protocol usage.

For sniffing, as you say you need a SPAN/ RSPAN session and have a sniffer on the other end.

Or you can use the NAM module or appliance.

What exactly are you trying to achieve?

Giuseppe Larosa Mon, 10/12/2009 - 10:08

Hello Victor,

the newest feature is the embedded packet capture that works only on ISR and C7200 VXR routers.

But you still need and external sniffer on the destination port.


depending on your needs netflow, ACLs or ip accounting can provide some feedback

Also NBAR could be used for flow classification on an interface.

Hope to help


lamav Mon, 10/12/2009 - 11:33


I have a situation in which I need to verify that my 7609 router is receiving aaa requests from a certain appliance, and then forwarding them to the AAA server.

So, I know I can configure an ACL that matches the source/destination addresses as well as UDP 1812 and 1813, and then apply the ACL inbound to the interface in question. That is a pretty crude way to do it. I may see hits, but if there are too many, the buffer will overflow and a 'sh access-list" may not give the kind of accurate numbers I would like to see.

I have used ip accounting before to identify flows - again its crude because it will not match application ports (at least I dont remember it doing so). Anyway I enabled it on the interface in question, yet it does not give me any statistics at all - for any flows. Not sure whats the story with that.

I am vaguely aware of Netlow, but I think one must have that feature set enbled in the IOS version, no? Or does it come with the ip adv services version by default?

Then I know of course about spanning the port and using a sniffer, but I am trying to avoid that since that would require someone being located at the site to plug the sniffer in.

Any ideas now given the dtailed information have given?


Lucien Avramov Mon, 10/12/2009 - 11:38

Netflow will not be able to provide you that information.

What kind of aaa packets? You have many debug aaa options on the router to troubleshoot this.

lamav Mon, 10/12/2009 - 14:46

The router is neither generating nor terminating aaa traffic. ts just passing through like any other application traffic. So debug aaa authentication is worthless.

Lucien Avramov Mon, 10/12/2009 - 15:07

ACL matching can lead you to misleading information as you wont see the packet capture.

At this point, you dont have other options besides span the traffic to a sniffer.

ullasupendran Wed, 10/28/2009 - 15:32

Hi Victor,

In your case the 7609 router wont be able to see the aaa traffic as you have an IPSEC tunnel that carries the traffic. So the only traffic you will see is the ESP or AH through your 7609 routers.

So you need to sniff or use ACL before or after the IPSEC encription. :-)



glen.grant Wed, 10/28/2009 - 15:58

If you want to see packets and you know the addresses you are looking for you can create a acl with said addreses . You then do a debug ip packet detail and it will give you packet information about the addresses in your acl. On a router you may have to turn ip route cache off on the L3 interface that does the routing so it gets sent to the cpu and you can see it . Thats why you don't want to do this with a huge acl either as all the output gets sent to the cpu.


This Discussion