New Member

problem with debug config

cisco 2651XM router

IOS: c2600-adventerprisek9-mz.124-15.T9.bin

I have a mail-and-web server set at 192.168.0.6 connected to fa0/0 on my router and I want to monitor all traffic in and out of the server. The best debug config I've found so far for this is:

access-list 106 permit ip any host 192.168.0.6
access-list 106 permit ip host 192.168.0.6 any
!
interface fa0/0
 no ip route-cache
!
debug ip packet 106

but this doesn't show mail traffic. I do see some activity in the form of outside IPs probing the server, but when I send or receive mail I should see activity in the debug and there's nothing. Is there a better way to capture ALL traffic to and from this IP address? Thanks for any help.

2 ACCEPTED SOLUTIONS (Simon's first reply and James's monitor-session reply, both reproduced in the thread below)
19 REPLIES

Re: problem with debug config

Hi Tony.

The most likely reason you are not seeing the traffic in your debug is that you will need to do 'no ip route-cache' on your other interfaces as well. The switching process for a packet will pretty much be determined by what switching type you have configured on your source interface. So with 'no ip route-cache' on your f0/0 you will only process switch packets which are entering f0/0.

However, this is not good practice for your network. You should be using another feature that does not cause all of your traffic to be process switched. What information do you need about this traffic?

You could try 'ip source-track 192.168.0.6' - this will give you information on what is accessing your server using 'show ip source-track'.

You could use 'ip accounting' under each interface and then 'show ip accounting'.

Or you can think about Netflow.

But again it all depends on what you want to view about this traffic.

Kind Regards

Simon

Hall of Fame Super Silver

Re: problem with debug config

Anthony

Simon is right that debug can only see and report traffic that is processed in the CPU (and process switching is much less efficient than CEF switching). As a short-term thing to investigate a problem it may be OK to turn off CEF on all interfaces, but it does impact processing on the router.

Perhaps there is another possibility to consider. Assuming that there is a switch that connects the devices in that subnet to the router, is it possible to configure a port on that switch as a span port (or mirror port, depending on which switch it is) and to put a PC running packet capture software (something like wireshark) to capture all traffic to and from the server?

HTH

Rick

New Member

Re: problem with debug config

Thanks for your response, Rick. Your second paragraph sounds like the perfect solution, but I've never done the SPAN port/mirror port thing before. The router is fitted with an NM-16-ESW switch - configured as Vlan1 - set on 172.16.1.x - and I do have PCs connected to this. Up until now I've been logging the debug onto a syslog program on the PC, but having a detailed traffic feed to Wireshark would be ideal. Thanks for any further ideas.

New Member

Re: problem with debug config

Simon, thanks for your help; your comment regarding 'no ip route-cache' on all interfaces made all the difference. I did this and now there's loads of action in the debug log, including when sending and receiving mail.

I get what you say about it not being good for my network though, so I'll have to look at the other options you mentioned, i.e. 'ip source-track 192.168.0.6', but as a beginner it's all new to me.

To answer your question the reason I want to see the traffic is because the other day a hack attempt was being made on my server and it made me realise I should be able to get instant and full feedback on my server traffic when I needed it. Fortunately the hack was unsuccessful but that was just luck on my part and I put a block on the source ip which worked great.

Hall of Fame Super Silver

Re: problem with debug config

Simon

This is a very interesting feature with which I was not familiar. But I am not sure that it is going to work well for Anthony. Quoting from the link that you supplied about source track:

IP Source Tracker: Hardware Support

IP source tracking is supported on all Engine 0, 1, 2, and 4 line cards in the Cisco 12000 series Internet router. It is also supported on all port adapters and RSPs that have CEF switching enabled on Cisco 7500 series routers.

Since Anthony indicates that he is running on a 2651 it sounds like the feature may not yet be supported on his platform. It would be an excellent solution for him when the feature becomes supported on his platform (but given the age of the 2651XM I wonder if Cisco will extend support for the feature to that platform)

HTH

Rick

Re: problem with debug config

Hi Rick.

You are right, it may well not be fully supported on his release. It doesn't seem to be supported for 2600 and 3600, but most newer platforms have no problem, even down to 87x routers. Just need to have a later IOS.

I've never had a problem configuring it but then I haven't configured a 2600/3600 for some time.

I do not think that document makes it very clear on what hardware supports it, it kind of suggests that only the 12000 and 7500 support it which is incorrect.

Simon

New Member

Re: problem with debug config

thanks for the link simon. I tried ip source-track but ran into a couple of problems. I don't see how one can get a 'live' traffic picture using this tool. I couldn't see any reference to logging this command to a syslog. Nothing appears in the syslog window. I did 'show ip source-track' but it only gave scant details but then maybe I'm not doing it right. I need to see the traffic as it happens, a bit like wireshark shows.

Re: problem with debug config

Hi Tony.

That's correct - ip source tracker will never show you real time information.

A better solution to your current debug would be to re-enable CEF switching but then to configure an ACL that logs traffic to this particular host. This would be better because your router will only be process switching the traffic to/from this host and not process switching ALL traffic. An example would be:

access-list 106 permit ip any host 192.168.0.6 log-input
access-list 106 permit ip any any
access-list 107 permit ip host 192.168.0.6 any log-input
access-list 107 permit ip any any
!
ip access-list log-update threshold 1
!
interface f0/0
 ip route-cache cef
 ip access-group 106 out
 ip access-group 107 in

A more permanent solution could be the IP Export feature and then you can view your traffic on wireshark. I've not configured this myself.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_rawip.html

Simon
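One way to make use of those log lines once they reach the syslog PC, as an added example that is not part of the original thread and not Cisco code: a Python parser for the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP / IPACCESSLOGNP messages that a numbered ACL with the log-input keyword emits, with a per-remote-host summary and a crude port-scan check. The sample syslog lines are constructed (documentation address ranges, made-up MACs and timestamps), the message layout is assumed from IOS 12.4 output, and the function names parse_log, summarize and find_scanners are my own.

```python
import re
from collections import defaultdict

SERVER = "192.168.0.6"

# Constructed sample of what the syslog PC receives from ACLs 106/107 above.
# Layout assumed from IOS 12.4: IPACCESSLOGP for tcp/udp, IPACCESSLOGDP for
# icmp (type/code instead of ports), IPACCESSLOGNP for other IP protocols,
# IPACCESSLOGRL when the router's ACL-logging rate limit dropped messages.
# The "(interface mac)" part is only present because of the log-input keyword.
SAMPLE_LOG = """\
*Mar  1 00:14:02.111: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 203.0.113.5(44321) (FastEthernet0/1 0011.2233.4455) -> 192.168.0.6(25), 1 packet
*Mar  1 00:14:02.339: %SEC-6-IPACCESSLOGP: list 107 permitted tcp 192.168.0.6(25) (FastEthernet0/0 000c.2911.7a3f) -> 203.0.113.5(44321), 1 packet
*Mar  1 00:14:05.020: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 198.51.100.77(51000) (FastEthernet0/1 0011.2233.4455) -> 192.168.0.6(22), 1 packet
*Mar  1 00:14:05.021: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 198.51.100.77(51001) (FastEthernet0/1 0011.2233.4455) -> 192.168.0.6(23), 1 packet
*Mar  1 00:14:05.022: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 198.51.100.77(51002) (FastEthernet0/1 0011.2233.4455) -> 192.168.0.6(80), 1 packet
*Mar  1 00:14:05.023: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 198.51.100.77(51003) (FastEthernet0/1 0011.2233.4455) -> 192.168.0.6(443), 1 packet
*Mar  1 00:14:05.024: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 198.51.100.77(51004) (FastEthernet0/1 0011.2233.4455) -> 192.168.0.6(3306), 1 packet
*Mar  1 00:14:09.500: %SEC-6-IPACCESSLOGDP: list 106 permitted icmp 203.0.113.9 (FastEthernet0/1 0011.2233.4455) -> 192.168.0.6 (8/0), 1 packet
*Mar  1 00:14:12.000: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
"""

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifname>\S+) (?P<mac>\S+)\))?"  # ingress interface + MAC, log-input only
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)
RATE_LIMIT_RE = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?(?P<missed>\d+) packets?")


def parse_line(line):
    """Return a dict for one ACL log message, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "itype", "icode", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_log(text):
    """Parse a syslog capture. Returns (records, packets the router says it did not log)."""
    records, missed = [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
            continue
        rl = RATE_LIMIT_RE.search(line)
        if rl:
            missed += int(rl.group("missed"))
    return records, missed


def summarize(records, server=SERVER):
    """Per remote host: packets sent to / received from the server, and server ports touched."""
    stats = defaultdict(lambda: {"packets_in": 0, "packets_out": 0, "server_ports": set()})
    for r in records:
        if r["dst"] == server:
            s = stats[r["src"]]
            s["packets_in"] += r["count"]
            if r["dport"] is not None:
                s["server_ports"].add(r["dport"])
        elif r["src"] == server:
            stats[r["dst"]]["packets_out"] += r["count"]
    return dict(stats)


def find_scanners(stats, min_ports=5):
    """Remote hosts that touched at least min_ports distinct server ports (crude port-scan signal)."""
    return sorted(h for h, s in stats.items() if len(s["server_ports"]) >= min_ports)


if __name__ == "__main__":
    recs, missed = parse_log(SAMPLE_LOG)
    stats = summarize(recs)
    for host, s in sorted(stats.items()):
        print(f"{host:16} in={s['packets_in']:<4} out={s['packets_out']:<4} "
              f"ports={sorted(s['server_ports'])}")
    print("possible scanners:", find_scanners(stats))
    if missed:
        print(f"warning: router reported {missed} packets missed by ACL logging rate limit")
```

The missed counter matters: even with 'log-update threshold 1', ACL logging is rate-limited on the router, so a burst such as a port scan will usually produce an IPACCESSLOGRL message, and the parsed records are then a sample of the traffic rather than the whole of it. A SPAN port feeding Wireshark, as discussed later in the thread, does not have that limitation.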

Re: problem with debug config

Depending on the detail required you could run netstat, tcpdump (windump), or a packet sniffer (Wireshark etc...) on the Server itself.

New Member

Re: problem with debug config

Normally yes, but the server in question is a Sun Cobalt RaQ server. These servers don't have monitors or keyboards; they are controlled only by a web GUI on another PC, and you can't install capture programs on them. Thus capturing traffic data on them is a challenge.

Re: problem with debug config

If it's a Sun box you should be able to shell into it and run snoop.

If a little bit of downtime is acceptable you could also put a hub / switch in front of it and sniff off of that.

James

New Member

Re: problem with debug config

Thanks for your further response, James.

After searching Google it would appear there is no snoop package for the RaQ4. The early RaQs are quite limited in that they run on a thinned-down version of Linux.

But your idea about sniffing from a hub/switch was good - I don't know why I didn't think of that. The RaQ server and my PC are both connected to the same NM-16-ESW switch module in the Cisco router and both on the same Vlan, but I'm not having much luck with Wireshark on the PC; it won't pick up the traffic going to the RaQ server. Do you know if there's a command that will 'join' the two ports together to act as a hub?

Hall of Fame Super Silver

Re: problem with debug config

Anthony

I do not believe that there is a command that will join the 2 ports together to act as a hub. But you may be able to configure the port of your PC as a SPAN (or monitor) port to see all the traffic to and from the server. (SPAN or monitor depending on the command syntax of the NM-16-ESW - I am not sure which it uses)

HTH

Rick

Re: problem with debug config

monitor session 1 source interface f0/1/1 rx

and

monitor session 1 destination interface f0/1/2

New Member

Re: problem with debug config

yeah!

Thanks for your response, James, and now I'm getting somewhere since applying those two monitor commands you gave. I'm now getting a live readout in Wireshark on a PC of traffic on the RaQ server.

The only slight drawback is that the PC that's receiving the data loses internet access while the monitor commands are running. Fortunately I have a spare PC behind me that I don't use much and I can feed the data to that.

Re: problem with debug config

Thanks for the rating.

Regarding the loss of Internet access: I have an older laptop with two NICs (one dedicated to capturing traffic) that I use when sniffing. It's very handy to have if you sniff a lot. At times I even pack it up and ship it off to remote locations. That laptop has seen more of the world than me!

New Member

Re: problem with debug config

OK, but I do have some confusion regarding the monitor commands you gave.

I've never seen a network port referred to as f0/1/1. I've only ever seen f0/1, which refers to one network port. How can you have /1 and /2 on one port?
