University of Žilina > Faculty of Management Science and Informatics > Department of Information Networks

Router IP Traffic Export - the router's packet capture capabilities

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html

Cisco switches provide the SPAN and RSPAN features, which are suited to monitoring and capturing packets flowing through switch ports or VLANs. Cisco routers do not provide SPAN, so if you look for it on a router you will find nothing.

Cisco routers provide other features that can be used for traffic monitoring and capturing (as always, check the Cisco support pages for your device and IOS release). Searching for this, I found two possibilities:

Router IP Traffic Export (RITE)

Notes from the Cisco site:

IP Traffic Export allows you to configure your router to export IP packets received on multiple, simultaneous WAN or LAN interfaces. The unaltered IP packets are exported on a single LAN or VLAN interface, thereby, easing deployment of protocol analyzers and monitoring devices.

The Router IP Traffic Export Packet Capture Enhancements feature allows you to configure your router to capture IP packets in a buffer within the router, and then to dump these packets into a specified memory device.

So let's try it to see how it works and how to use it.

Configuration

To configure this feature we have to follow three steps:

  • Configure IP traffic export
  • Configure IP traffic capture
  • Display captured data

Configuring IP traffic export

The main task is to configure a traffic export profile, which defines the monitored interface (the one through which the traffic enters/leaves the router) and the export interface (the one to which copies of the traffic are sent, towards the monitoring host). One device supports multiple export profiles. Keep in mind that RITE sends unaltered, unencrypted copies of production traffic out of the export interface, addressed only by the destination MAC of the monitoring host, so that interface should connect directly to the monitoring host or to a dedicated monitoring segment.

In general, the steps are:

1. enable
2. configure terminal
3. ip traffic-export profile profile-name
! create the RITE profile

4. interface interface-name
! specify the outgoing interface where the traffic will be exported

5. bidirectional
! export incoming and outgoing traffic

6. mac-address H.H.H
! where H.H.H is the destination MAC address of the host to which the IP traffic will be exported

7. incoming {access-list {standard | extended | named} | sample one-in-every packet-number}
! optional: export only incoming packets permitted by the ACL, or only every Nth incoming packet

8. outgoing {access-list {standard | extended | named} | sample one-in-every packet-number}
! optional: the same for outgoing packets

9. exit
10. interface type number
! the monitored interface
11. ip traffic-export apply profile-name
! apply the profile to the monitored interface
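The procedure above with the optional steps 7 and 8 actually used, as an added example (not the configuration from the original page or from Cisco's documentation): incoming packets are exported only if they match a named extended ACL, while outgoing packets are sampled. Interface names, the destination MAC address, the host address and the ACL name are assumptions.

```cisco
! --- Added example; interface names, MAC address, host address and ACL name are assumptions ---
! This ACL only selects what RITE exports; it does not filter traffic on the monitored interface.
! A "permit" means "export a copy of this packet"; anything else is simply not exported.
ip access-list extended RITE_FILTER
 permit tcp any host 192.0.2.10 eq 80
 permit icmp any any
!
ip traffic-export profile FILTERED
 ! export interface: the segment where the monitoring host is connected (assumed)
 interface FastEthernet1/0
 ! export both directions of the monitored interface
 bidirectional
 ! destination MAC of the monitoring host (assumed)
 mac-address 0011.2233.4455
 ! incoming direction: only packets permitted by the ACL
 incoming access-list RITE_FILTER
 ! outgoing direction: no ACL, but only one packet in every 10
 outgoing sample one-in-every 10
!
interface FastEthernet0/0
 ! the monitored interface (assumed)
 ip traffic-export apply FILTERED
```

Verify with `show ip traffic-export`: the Sampling Rate and access-list lines should reflect the profile, and a growing Packets Dropped counter means the export interface is not keeping up with the monitored one, which is exactly the case sampling is meant for. On the monitoring host, capture only the exported frames by filtering on the destination MAC (for example `tcpdump -nn -i eth0 ether dst 00:11:22:33:44:55`), so that the host's own traffic does not mix with the export.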

In practice, I prepared a small demonstration network.

Topology

The topology is simulated in GNS3 and consists of two Linux TinyCore machines connected through the Cisco router R1. The fa 1/0 interface is connected to my real OS, where Wireshark is running.

[figure: topology]

RITE configuration

R1(config)#ip traffic-export profile MY_PROFILE
R1(conf-rite)#interface fas 1/0
R1(conf-rite)#bidirectional
! my PC's MAC address (from ipconfig /all)
R1(conf-rite)#mac-address 3C97.0E68.3683
R1(conf-rite)#exit
R1(config)#int fa 0/0
R1(config-if)#ip traffic-export apply MY_PROFILE

*Mar  1 00:24:15.723: %RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet0/0

R1(config-if)#^Z

R1#

*Mar  1 00:24:17.471: %SYS-5-CONFIG_I: Configured from console by console

Verification

A simple ping from the linux-tinycore1 machine to the other one

[figure: tinylinux]

is visible in Wireshark on my PC.

Verification on the router

R1#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface             FastEthernet0/0
        Export Interface                FastEthernet1/0
        Destination MAC address 3c97.0e68.3683
        bi-directional traffic export is on
Output IP Traffic Export Information    Packets/Bytes Exported    76/6384
        Packets Dropped           0
        Sampling Rate             one-in-every 1 packets
        No Access List configured
Input IP Traffic Export Information     Packets/Bytes Exported    89/7556
        Packets Dropped           0
        Sampling Rate             one-in-every 1 packets
        No Access List configured
        Profile MY_PROFILE is Active

Configuring IP traffic capture

1. enable
2. configure terminal
3. ip traffic-export profile profile-name mode capture
! capture mode: packets are kept in a buffer on the router instead of being exported to an interface
4. bidirectional
5. incoming {access-list {standard | extended | named} | sample one-in-every packet-number}
! optional
6. outgoing {access-list {standard | extended | named} | sample one-in-every packet-number}
! optional
7. length bytes
! maximum number of bytes of each packet to keep in the buffer
8. exit
9. interface type number
! the monitored interface
10. ip traffic-export apply profile-name size size
! size: size of the capture buffer allocated in router memory

Displaying captured data
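The capture procedure above carried through to the display step, as an added example (not the original page's configuration): a capture-mode profile applied to the monitored interface, the exec commands that start and stop the capture and copy the buffer off the router, and the show command for checking it. Profile name, interface, buffer size, ACL and the destination URL are assumptions; the exec commands (`traffic-export interface ... start | stop | copy url | clear`) are the ones documented on the Cisco page linked at the top, and the buffer size is assumed to be in bytes, so confirm both against your IOS release.

```cisco
! --- Added example; profile name, interface, ACL, buffer size and URL are assumptions ---
configure terminal
! ACL that selects which incoming packets are buffered (here: SSH only)
access-list 101 permit tcp any any eq 22
!
ip traffic-export profile CAPTURE mode capture
 ! capture both directions of the monitored interface
 bidirectional
 ! optional: only keep incoming packets permitted by ACL 101
 incoming access-list 101
 ! keep only the first 128 bytes of each packet (headers), which stretches the buffer
 length 128
 exit
!
interface FastEthernet0/0
 ! apply the profile with a capture buffer of 1000000 bytes (assumed unit) in router memory
 ip traffic-export apply CAPTURE size 1000000
 end
!
! exec mode: start capturing, stop once enough traffic has passed, then copy the buffer off the box
traffic-export interface FastEthernet0/0 start
traffic-export interface FastEthernet0/0 stop
traffic-export interface FastEthernet0/0 copy flash:r1-capture
! check counters and profile state, then clear the buffer before the next run
show ip traffic-export
traffic-export interface FastEthernet0/0 clear
```

The buffer is finite and lives in router memory, so size it with the router's free memory in mind and use `length` and an ACL to keep only what you need. Copying the capture straight to a TFTP server (`copy tftp://...`) sends the captured packets over the network in the clear; copying to flash and retrieving the file over an encrypted management channel avoids that.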

The second possibility is Cisco IOS Embedded Packet Capture (EPC):

http://www.cisco.com/en/US/products/ps9913/products_ios_protocol_group_home.html