Cisco switches provide the SPAN and RSPAN features, which are suitable for monitoring and capturing packets flowing through switch ports or VLANs. These features are not available on Cisco routers, so if you look for them there, you will find nothing.
Cisco routers provide other features that can be used for traffic monitoring and capturing (of course, check the Cisco support page for your device and IOS version). Searching for this, I've found two possibilities:
- Router IP traffic Export (Raw IP)
- Cisco IOS Embedded Packet Capture
Router IP Traffic Export (RITE)
Notes from the Cisco site:
IP Traffic Export allows you to configure your router to export IP packets received on multiple, simultaneous WAN or LAN interfaces. The unaltered IP packets are exported on a single LAN or VLAN interface, thereby, easing deployment of protocol analyzers and monitoring devices.
The Router IP Traffic Export Packet Capture Enhancements feature allows you to configure your router to capture IP packets in a buffer within the router, and then to dump these packets into a specified memory device.
So let's try it to see how it works and how to use it.
To configure this feature we have to follow three steps:
- Configure IP traffic export
- Configure IP traffic capture
- Display captured data
Configuring IP traffic export
The main task is to configure a traffic export profile, which defines the monitored interface through which traffic enters/leaves and the outgoing (monitoring) interface to which the traffic will be exported. One device supports multiple export profiles.
Let's do that in general:
1. enable
2. configure terminal
3. ip traffic-export profile profile-name ! create the RITE profile
4. interface interface-name ! specify the outgoing interface where the traffic will be exported
5. bidirectional ! export incoming and outgoing traffic
6. mac-address H.H.H ! where H.H.H is the destination MAC address of the host to which we will export the IP traffic
7. incoming {access-list {standard | extended | named} | sample one-in-every packet-number} ! optional
8. outgoing {access-list {standard | extended | named} | sample one-in-every packet-number} ! optional
9. exit
10. interface type number
11. ip traffic-export apply profile-name
And in practice: I prepared a small demonstration network.
The topology is simulated in GNS3 and consists of two Linux TinyCore machines connected through the Cisco router R1. The fa 1/0 interface is connected to my real OS, where Wireshark is running.
RITE configuration
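R1(config)#ip traffic-export profile MY_PROFILE
R1(conf-rite)#interface fas 1/0
! export both directions (the verification output below shows bi-directional export is on)
R1(conf-rite)#bidirectional
! MAC address of my PC (from ipconfig /all)
R1(conf-rite)#mac-address 3C97.0E68.3683
R1(conf-rite)#exit
R1(config)#int fa 0/0
R1(config-if)#ip traffic-export apply MY_PROFILE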
*Mar 1 00:24:15.723: %RITE-5-ACTIVATE: Activated IP traffic export on interface FastEthernet0/0
*Mar 1 00:24:17.471: %SYS-5-CONFIG_I: Configured from console by console
A simple ping from the linux-tinycore1 machine to the other one is visible in Wireshark on my PC.
Verification on the router
R1#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface FastEthernet0/0
Export Interface FastEthernet1/0
Destination MAC address 3c97.0e68.3683
bi-directional traffic export is on
Output IP Traffic Export Information Packets/Bytes Exported 76/6384
Packets Dropped 0
Sampling Rate one-in-every 1 packets
No Access List configured
Input IP Traffic Export Information Packets/Bytes Exported 89/7556
Packets Dropped 0
Sampling Rate one-in-every 1 packets
No Access List configured
Profile MY_PROFILE is Active
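An added example (not part of the original post and not Cisco tooling): a small Python parser for the show ip traffic-export output above, plus an audit check that flags an active export towards a MAC address that is not an approved analyzer, or a direction that is dropping packets. The sample text is the verification output from this page; the function names, dictionary keys and the approved_macs allow-list are assumptions made for the example.

```python
import re

# Sample input: the verification output shown on this page.
SAMPLE = """\
Router IP Traffic Export Parameters
Monitored Interface FastEthernet0/0
Export Interface FastEthernet1/0
Destination MAC address 3c97.0e68.3683
bi-directional traffic export is on
Output IP Traffic Export Information Packets/Bytes Exported 76/6384
Packets Dropped 0
Sampling Rate one-in-every 1 packets
No Access List configured
Input IP Traffic Export Information Packets/Bytes Exported 89/7556
Packets Dropped 0
Sampling Rate one-in-every 1 packets
No Access List configured
Profile MY_PROFILE is Active
"""

TOP = {"monitored": r"Monitored Interface\s+(\S+)",
       "export": r"Export Interface\s+(\S+)",
       "dest_mac": r"Destination MAC address\s+(\S+)",
       "profile": r"Profile (\S+) is Active"}
PER_DIR = {"packets": r"Packets/Bytes Exported\s+(\d+)/\d+",
           "dropped": r"Packets Dropped\s+(\d+)"}

def parse_traffic_export(text):
    """Parse one profile block of 'show ip traffic-export' output."""
    info, cur = {"directions": {}}, {}  # cur: counters of current direction
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(Output|Input) IP Traffic Export", line):
            cur = info["directions"].setdefault(m.group(1).lower(), {})
        for key, rx in TOP.items():
            if m := re.match(rx, line):
                info[key] = m.group(1)
        for key, rx in PER_DIR.items():
            if m := re.search(rx, line):
                cur[key] = int(m.group(1))
    return info

def audit(info, approved_macs):
    """Findings for one profile; approved_macs is a hypothetical allow-list."""
    out = []
    if "profile" in info and info.get("dest_mac") not in approved_macs:
        out.append(f"active export to unapproved MAC {info.get('dest_mac')}")
    for name, d in info["directions"].items():
        if d.get("dropped"):
            out.append(f"{name}: {d['dropped']} packets dropped")
    return out
```

The allow-list entries must use the lowercase dotted form the router prints (3c97.0e68.3683), not the uppercase form typed in the configuration.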
Configuring IP traffic capture
1. enable
2. configure terminal
3. ip traffic-export profile profile-name mode capture
4. bidirectional
5. incoming {access-list {standard | extended | named} | sample one-in-every packet-number}
6. outgoing {access-list {standard | extended | named} | sample one-in-every packet-number}
7. length bytes
8. exit
9. interface type number
10. ip traffic-export apply profile-name size size
Displaying captured data
Cisco IOS Embedded Packet Capture