williamruckman
2 posts

Here is a neat article I saw over at the Internet Storm Center website about using a Cisco Router as a “Remote Collector” for tcpdump or Wireshark.

Link:

http://isc.sans.org/diary.html?storyid=7609

lobo
4 posts

Hi William,

I have also read the article today and found it very interesting. But then I remembered that most routers have CEF enabled nowadays, and "debug ip packet" will only show you process-switched packets.

IOS 12.4 Debug Command Reference:

IP packet debugging captures the packets that are process switched, including received, generated and forwarded packets. IP packets that are switched in the fast path are not captured.

Regards,

Jochen

luismg
130 posts

I cannot understand how an access list is able to capture traffic; it should just match the traffic, not store it. I don't see how any device is capturing the traffic that is accepted by that access list.

Could you please clarify that for me? Thanks in advance.

lobo
4 posts

The access list itself doesn't capture any traffic. It is rather used as a filter to specify which packets should be captured. You can think of it as a capture filter in tcpdump or Wireshark.

luismg
130 posts

So the interface is sniffing and the access list just lets go through the "interesting" traffic, is that the point of it?

kind regards

williamruckman
2 posts

The access list is used to log the "interesting traffic" to a syslog server. The traffic dump is then included in the log. You can then pull the packet dumps from the log and format them for Wireshark.
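
The "pull the packet dumps from the log and format them for Wireshark" step above is the part the diary leaves to the reader. Below is an added example of that conversion (not code from the ISC diary, from this poster, or from Cisco): it reads the hex rows that `debug ip packet <acl> dump` produces, as they arrive at a syslog server, and writes a pcap with the raw-IP link type so Wireshark can open it. The sample log lines are constructed to resemble IOS dump output and are an assumption about its exact layout; the parser is deliberately loose for that reason. Two caveats follow from the thread: only process-switched packets ever reach the dump (the CEF point made earlier), so nothing here recovers fast-switched traffic; and syslog over UDP drops lines under load, which the converter handles by skipping packets whose dump rows are missing rather than writing garbage.

```python
"""
Convert Cisco IOS 'debug ip packet <acl> dump' output, relayed to a syslog
server, into a pcap file. Added example for this thread; not code from the
ISC diary, from any poster, or from Cisco. ASSUMPTION: the log format below
(an 'IP: s=... d=... len N' header, then '<offset>: <hex words>' rows with
hex words separated by single spaces and the ASCII column by two) is a
constructed approximation of real IOS output.
"""
import re
import struct
from typing import List, Optional, Tuple

# Constructed sample log. Packet 1: Ethernet frame carrying a TCP SYN.
# Packet 2: buffer that begins at the IP header (ICMP echo) followed by four
# bytes of buffer slack. Packet 3: header whose dump rows were lost in transit.
SAMPLE_LOG = """\
Mar  1 10:15:32 rtr1: IP: s=192.0.2.10 (FastEthernet0/0), d=198.51.100.5 (FastEthernet0/1), g=198.51.100.5, len 40, forward
Mar  1 10:15:32 rtr1:     0E2E1D80:                   00005E00 01010000  ..^.....
Mar  1 10:15:32 rtr1:     0E2E1D90: 0C070100 08004500 00280001 00004006  ......E..(....@.
Mar  1 10:15:32 rtr1:     0E2E1DA0: 8E8CC000 020AC633 6405C000 00170000  ......3d........
Mar  1 10:15:32 rtr1:     0E2E1DB0: 00010000 00005002 FFFF0000 0000      ......P.......
Mar  1 10:15:33 rtr1: IP: s=192.0.2.20 (Tunnel0), d=198.51.100.5 (FastEthernet0/1), len 28, rcvd 2
Mar  1 10:15:33 rtr1:     0E2E1F00: 4500001C 00020000 40018E92 C0000214  E.......@.......
Mar  1 10:15:33 rtr1:     0E2E1F10: C6336405 0800F7FD 00010001 00000000  .3d.............
Mar  1 10:15:33 rtr1: IP: s=203.0.113.7 (FastEthernet0/0), d=198.51.100.5 (FastEthernet0/1), g=198.51.100.5, len 84, forward
"""

# Header line: 'g=' is present only for forwarded packets, so it is optional.
HDR_RE = re.compile(r"IP: s=(\S+) \((\S+)\), d=(\S+) \((\S+)\)(?:, g=\S+)?, len (\d+)")
# Dump row: 8-hex-digit buffer offset, then hex words separated by ONE space.
# The ASCII column is separated by two spaces, so the match stops before it.
HEX_RE = re.compile(r"\b[0-9A-F]{8}:\s+([0-9A-F]{2,8}(?: [0-9A-F]{2,8})*)")

LINKTYPE_RAW = 101  # pcap link type for packets that start at the IP header


def parse_dump(log_text: str) -> List[Tuple[str, bytes]]:
    """Group dump rows under their 'IP: s=' header; returns (header, raw buffer)."""
    packets: List[list] = []
    current = None
    for line in log_text.splitlines():
        m = HDR_RE.search(line)
        if m:
            current = [m.group(0), bytearray()]
            packets.append(current)
            continue
        m = HEX_RE.search(line)
        if m and current is not None:
            current[1] += bytes.fromhex(m.group(1).replace(" ", ""))
    return [(hdr, bytes(buf)) for hdr, buf in packets]


def to_ip_payload(raw: bytes) -> Optional[Tuple[bytes, int]]:
    """Normalise a dumped buffer to one IPv4 datagram: (bytes, original length).
    Decides by looking at the bytes, not the interface name in the header."""
    if len(raw) >= 15 and raw[12:14] == b"\x08\x00" and raw[14] >> 4 == 4:
        raw = raw[14:]          # Ethernet II frame: drop the 14-byte L2 header
    elif raw and raw[0] >> 4 == 4:
        pass                    # buffer already starts at the IP header
    else:
        return None             # empty, non-IPv4, or dump started mid-buffer
    if len(raw) < 20:
        return None
    total_len = struct.unpack("!H", raw[2:4])[0]
    if total_len < 20:
        return None
    # Trim buffer slack after the datagram; if the dump was truncated the
    # returned bytes are shorter than total_len and pcap records that.
    return raw[:total_len], total_len


def build_pcap(packets: List[Tuple[bytes, int]]) -> bytes:
    """Classic pcap, little-endian, snaplen 65535, raw-IP link type."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
    for i, (data, orig_len) in enumerate(packets):
        # ASSUMPTION: no trustworthy timestamp survives the syslog relay, so
        # packet order is encoded as whole seconds from epoch zero.
        out += struct.pack("<IIII", i, 0, len(data), orig_len) + data
    return bytes(out)


def convert(log_text: str) -> Tuple[bytes, int, int]:
    """Return (pcap bytes, packets written, packets skipped)."""
    kept, skipped = [], 0
    for _hdr, raw in parse_dump(log_text):
        norm = to_ip_payload(raw)
        if norm is None:
            skipped += 1
        else:
            kept.append(norm)
    return build_pcap(kept), len(kept), skipped


if __name__ == "__main__":
    pcap, written, skipped = convert(SAMPLE_LOG)
    with open("debug_dump.pcap", "wb") as fh:
        fh.write(pcap)
    print(f"wrote {written} packet(s) to debug_dump.pcap, skipped {skipped}")
```

Run it against a saved syslog file by passing the file's contents to `convert()`; the resulting pcap opens in Wireshark as raw IPv4. Stripping any Ethernet header and emitting a single raw-IP link type is a deliberate choice: a classic pcap carries one link type for the whole file, and a router's dump buffers do not all begin at the same layer.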

stretch
269 posts

Not a great idea. The proper tool for something like this is SPAN or RITE.

luismg
130 posts

I agree with SPAN; I think the admin shouldn't touch the traffic on the production interface.

neoce11
3 posts

I like the part when the author said just for fun. I agree with him. :D

Quote

My answer to this might be “Perhaps there are no PC’s at the remote location”, or “Maybe you’re not allowed to install a packet capture program on any of the remote PC’s”, or “the switch at the remote location might not support a SPAN port”. But the best answer is “Why wouldn’t you want to do this at least once just for fun – isn’t this the neatest thing ever?”
