RE: router as a sniffer?

From: Brian Dennis (brian@labforge.com)
Date: Fri Apr 04 2003 - 23:18:28 GMT-3

• Next message: Frank Medlin: "RE: Karl Solie book"
• Previous message: Brian Dennis: "RE: local sourced traffic no matching out bound ACL?"
• Maybe in reply to: Richard Davidson: "router as a sniffer?"
• Next in thread: Brian Dennis: "RE: router as a sniffer?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Use an ACL with the "debug ip packet" command to match only the packets
with the IP precedence you are looking for (i.e. access 101 per ip any
any pre 4). Remember to turn off any switching you are doing on the
interfaces so that the packets get sent to the processor for the debug
command to "see" them. Of course be careful process switching a lot of
packets on a real world router.

You could also use the "debug ip packet <acl>" command with the hidden
"dump" option if you want to actually see the IP precedence. You should
be able to figure out where the IP precedence is with the packets below
;-)

Output of the "debug ip packet dump" command:

<Packet with IP Precedence of Immediate>
2d06h: IP: s=10.1.1.2 (Ethernet0/0), d=10.1.1.1 (Ethernet0/0), len 100,
rcvd 3
03D5AFC0: 00D0 586EB720 .PXn7
03D5AFD0: 00055E0F B8E00800 45400064 001E0000 ..^.8`..E@.d....
03D5AFE0: FE01A636 0A010102 0A010101 0800958A ~.&6............
03D5AFF0: 25721219 00000000 0B99A59B ABCDABCD %r........%.+M+M
03D5B000: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
03D5B010: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
03D5B020: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
03D5B030: ABCDABCD ABCDABCD ABCDABCD 0A +M+M+M+M+M+M.
</Packet with IP Precedence of Immediate>

<Packet with IP Precedence of Flash Override>
2d06h: IP: s=10.1.1.2 (Ethernet0/0), d=10.1.1.1 (Ethernet0/0), len 100,
rcvd 3
03C04080: 00D0 586EB720 .PXn7
03C04090: 00055E0F B8E00800 45800064 00230000 ..^.8`..E..d.#..
03C040A0: FE01A5F1 0A010102 0A010101 0800FAAF ~.%q..........z/
03C040B0: 01221088 00000000 0B9F6651 ABCDABCD ."........fQ+M+M
03C040C0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
03C040D0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
03C040E0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
03C040F0: ABCDABCD ABCDABCD ABCDABCD 00 +M+M+M+M+M+M.
</Packet with IP Precedence of Flash Override>

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Richard Davidson
Sent: Friday, April 04, 2003 3:19 PM
To: groupstudy
Subject: router as a sniffer?

Is there a command on a router that will give you
packet info. Say for example I want to know what the
precedence in a packet is. Debug ip packet detail is
just not detailed enough.
Rich

• Next message: Frank Medlin: "RE: Karl Solie book"
• Previous message: Brian Dennis: "RE: local sourced traffic no matching out bound ACL?"
• Maybe in reply to: Richard Davidson: "router as a sniffer?"
• Next in thread: Brian Dennis: "RE: router as a sniffer?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:46 GMT-3