RE: SPAN - Using a router as a sniffer

From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Thu Jun 01 2006 - 15:50:33 ART

• Next message: CCIEBOB: "checking usage of static routes"
• Previous message: Petr Lapukhov: "Re: SPAN - Using a router as a sniffer"
• Maybe in reply to: Schulz, Dave: "SPAN - Using a router as a sniffer"
• Next in thread: Scott Morris: "RE: SPAN - Using a router as a sniffer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I did that and this doesn't appear to work. I believe that Petr may be
right. However, I do remember one of the Brian's talking about doing
this in some of their material. Maybe the promiscuous mode is a
specific to a certain module or router platform. Interesting.

Dave Schulz,
Email: dschulz@dpsciences.com

-----Original Message-----
From: Victor Cappuccio [mailto:cvictor@protokolgroup.com]
Sent: Thursday, June 01, 2006 2:45 PM
To: 'Petr Lapukhov'; Schulz, Dave
Cc: ccielab@groupstudy.com
Subject: RE: SPAN - Using a router as a sniffer

Or you can disable route cache in all interfaces and do a debug ip
packet
dump

-----Mensaje original-----
De: nobody@groupstudy.com [mailto:nobody@groupstudy.com] En nombre de
Petr
Lapukhov
Enviado el: Jueves, 01 de Junio de 2006 02:23 p.m.
Para: Schulz, Dave
CC: ccielab@groupstudy.com
Asunto: Re: SPAN - Using a router as a sniffer

You clearly need to set interface to promiscuous mode :)

while it seems to be "possible":

R1#show controllers fastEthernet 0/0 | inc Promisc
  Promiscuous Mode Disabled, PHY Addr Enabled, Broadcast Addr Enabled

I'm still looking for a way to enable that :)) Maybe that is some
undocumented command. You see, routers are rarely used as
packet sniffers :)

Petr

2006/6/1, Schulz, Dave <DSchulz@dpsciences.com>:
>
> Group -
>
> I have been going over some of the switching subjects, specifically
> SPAN and am trying to use a router as a monitor/sniffer. I thought
that
> there was a way to do this, but I can't seem to get it to work. I
have
> set up IP on the fastethernet interface of a 3640, and set the
interface
> to "no ip route-cache" to see the debug packets. Then, did a "debup
ip
> packet detail".
>
> When I set up the SPAN, I can do the show command on the switch and
> notice that it is in monitoring, and packets are sent out of the
> interface.....however, the packets are not being received at the
router
> interface that is doing the monitoring (or suppose to be doing the
> monitoring). Any thoughts? Maybe this just can't be done, but I
> thought someone did this before.
>
>
> Dave Schulz
>
> Email: dschulz@dpsciences.com <mailto:dschulz@dpsciences.com >
>
>

• Next message: CCIEBOB: "checking usage of static routes"
• Previous message: Petr Lapukhov: "Re: SPAN - Using a router as a sniffer"
• Maybe in reply to: Schulz, Dave: "SPAN - Using a router as a sniffer"
• Next in thread: Scott Morris: "RE: SPAN - Using a router as a sniffer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:31 ART