Re: Monitor Ports

From: Vladimir Sousa (vladrac@gmail.com)
Date: Mon Nov 19 2007 - 22:01:52 ART

• Next message: Ladee Geek: "Re: IP IGMP filter???"
• Previous message: Vladimir Sousa: "Re: Inverse Mask Odds and Evens Fun"
• Maybe in reply to: Ernst Pelser: "Monitor Ports"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hello there,

my understanding of this command "debug ip icmp" is that it will show you
replies (not even source icmp) from your router (for packets that are
destined to my router's IP).

I dont think you'll see icmp packets in transit or that are not destined to
the router itself.

Vlad

On 11/17/07, Ernst Pelser <e.pelser@infosecureltd.com> wrote:
>
> Hi Antonio
> Thanks for your response. I just realized that I probably didn't spend
> enough time thinking this question through. So assume that if I did a
> debug
> ip icmp on R6 I would see the traffic. Right?
>
> Regards, EP
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Antonio Soares
> Sent: 17 November 2007 17:30
> To: 'Ernst Pelser'; ccielab@groupstudy.com
> Subject: RE: Monitor Ports
>
> The traffic is actually sent to R6 but you don't see anything because R6
> silently drops it:
>
> +++++++++++++++++++++++++++
> Ping from R1 to R2
> +++++++++++++++++++++++++++
> R1#ping 12.12.12.2 re 1000
>
> Type escape sequence to abort.
> Sending 1000, 100-byte ICMP Echos to 12.12.12.2, timeout is 2 seconds:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!
> Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/1/4 ms
> R1#
> +++++++++++++++++++++++++++
> SW1#sh runn | inc monitor
> monitor session 1 source vlan 12 rx
> monitor session 1 destination interface Gi0/6 SW1#
> +++++++++++++++++++++++++++
> SW1#sh int g0/6
> GigabitEthernet0/6 is up, line protocol is down (monitoring)
> Hardware is Gigabit Ethernet, address is 0019.e87c.d306 (bia
> 0019.e87c.d306)
> MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
> reliability 255/255, txload 1/255, rxload 1/255
> Encapsulation ARPA, loopback not set
> Keepalive set (10 sec)
> Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
> input flow-control is off, output flow-control is unsupported
> ARP type: ARPA, ARP Timeout 04:00:00
> Last input 00:05:35, output 00:04:49, output hang never
> Last clearing of "show interface" counters 00:00:11
> Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
> Queueing strategy: fifo
> Output queue: 0/40 (size/max)
> 5 minute input rate 0 bits/sec, 0 packets/sec
> 5 minute output rate 7000 bits/sec, 8 packets/sec
> 0 packets input, 0 bytes, 0 no buffer
> Received 0 broadcasts (0 multicast)
> 0 runts, 0 giants, 0 throttles
> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
> 0 watchdog, 0 multicast, 0 pause input
> 0 input packets with dribble condition detected
> 2002 packets output, 236128 bytes, 0 underruns <------------ 1000
> echos
> from R1 + 1000 echo-replies from R2
> 0 output errors, 0 collisions, 0 interface resets
> 0 babbles, 0 late collision, 0 deferred
> 0 lost carrier, 0 no carrier, 0 PAUSE output
> 0 output buffer failures, 0 output buffers swapped out SW1#
> +++++++++++++++++++++++++++
>
> If you replace R6 with a sniffer, you will see the traffic.
>
> Regards,
>
> Antonio Soares
> CCIE #18473 (R&S),CCNP,CCIP,JNCIA-ER
> http://pwp.netcabo.pt/amsoares/
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ernst Pelser
> Sent: sabado, 17 de Novembro de 2007 16:51
> To: ccielab@groupstudy.com
> Subject: Monitor Ports
>
> Hi
> I have a question about monitoring ports (monitor session). I'm doing the
> SPAN section where you have routers 1 and 2 connecting to switch 1 on port
> f0/1 and f0/2 respectively. Then R6 connects to f0/6. The monitor session
> is
> set up to with the source being VLAN12 which both R1 and R2 are part of.
> The
> destination is F0/6 on SW (R6).
>
> To verify we enable debugging on R6. Then we ping 255.255.255.255 from R1
> and see traffic on R6. No problem there.
>
> The question I have is, why don't you see traffic on R6 when you ping to
> R2's IP from R1? Surely R6 should see that traffic as well?
>
> Thanks, EP
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: Ladee Geek: "Re: IP IGMP filter???"
• Previous message: Vladimir Sousa: "Re: Inverse Mask Odds and Evens Fun"
• Maybe in reply to: Ernst Pelser: "Monitor Ports"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:30 ART