Saturday, July 13, 2013

dump a packet on a cisco router

A neat trick that you can use if you're in a bind.

Just take a dump!

Okay, not that kind of dump!

You can craft an ACL and debug against that ACL with the keyword dump. Let's say you want to look at traffic to a single host on port 666/tcp:


   config t
   !
   access-list 101 permit tcp any host 1.1.1.1 eq 666
   !
   end


and finally

     debug ip packet detail 101 dump

     show log 

The output will be dumped in a format similar to tcpdump with the -A option.

e.g.
*Mar  1 02:00:15.743: IP: s=10.0.0.2 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89
47A00D50:                   45C0004C 03470000          E@.L.G..
47A00D60: 0159CB4B 0A000002 E0000005 0201002C  .YKK....`......,
47A00D70: 02020202 00000000 DE980000 00000000  ........^.......
47A00D80: 00000000 FFFFFF00 000A1201 00000028  ...............(
47A00D90: 0A000002 00000000 FFF60003 00010004  .........v......
47A00DA0: 00000001                             ....           
R2#
*Mar  1 02:00:25.743: IP: s=10.0.0.2 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89
47A00350:                   45C0004C 03480000          E@.L.H..
47A00360: 0159CB4A 0A000002 E0000005 0201002C  .YKJ....`......,
47A00370: 02020202 00000000 DE980000 00000000  ........^.......
47A00380: 00000000 FFFFFF00 000A1201 00000028  ...............(
47A00390: 0A000002 00000000 FFF60003 00010004  .........v......
47A003A0: 00000001                             ....           
R2#
*Mar  1 02:00:35.743: IP: s=10.0.0.2 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89
47A01110:                   45C0004C 03490000          E@.L.I..
47A01120: 0159CB49 0A000002 E0000005 0201002C  .YKI....`......,
47A01130: 02020202 00000000 DE980000 00000000  ........^.......
47A01140: 00000000 FFFFFF00 000A1201 00000028  ...............(
47A01150: 0A000002 00000000 FFF60003 00010004  .........v......
47A01160: 00000001                             ....           
R2#
*Mar  1 02:00:45.743: IP: s=10.0.0.2 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89
47A01390:                   45C0004C 034A0000          E@.L.J..
47A013A0: 0159CB48 0A000002 E0000005 0201002C  .YKH....`......,
47A013B0: 02020202 00000000 DE980000 00000000  ........^.......
47A013C0: 00000000 FFFFFF00 000A1201 00000028  ...............(
47A013D0: 0A000002 00000000 FFF60003 00010004  .........v......
47A013E0: 00000001                             ....           
R2#


NOTE: the above is a simple OSPF dump, by the way.
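To get more out of the dump than eyeballing the hex, here is an added Python example (not from the post) that parses the rows of the debug output above back into raw packet bytes, decodes the IPv4 header and verifies its checksum. It assumes the row layout shown above (memory address, up to four 32-bit words in hex, then the ASCII column) and uses the first packet of the dump as a constructed sample.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed sample: the first packet from the debug output shown in the post.
SAMPLE = """\
*Mar  1 02:00:15.743: IP: s=10.0.0.2 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89
47A00D50:                   45C0004C 03470000          E@.L.G..
47A00D60: 0159CB4B 0A000002 E0000005 0201002C  .YKK....`......,
47A00D70: 02020202 00000000 DE980000 00000000  ........^.......
47A00D80: 00000000 FFFFFF00 000A1201 00000028  ...............(
47A00D90: 0A000002 00000000 FFF60003 00010004  .........v......
47A00DA0: 00000001                             ....
R2#
"""

# Per-packet summary line, and a hex-dump row: memory address, 1..4 words of 8 hex digits, ASCII column.
HEADER_RE = re.compile(r"IP: s=(\S+) \(.*?\), d=(\S+) \(.*?\), len (\d+)")
ROW_RE = re.compile(r"^[0-9A-F]{8}:((?:\s+[0-9A-F]{8})+)")

def extract_packets(text):
    """Split the log into packets and rebuild each packet's raw bytes from its hex rows."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            current = {"src": m.group(1), "dst": m.group(2), "len": int(m.group(3)), "raw": bytearray()}
            packets.append(current)
        elif current is not None and (m := ROW_RE.match(line)):
            current["raw"] += bytes.fromhex("".join(m.group(1).split()))
    for p in packets:  # trust the IOS-reported length; drop trailing padding if the last word is partial
        p["raw"] = bytes(p["raw"][: p["len"]])
    return packets

def ip_checksum(header):
    """RFC 1071 one's-complement sum; verifying a valid IPv4 header yields 0."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4(raw):
    """Decode the fixed IPv4 header from the rebuilt bytes and verify its checksum."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "checksum_ok": ip_checksum(raw[:ihl]) == 0, "payload": raw[ihl:total_len]}
```

Feed it the text of `show log` after the debug has run and each packet comes back as bytes you can hand to any other decoder, with the header fields cross-checked against the summary line.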


Just make sure you clear the debug when you're done. Key points:


  • be specific with the ACL
  • if your CPU is already high, you probably want to avoid this
  • term mon (terminal monitor) will dump the output to your screen


Ken Felix
Freelance Network & Security Engineer
kfelix  ---a--t-- socpuppets ---d---o--t--- com


    ^      ^
=( *     * )=
        O
       // \\
