Just take a dump !
Okay, not that kind of dump!
You can craft an ACL and debug against that ACL with the keyword dump. Let's say you want to look at traffic to a single host on port 666/tcp:
config t
!
!
!
access-list 101 permit tcp any host 1.1.1.1 eq 666
!
!
end
and finally
debug ip packet detail 101 dump
show log
The output will be dumped in a way similar to tcpdump with the -A option.
e.g.
*Mar 1 02:00:15.743: IP: s=10.0.0.2 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89
47A00D50: 45C0004C 03470000 E@.L.G..
47A00D60: 0159CB4B 0A000002 E0000005 0201002C .YKK....`......,
47A00D70: 02020202 00000000 DE980000 00000000 ........^.......
47A00D80: 00000000 FFFFFF00 000A1201 00000028 ...............(
47A00D90: 0A000002 00000000 FFF60003 00010004 .........v......
47A00DA0: 00000001 ....
R2#
*Mar 1 02:00:25.743: IP: s=10.0.0.2 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89
47A00350: 45C0004C 03480000 E@.L.H..
47A00360: 0159CB4A 0A000002 E0000005 0201002C .YKJ....`......,
47A00370: 02020202 00000000 DE980000 00000000 ........^.......
47A00380: 00000000 FFFFFF00 000A1201 00000028 ...............(
47A00390: 0A000002 00000000 FFF60003 00010004 .........v......
47A003A0: 00000001 ....
R2#
*Mar 1 02:00:35.743: IP: s=10.0.0.2 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89
47A01110: 45C0004C 03490000 E@.L.I..
47A01120: 0159CB49 0A000002 E0000005 0201002C .YKI....`......,
47A01130: 02020202 00000000 DE980000 00000000 ........^.......
47A01140: 00000000 FFFFFF00 000A1201 00000028 ...............(
47A01150: 0A000002 00000000 FFF60003 00010004 .........v......
47A01160: 00000001 ....
R2#
*Mar 1 02:00:45.743: IP: s=10.0.0.2 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89
47A01390: 45C0004C 034A0000 E@.L.J..
47A013A0: 0159CB48 0A000002 E0000005 0201002C .YKH....`......,
47A013B0: 02020202 00000000 DE980000 00000000 ........^.......
47A013C0: 00000000 FFFFFF00 000A1201 00000028 ...............(
47A013D0: 0A000002 00000000 FFF60003 00010004 .........v......
47A013E0: 00000001 ....
R2#
NOTE: The above is a simple OSPF dump, btw.
Just make sure you clear the debug when you're done. Key points:
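To read a dump like the one above offline, the hex words can be reassembled into packet bytes and the IPv4 header decoded and checksum-verified. This is an added Python example, not code from the original post; the names extract_packets, decode_ipv4 and SAMPLE_LOG are made up for illustration, and the sample is the first packet from the output above.

```python
import re
import socket
import struct

# Constructed sample: the first packet from the `show log` output quoted above.
SAMPLE_LOG = """\
*Mar 1 02:00:15.743: IP: s=10.0.0.2 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89
47A00D50: 45C0004C 03470000 E@.L.G..
47A00D60: 0159CB4B 0A000002 E0000005 0201002C .YKK....`......,
47A00D70: 02020202 00000000 DE980000 00000000 ........^.......
47A00D80: 00000000 FFFFFF00 000A1201 00000028 ...............(
47A00D90: 0A000002 00000000 FFF60003 00010004 .........v......
47A00DA0: 00000001 ....
R2#
"""

# Memory address, then 1-4 hex words. A word counts only if whitespace follows
# it, so the trailing ASCII column at end of line is never taken as data.
DUMP_LINE = re.compile(r"^[0-9A-F]{8}:\s+((?:[0-9A-F]{8}\s+){1,4})")

def extract_packets(log_text):
    """Yield the raw bytes of each packet found in the debug output."""
    buf = bytearray()
    for line in log_text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            buf += bytes.fromhex("".join(m.group(1).split()))
        elif buf:  # any non-dump line (next header, prompt) ends the packet
            yield bytes(buf)
            buf = bytearray()
    if buf:
        yield bytes(buf)

def decode_ipv4(raw):
    """Decode the IPv4 header of one packet and verify its checksum."""
    if len(raw) < 20 or raw[0] >> 4 != 4 \
            or not 20 <= (raw[0] & 0x0F) * 4 <= len(raw):
        raise ValueError("not a complete IPv4 header")
    hdr_len = (raw[0] & 0x0F) * 4
    _vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    # The one's-complement sum over a valid header folds to 0xFFFF.
    total = sum(struct.unpack("!%dH" % (hdr_len // 2), raw[:hdr_len]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "total_len": total_len,
            "checksum_ok": total == 0xFFFF,
            "payload": raw[hdr_len:total_len]}
```

The decoded src, dst, total_len and proto can be compared against the s=, d=, len and proto= fields on the header line to confirm the dump was reassembled correctly.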
- be specific with the ACL
- if your cpu is high, you probably want to avoid this
- term mon will dump to your screen
Ken Felix
Freelance Network & Security Engineer
kfelix ---a--t-- socpuppets ---d---o--t--- com
^ ^
=( * * )=
O
// \\