Saturday, August 20, 2011

Router Sniffer Capture




Ever wondered if you can run a sniffer from a router? I have only ever used monitor sessions on switches, so Router IP Traffic Export (RITE) was an interesting discovery for me. It can be used to achieve the same thing as a monitor session on a switch. It is also on the V4 blueprint, so it is a useful command to have come across. It's not that difficult either!

There are just two configuration steps. Define the outgoing sniffer port along with the MAC address of the attached device, then define the traffic flows to capture on the ingress port.

Here's an example:
ip traffic-export profile RICH
 ! port the sniffer is attached to
 interface Ethernet0/1
 ! MAC address of the sniffer
 mac-address 1111.2222.3333

! port whose traffic is captured
interface Ethernet0/0
 ip traffic-export apply RICH

R1#show ip traffic-exp
Router IP Traffic Export Parameters
Monitored Interface Ethernet0/0
Export Interface Ethernet0/1
Destination MAC address 1111.2222.3333
bi-directional traffic export is off
Input IP Traffic Export Information Packets/Bytes Exported 0/0
Packets Dropped 0
Sampling Rate one-in-every 1 packets
No Access List configured
Profile RICH is Active

There are a number of extra options I've not detailed here. The above shows the basic configuration that’s needed to get the feature operational.
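Since an export profile copies packets to whatever MAC address it names, it is worth checking what a router is exporting. The following is an added example, not part of the original post: a Python parser for the `show ip traffic-export` output above that flags active profiles sending to an unapproved MAC or copying every packet with no ACL. The second sample block, the `approved_macs` allow-list and the function names are assumptions made for illustration.

```python
import re

# Block 1: output from the post. Block 2: constructed, abbreviated, made-up values.
SAMPLE = """\
Router IP Traffic Export Parameters
Monitored Interface Ethernet0/0
Export Interface Ethernet0/1
Destination MAC address 1111.2222.3333
bi-directional traffic export is off
Input IP Traffic Export Information Packets/Bytes Exported 0/0
Packets Dropped 0
Sampling Rate one-in-every 1 packets
No Access List configured
Profile RICH is Active
Monitored Interface Ethernet0/2
Export Interface Ethernet0/3
Destination MAC address aaaa.bbbb.cccc
Sampling Rate one-in-every 10 packets
No Access List configured
Profile LAB is Active
"""

FIELDS = {
    "monitored": r"Monitored Interface\s+(\S+)",
    "export": r"Export Interface\s+(\S+)",
    "dst_mac": r"Destination MAC address\s+([0-9A-Fa-f.]+)",
    "sampling": r"Sampling Rate\s+one-in-every\s+(\d+)\s+packets",
    "profile": r"Profile\s+(\S+)\s+is\s+Active",
}

def parse_traffic_export(text):
    """Return one dict per monitored interface found in the output."""
    records = []
    for chunk in text.split("Monitored Interface")[1:]:
        block = "Monitored Interface" + chunk
        rec = {k: (m := re.search(p, block)) and m.group(1) for k, p in FIELDS.items()}
        rec["unfiltered"] = "No Access List configured" in block
        records.append(rec)
    return records

def audit(records, approved_macs):
    """Flag active exports to unapproved MACs, or of every packet with no ACL."""
    findings = []
    for r in (r for r in records if r["profile"]):  # profile is None unless Active
        if r["dst_mac"] not in approved_macs:
            findings.append((r["profile"], "unapproved destination MAC"))
        if r["unfiltered"] and r["sampling"] == "1":
            findings.append((r["profile"], "every packet exported, no ACL"))
    return findings
```

Calling `audit(parse_traffic_export(SAMPLE), {"1111.2222.3333"})` reports RICH for unfiltered one-in-one export and LAB for its destination MAC.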
