sniffing with debug
The debug option "debug ip packet detail" works very well for some kinds of sniffing, but if no access list or a wrong access list is defined, it may crash your router or slow it down extremely!

	
1. Create an access list matching what you want to see
	evil-router#sh access-lists
	Extended IP access list 101
	    10 permit icmp any any (220 matches)
	
Apply the access list to the debug ip packet command
	evil-router#debug ip packet detail 101
	IP packet debugging is on (detailed) for access list 101
	evil-router#   
Check the logs:
018710: *Sep 16 21:03:36.487: IP: s=192.168.2.100 (FastEthernet0), d=192.168.2.156 (FastEthernet0), len 84, rcvd 3
018711: *Sep 16 21:03:36.487:     ICMP type=8, code=0
018712: *Sep 16 21:03:36.487: IP: tableid=0, s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), routed via FIB
018713: *Sep 16 21:03:36.487: IP: s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), len 84, sending
018714: *Sep 16 21:03:36.487:     ICMP type=0, code=0
018715: *Sep 16 21:03:37.487: IP: tableid=0, s=192.168.2.100 (FastEthernet0), d=192.168.2.156 (FastEthernet0), routed via RIB
018716: *Sep 16 21:03:37.487: IP: s=192.168.2.100 (FastEthernet0), d=192.168.2.156 (FastEthernet0), len 84, rcvd 3
018717: *Sep 16 21:03:37.487:     ICMP type=8, code=0
018718: *Sep 16 21:03:37.487: IP: tableid=0, s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), routed via FIB
018719: *Sep 16 21:03:37.487: IP: s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), len 84, sending
018720: *Sep 16 21:03:37.487:     ICMP type=0, code=0
You see the IP: line with the source and destination IP, and on a second line the ICMP part of this packet.
	
018719: *Sep 16 21:03:37.487: IP: s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), len 84, sending
018720: *Sep 16 21:03:37.487:     ICMP type=0, code=0
With an access list "permit tcp any any eq 23" you see only telnet packets:
019945: *Sep 16 21:30:04.223: IP: s=192.168.2.100 (FastEthernet0), d=192.168.2.156 (FastEthernet0), len 40, rcvd 3
019946: *Sep 16 21:30:04.223:     TCP src=52768, dst=23, seq=1102711754, ack=2173505052, win=7840 ACK
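
The pairing of each IP: line with its protocol detail line, as an added Python example that is not part of the original page: it parses debug output in the format shown above into one record per packet and counts flows. The names parse_debug, flows and SAMPLE are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: lines copied from the log excerpts above.
SAMPLE = """\
018710: *Sep 16 21:03:36.487: IP: s=192.168.2.100 (FastEthernet0), d=192.168.2.156 (FastEthernet0), len 84, rcvd 3
018711: *Sep 16 21:03:36.487:     ICMP type=8, code=0
018712: *Sep 16 21:03:36.487: IP: tableid=0, s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), routed via FIB
018713: *Sep 16 21:03:36.487: IP: s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), len 84, sending
018714: *Sep 16 21:03:36.487:     ICMP type=0, code=0
019945: *Sep 16 21:30:04.223: IP: s=192.168.2.100 (FastEthernet0), d=192.168.2.156 (FastEthernet0), len 40, rcvd 3
019946: *Sep 16 21:30:04.223:     TCP src=52768, dst=23, seq=1102711754, ack=2173505052, win=7840 ACK
"""

PREFIX = r"^(?P<seq>\d+): \*?(?P<ts>\w{3} +\d+ [\d:.]+): "
IP_RE = re.compile(PREFIX + r"IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+) \([^)]*\), "
                   r"d=(?P<dst>[\d.]+) \([^)]*\), (?P<rest>.*)$")
DETAIL_RE = re.compile(PREFIX + r"\s+(?P<proto>[A-Z]+) (?P<fields>.*)$")
LEN_RE = re.compile(r"len (?P<len>\d+), (?P<action>\w+)")

def parse_debug(text):
    """Return one dict per packet: the 'IP:' line merged with the detail line after it."""
    packets, pending = [], None
    for line in text.splitlines():
        m, d = IP_RE.match(line), DETAIL_RE.match(line)
        if m and (ln := LEN_RE.match(m["rest"])):
            # Only lines with "len N, rcvd/sending" describe a packet.
            pending = {"seq": int(m["seq"]), "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                       "len": int(ln["len"]), "action": ln["action"],
                       "proto": None, "fields": {}, "flags": []}
            packets.append(pending)
        elif d and pending is not None:
            tokens = d["fields"].replace(",", " ").split()
            pending["proto"] = d["proto"]
            pending["fields"] = {k: int(v) if v.isdigit() else v
                                 for k, v in (t.split("=", 1) for t in tokens if "=" in t)}
            pending["flags"] = [t for t in tokens if "=" not in t]  # e.g. ACK
            pending = None
        else:  # "routed via FIB/RIB" and unrelated lines carry no packet data
            pending = None
    return packets

def flows(packets):
    """Count packets per (src, dst, proto, TCP dst port or ICMP type)."""
    counts = Counter()
    for p in packets:
        key = p["fields"].get("dst", p["fields"].get("type"))
        counts[(p["src"], p["dst"], p["proto"], key)] += 1
    return counts
```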

              

sniffing with span ports
blah blah blah

(c) 2008 by packetlevel.ch / last update: 26.10.2008