Sniffing packets on a router.
Warning: if you capture traffic on a heavily used router, it may have an impact on the speed of the router, because debug output is generated for every matching packet.
In this case, create an access-list to reduce the traffic that gets debugged.
debug ip packet
Use the debug ip packet EXEC command to display general IP debugging information and IP security option (IPSO) security transactions. The no form of this command disables debugging output.
[no] debug ip packet [access-list-number] [detail] [dump]
Syntax Description
  access-list-number  (Optional) IP access list number that you can specify.
                      If the datagram is not permitted by that access list,
                      the related debugging output is suppressed.
  detail              (Optional) Displays detailed IP packet debugging information.
                      This information includes the packet types and codes as well as
                      source and destination port numbers.
  dump                (Hidden) Displays IP packet debugging information along with raw packet
                      data in hexadecimal and ASCII forms. This keyword can be enabled with individual
                      access lists and also with the detail keyword.
Sample 1: packet logging to the console (see warning!!)
evil-router#terminal monitor
evil-router#debug ip packet
*May 29 20:10:55.755: IP: tableid=0, s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), routed via FIB
*May 29 20:10:55.759: IP: tableid=0, s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), routed via FIB
*May 29 20:10:55.759: IP: tableid=0, s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), routed via FIB
Sample 2: detailed packet logging to the console (see warning!!)
evil-router#terminal monitor
evil-router#debug ip packet detail
*May 29 20:15:32.991: IP: s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), len 56, sending
*May 29 20:15:32.991: ICMP type=3, code=13
*May 29 20:15:32.991: IP: tableid=0, s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), routed via FIB
*May 29 20:15:32.995: IP: s=192.168.2.156 (local), d=224.0.0.2 (FastEthernet0), len 62, sending broad/multicast
*May 29 20:15:32.995: UDP src=646, dst=646
Sample 3: detailed packet logging with dump to the console (see warning!!)
evil-router#terminal monitor
evil-router#debug ip packet detail dump
*May 29 20:16:47.935: IP: s=192.168.2.156 (local), d=224.0.0.2 (FastEthernet0), len 62, sending broad/multicast
*May 29 20:16:47.935: UDP src=646, dst=646
07D2A2D0: 45C0003E 00000000 E@.>....
07D2A2E0: 011115A9 C0A8029C E0000002 02860286 ...)@(..`.......
07D2A2F0: 002AC772 0001001E C0A8029C 00000100 .*Gr....@(......
07D2A300: 00140000 00000400 0004000F 00000401 ................
07D2A310: 0004C0A8 029C ..@(..
*May 29 20:16:50.967: ICMP type=3, code=13
07CD3110: 45000038 DC590000 E..8\Y..
07CD3120: FF01591A C0A8029C C0A80264 030D35B5 ..Y.@(..@(.d..55
07CD3130: 00000000 45000054 00004000 3F01B558 ....E..T..@.?.5X
07CD3140: C0A80264 C0A8029C 0800B74C 072E00C3 @(.d@(....7L...C
07CD3150:
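To check that a dumped packet really matches the detail line printed above it (len 62, UDP src=646 dst=646, 192.168.2.156 to 224.0.0.2), here is an added Python parser; it is not part of the original page. It reassembles the raw bytes from the dump lines, drops the ASCII column, decodes the IPv4 header and verifies the header checksum.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed input: the dump lines IOS printed for the UDP packet in sample 3.
DUMP_LINES = """\
07D2A2D0: 45C0003E 00000000 E@.>....
07D2A2E0: 011115A9 C0A8029C E0000002 02860286 ...)@(..`.......
07D2A2F0: 002AC772 0001001E C0A8029C 00000100 .*Gr....@(......
07D2A300: 00140000 00000400 0004000F 00000401 ................
07D2A310: 0004C0A8 029C ..@(..
"""

# A dump word is 1 to 4 bytes of upper-case hex; the ASCII column never matches.
HEX_WORD = re.compile(r"^(?:[0-9A-F]{2}){1,4}$")

def dump_to_bytes(text):
    """Reassemble the raw packet from "<addr>: <hex words> <ascii>" lines."""
    raw = bytearray()
    for line in text.splitlines():
        _, _, rest = line.partition(":")
        for tok in rest.split():
            if not HEX_WORD.match(tok):  # first non-hex token opens the ASCII column
                break
            raw += bytes.fromhex(tok)
    return bytes(raw)

def ones_complement_sum(data):
    """RFC 1071 checksum; over a header with its checksum in place this is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4(raw):
    """Decode the IPv4 header (plus UDP ports) and verify the header checksum."""
    ver_ihl, _tos, length, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {"version": ver_ihl >> 4, "len": length, "ttl": ttl, "proto": proto,
           "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
           "checksum_ok": ones_complement_sum(raw[:ihl]) == 0,
           "truncated": len(raw) < length}
    if proto == 17 and len(raw) >= ihl + 4:  # UDP: pull the port pair
        pkt["udp_src"], pkt["udp_dst"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    return pkt
```

A "truncated" result means the dump was cut short (as happens when console output is dropped), so the payload bytes should not be trusted.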
Sample 4: packet logging to the console with an access-list.
Sample that logs only packets to TCP port 23 on the target 192.168.2.156.
evil-router#terminal monitor
evil-router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
evil-router(config)#access-list 150 permit tcp any host 192.168.2.156 eq 23
evil-router(config)#exit
evil-router#debug ip packet 150
*May 29 20:10:55.755: IP: tableid=0, s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), routed via FIB
*May 29 20:10:55.759: IP: tableid=0, s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), routed via FIB
*May 29 20:10:55.759: IP: tableid=0, s=192.168.2.156 (local), d=192.168.2.100 (FastEthernet0), routed via FIB
INFO
Only packets sent from or to the router itself are processed by "debug ip packet": transit traffic that is fast-switched or CEF-switched never reaches the process-switching path this debug hooks into, so it is not shown.