IP traffic export: how to mirror traffic on a router
The Switched Port Analyzer (SPAN) feature, sometimes called port mirroring or port monitoring, selects network traffic from a switched port for analysis by a network analyzer. Unfortunately, this feature works only on switches or Layer 3 switches. So on a router, what can you do to copy the traffic?
In a previous article, I explained the Embedded Packet Capture, a powerful feature to capture data packets directly on the NVRAM. Another good solution is 'IP traffic export'.
Introduced in IOS 12.3(4)T, the IP Traffic Export feature allows users to configure their router to export IP packets that are received on multiple, simultaneous WAN or LAN interfaces. The unaltered IP packets are exported on a single LAN or VLAN interface, thereby easing deployment of protocol analyzers and monitoring devices.
How to use IP traffic export
Suppose that you want to copy the Dialer1 traffic to the IDS host (MAC address: 0015.61b9.2abb).
Step #1: Define a traffic export profile
Ciscozine#conf t
Ciscozine(config)#ip traffic-export profile ciscozine-test mode export
Ciscozine(conf-rite)#bidirectional
Ciscozine(conf-rite)#interface fastEthernet 0/0
Ciscozine(conf-rite)#mac-address 0015.61b9.2abb
The bidirectional command exports incoming and outgoing IP traffic on the monitored interface. If this command is not enabled, only incoming traffic is exported.
The interface command specifies the outgoing interface for the exported traffic.
The mac-address command specifies the 48-bit address of the destination host that is receiving the exported traffic.
Step #2: Apply the profile to an ingress interface
Ciscozine(config)#interface dialer 1
Ciscozine(config-if)#ip traffic-export apply ciscozine-test
After that, the router will start to mirror the IP traffic to the host.
To see the traffic export statistics, use the "show ip traffic-export" command:
Ciscozine#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface              Dialer1
   Export Interface              FastEthernet0/0
   Destination MAC address       0015.61b9.2abb
   bi-directional traffic export is on
Output IP Traffic Export Information
   Packets/Bytes Exported        981/475672
   Packets Dropped               0
   Sampling Rate                 one-in-every 1 packets
   No Access List configured
Input IP Traffic Export Information
   Packets/Bytes Exported        900/571078
   Packets Dropped               0
   Sampling Rate                 one-in-every 1 packets
   No Access List configured
Profile ciscozine-test is Active
Ciscozine#
Remember: When IP traffic export is enabled, a delay is incurred on the outbound interface when packets are captured and transmitted across the interface. Performance delays increase with the increased number of interfaces that are monitored and the increased number of destination hosts.
- The MAC address of the device that is receiving the exported traffic must be on the same VLAN or directly connected to one of the router interfaces. (Use the show arp command to determine the MAC address of the device that is directly connected to an interface.)
- The outgoing interface for exported traffic must be Ethernet (10/100/1000). (Incoming (monitored) traffic can traverse any interface.)
Like Embedded Packet Capture, IP traffic export lets you save packets in local router memory and then dump this data to a file on an external device, such as flash memory. To do it, you need:
Step 1: Define a traffic capture profile
Ciscozine(config)#ip traffic-export profile ciscozine-test-2 mode capture
Ciscozine(conf-rite)#bidirectional
Step 2: Apply the profile to an ingress interface
Ciscozine(config)#int dialer 1
Ciscozine(config-if)#ip traffic-export apply ciscozine-test-2 size 1000000
Step 3: Start the capture
traffic-export interface dialer 1 start
Step 4: Stop the capture when you want or, if you prefer, wait until the buffer is full
traffic-export interface dialer 1 stop
Step 5: Check the IP traffic capture statistics
Ciscozine#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface:             Dialer1
   Capture full packet length.
   bi-directional traffic capture is on
Output IP Traffic Capture Information
   Packets/Bytes Captured        748/389641
   Packets Dropped               1078
   Sampling Rate                 one-in-every 1 packets
   No Access List configured
Input IP Traffic Capture Information
   Packets/Bytes Captured        794/584753
   Packets Dropped               1040
   Sampling Rate                 one-in-every 1 packets
   No Access List configured
IP Traffic Capture Buffer Information
   Defined Buffer Size           1000000 bytes
   Capture Buffer Size           1000000 bytes
   Capture Buffer Used           999090 bytes
   Capture Buffer Free           910 bytes
Profile ciscozine-test-2 capture state: Buffer Full
Ciscozine#
Step 6: Copy the dump file to an external device (in this case to a TFTP server)
traffic-export interface dialer 1 copy tftp:
Step 7: Check the dump file using Wireshark
Remember: If you want to clear the packet capture buffer for the designated interface, use the traffic-export interface clear command.
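Both procedures end with a "show ip traffic-export" check, and the two listings above already show the conditions worth watching: in export mode a clean run with zero drops, in capture mode hundreds of dropped packets and a full buffer. The following Python script is an added example, not part of the original post, that parses those two listings (the sample text is the page's own output; its line layout is reconstructed from the flattened text, so the parser keys on labels and values rather than column positions) and raises a finding for dropped packets, a sampling rate other than one-in-every 1, and a nearly or completely full capture buffer. Feed it the output of the command collected over SSH or from a log and it tells you whether the IDS or the capture file is actually seeing all the traffic.

```python
import re

# Sample listings taken from the page's own "show ip traffic-export" output (export
# mode first, then capture mode); layout reconstructed from the page's flattened text.
EXPORT_OUTPUT = """\
Monitored Interface              Dialer1
   Export Interface              FastEthernet0/0
   Destination MAC address       0015.61b9.2abb
   bi-directional traffic export is on
Output IP Traffic Export Information
   Packets/Bytes Exported        981/475672
   Packets Dropped               0
   Sampling Rate                 one-in-every 1 packets
   No Access List configured
Input IP Traffic Export Information
   Packets/Bytes Exported        900/571078
   Packets Dropped               0
   Sampling Rate                 one-in-every 1 packets
   No Access List configured
Profile ciscozine-test is Active
"""

CAPTURE_OUTPUT = """\
Monitored Interface:             Dialer1
   bi-directional traffic capture is on
Output IP Traffic Capture Information
   Packets/Bytes Captured        748/389641
   Packets Dropped               1078
   Sampling Rate                 one-in-every 1 packets
Input IP Traffic Capture Information
   Packets/Bytes Captured        794/584753
   Packets Dropped               1040
   Sampling Rate                 one-in-every 1 packets
IP Traffic Capture Buffer Information
   Defined Buffer Size           1000000 bytes
   Capture Buffer Size           1000000 bytes
   Capture Buffer Used           999090 bytes
   Capture Buffer Free           910 bytes
Profile ciscozine-test-2 capture state: Buffer Full
"""

# Per-direction counters: regex -> keys filled from its numeric groups.
COUNTER_PATTERNS = [
    (re.compile(r"Packets/Bytes (?:Exported|Captured)\s+(\d+)/(\d+)"), ("packets", "bytes")),
    (re.compile(r"Packets Dropped\s+(\d+)"), ("dropped",)),
    (re.compile(r"Sampling Rate\s+one-in-every (\d+) packets"), ("sampling",)),
]
HEADER_RE = re.compile(r"(Output|Input) IP Traffic (Export|Capture) Information")
PROFILE_RE = re.compile(r"Profile (\S+) (?:is (\w+)|capture state: (.+))")
BUFFER_RE = re.compile(r"(Defined Buffer Size|Capture Buffer Size|Capture Buffer Used|Capture Buffer Free)\s+(\d+) bytes")


def parse_traffic_export(text: str) -> dict:
    """Parse one 'show ip traffic-export' listing (export or capture mode) into a dict."""
    info = {"directions": {}, "buffer": {}, "bidirectional": False}
    section = None  # "output" or "input" while inside a per-direction block
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"Monitored Interface:?\s+(\S+)", line):
            info["monitored_interface"] = m.group(1)
        elif m := re.match(r"Export Interface\s+(\S+)", line):
            info["export_interface"] = m.group(1)
        elif m := re.match(r"Destination MAC address\s+(\S+)", line):
            info["destination_mac"] = m.group(1)
        elif re.match(r"bi-directional traffic (?:export|capture) is on", line):
            info["bidirectional"] = True
        elif m := HEADER_RE.match(line):
            section, info["mode"] = m.group(1).lower(), m.group(2).lower()
            info["directions"][section] = {}
        elif m := PROFILE_RE.match(line):
            info["profile"], info["state"] = m.group(1), m.group(2) or m.group(3)
        elif m := BUFFER_RE.match(line):
            info["buffer"][m.group(1).lower().replace(" ", "_")] = int(m.group(2))
        elif section in info["directions"]:
            for pattern, keys in COUNTER_PATTERNS:
                if m := pattern.match(line):
                    info["directions"][section].update(zip(keys, map(int, m.groups())))
    return info


def drop_ratio(counters: dict) -> float:
    """Fraction of packets seen in one direction that were dropped instead of exported/captured."""
    dropped = counters.get("dropped", 0)
    return dropped / max(counters.get("packets", 0) + dropped, 1)


def assess(info: dict) -> list:
    """Findings a monitoring job should raise: drops, sampling below 1:1, a (nearly) full buffer."""
    findings = []
    for direction, counters in info["directions"].items():
        if counters.get("dropped", 0):
            findings.append(f"{direction}: {counters['dropped']} packets dropped "
                            f"({100 * drop_ratio(counters):.1f}% of traffic seen)")
        if counters.get("sampling", 1) != 1:
            findings.append(f"{direction}: only one-in-every {counters['sampling']} packets is exported")
    used, size = info["buffer"].get("capture_buffer_used", 0), info["buffer"].get("capture_buffer_size", 0)
    if size and used / size >= 0.9:
        findings.append(f"capture buffer {100 * used / size:.1f}% used")
    if info.get("state") == "Buffer Full":
        findings.append("capture state is Buffer Full: copy the buffer out, then clear it")
    return findings
```

On the page's capture listing, assess() reports drops of about 59% outbound and 57% inbound plus a 99.9% full buffer, which is exactly the "Packets Dropped 1078/1040" the author shows: a 1,000,000-byte buffer filled after well under two thousand packets, so anything captured this way needs either a larger size on the apply command or a prompt copy-and-clear. On the export listing it returns no findings. The parser deliberately ignores lines it does not know, so extra fields on other IOS releases do not break it.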
Below is the video with the example.