IP traffic export: how to mirror traffic on a router

The Switched Port Analyzer (SPAN) feature, sometimes called port mirroring or port monitoring, selects network traffic from a switched port for analysis by a network analyzer. Unfortunately, this feature works only on switches or Layer 3 switches. And on a router, what can I do to copy the traffic?

In a previous article, I explained Embedded Packet Capture, a powerful feature to capture data packets directly on the NVRAM. Another good solution is 'IP traffic export'.

Introduced in IOS 12.3(4)T, the IP Traffic Export feature allows users to configure their router to export IP packets that are received on multiple, simultaneous WAN or LAN interfaces. The unaltered IP packets are exported on a single LAN or VLAN interface, thereby easing deployment of protocol analyzers and monitoring devices.

How to use IP traffic export

Suppose that you want to copy the Dialer1 traffic to the IDS host (MAC address: 0015.61b9.2abb).

Step #1: Define a traffic export profile

Ciscozine#conf t
Ciscozine(config)#ip traffic-export profile ciscozine-test mode export
Ciscozine(conf-rite)#bidirectional
Ciscozine(conf-rite)#interface fastEthernet 0/0
Ciscozine(conf-rite)#mac-address 0015.61b9.2abb

The bidirectional command exports incoming and outgoing IP traffic on the monitored interface. If this command is not enabled, only incoming traffic is exported.

The interface command specifies the outgoing interface for exported traffic.

The mac-address command specifies the 48-bit address of the destination host that is receiving the exported traffic.

Step #2: Apply the profile to an ingress interface

Ciscozine(config)#interface dialer 1
Ciscozine(config-if)#ip traffic-export apply ciscozine-test

After that, the router starts mirroring the IP traffic to the host.

To see traffic export statistics use the “show ip traffic-export” command:

Ciscozine#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface Dialer1
      Export Interface                FastEthernet0/0
      Destination MAC address 0015.61b9.2abb
      bi-directional traffic export is on
Output IP Traffic Export Information
      Packets/Bytes Exported    981/475672
      Packets Dropped             0
      Sampling Rate               one-in-every 1 packets
      No Access List configured
Input IP Traffic Export Information
      Packets/Bytes Exported    900/571078
      Packets Dropped             0
      Sampling Rate               one-in-every 1 packets
      No Access List configured
      Profile ciscozine-test is Active

Ciscozine#

Remember: When IP traffic export is enabled, a delay is incurred on the outbound interface when packets are captured and transmitted across the interface. Performance delays increase with the increased number of interfaces that are monitored and the increased number of destination hosts.

Limitations

  • The MAC address of the device that is receiving the exported traffic must be on the same VLAN or directly connected to one of the router interfaces. (Use the show arp command to determine the MAC address of the device that is directly connected to an interface.)
  • The outgoing interface for exported traffic must be Ethernet (10/100/1000). (Incoming (monitored) traffic can traverse any interface.)

Like Embedded Packet Capture, IP traffic export allows you to save packets in local router memory and then dump this data to a file on an external device, such as flash memory. To do so, you need:

Step 1: Define a traffic capture profile

Ciscozine(config)#ip traffic-export profile ciscozine-test-2 mode capture
Ciscozine(conf-rite)#bidirectional

Step 2: Apply the profile to an ingress interface

Ciscozine(config)#int dialer 1
Ciscozine(config-if)#ip traffic-export apply ciscozine-test-2 size 1000000

Step 3: Start the capture

Ciscozine#traffic-export interface dialer 1 start

Step 4: Stop the capture when you want or, if you prefer, wait until the buffer is full

Ciscozine#traffic-export interface dialer 1 stop

Step 5: Check the IP traffic capture statistics

Ciscozine#show ip traffic-export
Router IP Traffic Export Parameters
Monitored Interface: Dialer1
      Capture full packet length.
      bi-directional traffic capture is on
   Output IP Traffic Capture Information
      Packets/Bytes Captured 748/389641
      Packets Dropped 1078
      Sampling Rate one-in-every 1 packets
      No Access List configured
   Input IP Traffic Capture Information
      Packets/Bytes Captured 794/584753
      Packets Dropped 1040
      Sampling Rate one-in-every 1 packets
      No Access List configured
   IP Traffic Capture Buffer Information
      Defined Buffer Size 1000000 bytes
      Capture Buffer Size 1000000 bytes
      Capture Buffer Used 999090 bytes
      Capture Buffer Free 910 bytes
   Profile ciscozine-test-2 capture state: Buffer Full

Ciscozine#

Step 6: Copy the dump file to an external device (in this case to a TFTP server)

Ciscozine#traffic-export interface dialer 1 copy tftp:

Step 7: Check the dump file using Wireshark

Remember: If you want to clear the packet capture buffer for the designated interface, use the traffic-export interface clear command.
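The show ip traffic-export output in Step 5 (and the export-mode output earlier) tells you when the analyzer is silently missing traffic: a non-zero Packets Dropped counter or a capture state of Buffer Full. As an added example, not code from the original article or from Cisco, here is a small Python parser for that output that extracts the per-direction counters and flags both conditions; the sample text is constructed from the values shown on this page, and the helper names are my own.

```python
import re

# Constructed sample modelled on this page's capture-mode "show ip traffic-export"
# output (counters copied from the page; several values can share one line).
SAMPLE_CAPTURE = """\
   Output IP Traffic Capture Information       Packets/Bytes Captured 748/389641
      Packets Dropped 1078
   Input IP Traffic Capture Information
      Packets/Bytes Captured 794/584753
      Packets Dropped 1040
   IP Traffic Capture Buffer Information       Defined Buffer Size 1000000 bytes
      Capture Buffer Used 999090 bytes       Capture Buffer Free 910 bytes
   Profile ciscozine-test-2 capture state: Buffer Full
"""

HEADER = re.compile(r"(Input|Output) IP Traffic (?:Export|Capture) Information")
COUNTS = re.compile(r"Packets/Bytes (?:Exported|Captured)\s+(\d+)/(\d+)")
DROPS = re.compile(r"Packets Dropped\s+(\d+)")
BUF = re.compile(r"((?:Defined|Capture) Buffer (?:Size|Used|Free))\s+(\d+) bytes")
PROFILE = re.compile(r"Profile (\S+) (?:capture state: (.+)|is (\w+))")

def parse_traffic_export(text):
    """Return per-direction counters, buffer sizes and the profile state."""
    out = {"directions": {}, "buffer": {}, "profile": None, "state": None}
    cur = None
    for line in text.splitlines():
        if m := HEADER.search(line):          # section header: Input or Output
            cur = m.group(1).lower()
            out["directions"].setdefault(cur, {})
        if cur and (m := COUNTS.search(line)):
            out["directions"][cur].update(packets=int(m[1]), bytes=int(m[2]))
        if cur and (m := DROPS.search(line)):
            out["directions"][cur]["dropped"] = int(m[1])
        for name, val in BUF.findall(line):  # buffer lines may hold two fields
            out["buffer"][name] = int(val)
        if m := PROFILE.search(line):
            out["profile"], out["state"] = m[1], (m[2] or m[3]).strip()
    return out

def health_issues(parsed):
    """Flag conditions under which the analyzer is no longer seeing all traffic."""
    issues = []
    for direction, c in parsed["directions"].items():
        dropped, seen = c.get("dropped", 0), c.get("packets", 0)
        if dropped:
            pct = 100.0 * dropped / (dropped + seen)
            issues.append(f"{direction}: {dropped} packets dropped ({pct:.1f}%)")
    if parsed["state"] == "Buffer Full":
        issues.append(f"profile {parsed['profile']}: capture buffer full, later packets are lost")
    return issues
```

Feeding the page's capture output through health_issues reports more than half of the packets dropped in each direction plus a full buffer, which is exactly why the Remember note above about the delay and the buffer size matters when you rely on this for monitoring.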


References: http://www.cisco.com/…/12_4t11/ht_rawip.html
