Posts Tagged ‘monitor’

Port Mirroring on Cisco – Monitoring the network

Thursday, May 14th, 2009

“We just bought a new IPS/IDS, just put it between us and our transit provider!”. Sounds slick, huh? This request seems easy, but do you really know if it will function like expected and not jam all network traffic?

Try it out on a mirrored (SPAN) port first! With a SPAN you can get a copy of all traffic from/to a port output on a second port, without interacting with traffic. This can be very helpful if you want to test out some new equipment for Intrusion detection and/or prevention. Snort is an open source alternative for monitoring network traffic for obscurity and irregularities.

To configure a SPAN on 2940, 2950, 2955, 2960, 2970, 3550, 3560 and 3750 switches

Switch#conf t
Switch(config)#monitor session 1 source interface Fa0/18
Switch(config)#monitor session 1 destination interface Fa0/2

With the configuration above you will copy all traffic from FastEthernet 0/18 and output it to FastEthernet 0/2
The Cisco Catalyst 2950 is incapable to monitor vlans, but this is possible on for example the Cisco 3750.

To verify a SPAN session

Switch#sh monitor session 1
Session 1
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/18
Destination Ports: Fa0/2

I hope this maybe encourages you to test out some applications or equipment that you’ve been wanting to try but haven’t had the guts to!

Using Tcpdump in Linux to Analyze Network Traffic

Wednesday, February 25th, 2009

Have you ever needed to see traffic in front of your eyes? There exists a tool in linux to do this. You can see it all, even .. passwords.

I will just give you the commands to see different types of traffic, use it for what you want.
You will not see network traffic going between other devices on the network, only to your workstation – assuming you are on a switched network, on a WLAN things are different.
If you want to monitor a network port, you can use a ‘mirror port’ in Cisco, configuration is as follows:

monitor session 1 source interface fastethernet 0/1
monitor session 1 destination interface fastethernet 0/2 encap ingress vlan 1

This will mirror all network traffic on FastEthernet 0/1 to FastEthernet 0/2.
There also exists methods for injecting ARP to a switched network to make network devices believe you are the gateway, so that you can inspect the packets before passing them on to the gateway.

Tcpdump commands
So back to tcpdump, to look at for example web traffic
Always remember that if you want to see the traffic as ASCII, just apply the argument ‘-A’ to tcpdump

I am assuming you are using eth0, -n turns off DNS.

tcpdump -i eth0 -n port 80

Now a little more fancy, using egrep – this will show all your web requests in real time!

tcpdump -i eth0 -A -n port 80 | egrep -i \(GET.\/\|POST.\/\|Host:\)

Did you know you can tcpdump for a subnet by just excluding the last octet?

tcpdump -i eth0 -n port 80 and host 10.0.5

You can see I used ‘and’ here to specify more filter, you can also use or
For example port 80 or port 81

If you forgot your pop3 password, but have it stored in the client

tcpdump -i eth0 -n port 110 -A | egrep -i \(user\|pass\)

This also applies to passwords for the web, I have used this a lot instead of the ‘forgot password’ mechanism.

If I forgot to mention anything, please let me know.