On Tue, 2011-08-02 at 14:36 -0400, Ryan Pavely wrote:
> Looking at my 15min the only ips/vlans that are sending packets are my
> two 'expected' hosts. Neither would be sending an invalid community.
> We were going to run 'debug snmp packets' for a longer period of time
> to get a good snapshot of data.

If you only see your "trusted" hosts, it could be that they're sending something with a wrong community. This could be an invalid context when searching e.g. BRIDGE-MIB. (I.e.: To search VLAN 2 you would use "SomeCommunity@2" as the community; you can see all valid communities and contexts with "show snmp community".)

> Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M),
> Version 12.2(33)SXI, RELEASE SOFTWARE (fc2)

Then you have a sniffer already. :-) Try a configuration like this:

    ip access-list extended Capture-ACL
     deny ip host 10.0.0.1 any
     deny ip host 10.0.0.2 any
     permit udp any any eq snmp
    !
    monitor session 1 type capture
     filter access-group Capture-ACL
     source interface Gi2/40 rx
    !

The two hosts in the ACL would be your normal management stations, which you might not care about. You need to know the inbound interface, but you can specify more than one. With the above configuration you can start the capture from exec mode with e.g. "monitor capture start for 100 packets" and get a dump of the packets with "show monitor capture buffer dump".

-- 
Peter

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
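An added example, not part of the original message: once a captured packet is in hand, this Python decoder pulls the SNMP version, community and "@context" suffix out of a v1/v2c message so the string can be compared with what "show snmp community" lists. It assumes the UDP payload has been copied out of the dump as hex with the Ethernet/IP/UDP headers removed; the function names and both sample payloads are constructed for illustration.

```python
# Added example: decode the community string from an SNMP v1/v2c UDP payload.
SNMP_VERSIONS = {0: "v1", 1: "v2c"}

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of payload")
    return tag, buf[pos:pos + length], pos + length

def parse_community(payload_hex):
    """Return (version, community, context); context is None without '@'."""
    buf = bytes.fromhex(payload_hex)
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("payload is not a BER SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02 or not ver:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big")
    if version not in SNMP_VERSIONS:      # e.g. SNMPv3 carries no community
        raise ValueError("not community-based SNMP (version field %d)" % version)
    tag, comm, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    text = comm.decode("ascii", errors="replace")
    community, sep, context = text.partition("@")
    return (SNMP_VERSIONS[version], community, context if sep else None)

# Constructed sample: SNMPv2c GetRequest for sysDescr.0, community "SomeCommunity@2".
SAMPLE_V2C = ("30 2f 02 01 01 04 0f 53 6f 6d 65 43 6f 6d 6d 75 6e 69 74 79 40 32"
              " a0 19 02 01 01 02 01 00 02 01 00"
              " 30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
# Constructed sample: SNMPv1 header only, community "public", PDU omitted.
SAMPLE_V1 = "30 0b 02 01 00 04 06 70 75 62 6c 69 63"

if __name__ == "__main__":
    for sample in (SAMPLE_V2C, SAMPLE_V1):
        print(parse_community(sample))
```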