On 09/09/2014 06:46 AM, Christian Schmit wrote:
Hi,
Legal authorities require that upon request we provide them with pcap
files of a PPPoVPDN or PPPoE subscriber session we terminate on ASR1000
devices.
I need to limit the captured data to a specific subscriber/IP address.
So far I looked into:
  - SPAN: on the ASR1000 SPAN does not seem to offer the possibility to
apply an IP access list to the SPAN session
  - EPC: EPC can only collect data until the buffer is full which is by far
too small if a session needs to be captured/monitored over weeks
  - LI feature: For using the lawful intercept (LI) feature of the ASR a
mediation device is required which we do not have
Any hints will be appreciated.
Thanks,
  Christian
We implemented a solution for this.

In house we have a tool that is able to grok subscribers by name/DSL or DHCP circuit ID/IP address, and determine their MAC address. This MAC address then is simply used in a tcpdump on a SPAN port and picks out exactly and only that subscriber's traffic. The typical case is you only really need to know the single MAC address because most subscribers are using either a single PC or router to which all of their traffic winds up. Typically we are using it to assist customers with setup or configuration issues (no substitute for packets!) and it's quite effective.

Mike
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
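
The MAC-filtered tcpdump on a SPAN port described in the reply above, sketched as an added example that is not part of the original thread or the poster's in-house tool. It assumes the subscriber's MAC has already been looked up and is visible in the Ethernet header at the SPAN point; the function names, interface argument and file naming are hypothetical.

```shell
#!/bin/sh
# Added example: per-subscriber capture on a SPAN port, filtered by MAC.
# The subscriber-to-MAC lookup itself is not shown on the page and is assumed done.

# Normalize a MAC (aa:bb:.., aa-bb-.. or Cisco aabb.ccdd.eeff) to aa:bb:cc:dd:ee:ff.
# Returns 1 unless the input is exactly 12 hex digits, so nothing else can
# reach the tcpdump filter expression.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    case "$hex" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# "ether host" matches the MAC as source or destination, so both
# directions of the subscriber's traffic are kept.
build_filter() {
    mac=$(normalize_mac "$1") || return 1
    printf 'ether host %s\n' "$mac"
}

# Long-running capture: a new file every hour (-G 3600, strftime file names),
# full packets (-s 0), no name resolution (-n). Disk usage is bounded by
# pruning old files, not by a fixed capture buffer.
start_capture() {
    iface=$1; outdir=$2
    filter=$(build_filter "$3") || { echo "invalid MAC: $3" >&2; return 1; }
    tcpdump -i "$iface" -n -s 0 -G 3600 \
        -w "$outdir/sub-%Y%m%d-%H%M%S.pcap" "$filter"
}

# Usage: capture.sh <span-interface> <output-dir> <subscriber-mac>
if [ "$#" -eq 3 ]; then
    start_capture "$@"
fi
```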
