On Mon, 4 Feb 2002, Sam Deckert wrote:

> by monitoring, I mean by protocol and possibly port... sorry, should have
> been more specific.

Hi Sam (hooray for more Australians :)),

Netflow sounds like what you're after. On the ingress interface you want to
monitor, add 'ip route-cache flow'. Now you can 'show ip cache flow' to
show how NetFlow is switching traffic - very handy for tracking DoS
attacks - on one of our 7206VXRs, I can 'show ip cache flow' and hold down
the space bar - if I see any address standing out, it's generally because
of a DoS.

Example: (IP addresses changed to protect the... errr, not so innocent).

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
AT3/0.501     209.132.1.27    Fa0/0.1       10.1.1.2        11 0035 0999     1
AT3/0.501     24.30.201.3     Fa0/0.1       192.168.1.1     11 0035 0819    12
AT3/0.501     209.71.218.87   Fa0/0.1       172.16.5.5      06 0050 040D     4
AT3/0.501     64.154.61.232   Fa0/0.1       10.11.10.1      06 1A0C 0440     1
AT3/0.501     66.61.73.34     Fa0/0.1       192.168.10.11   06 04BE 0454    10

All pretty obvious, save Pr (it's protocol - 11 is UDP, 06 is TCP, see
http://www.iana.org/assignments/protocol-numbers). SrcP and DstP are in
hex, so 0035 really means 53, or DNS.

Note that we've applied the 'ip route-cache flow' command to ATM3/0.501,
but not FastEthernet0/0.1 - we're only seeing incoming traffic. If you
want to monitor it both ways, add the command to both directions of
interface (i.e., Ethernet0 and Serial0 or whatever).

The next thing is getting the information off the router. Do a search on
freshmeat for cflowd, and look at the 'ip flow export x.x.x.x yyyy'
command. This is used to send Netflow accounting records to a remote host
via UDP.

To make it pretty, have a look at Cricket. I know very little about this,
but have seen it produce really pretty graphs based on protocol, port,
etcetera. Again, do a search on freshmeat (www.freshmeat.net).

Rgds,



- I.

--
Ian Henderson CCNA, CCNP
Network Engineer, iiNet Limited




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34452&t=34382
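
Added example, not part of the original message: a Python sketch that parses pasted 'show ip cache flow' rows in the column layout shown above, decodes the hex Pr/SrcP/DstP fields, and ranks destinations by share of packets, which automates the "address standing out" check. The sample rows are constructed, the function names are hypothetical, and the K/M suffix handling is an assumption about how large Pkts counters are abbreviated.

```python
import re
from collections import Counter

PROTO = {0x01: "icmp", 0x06: "tcp", 0x11: "udp"}  # IANA protocol numbers
ROW = re.compile(
    r"^(\S+)\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+(?:\.\d+){3})\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)([KM]?)$")
SCALE = {"": 1, "K": 1000, "M": 1000000}  # assumption: abbreviated counters

# Constructed sample; one row's Pkts value is wrapped as a mail client would.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
AT3/0.501     198.51.100.7    Fa0/0.1       192.0.2.10      11 0035 0999     1
AT3/0.501     198.51.100.9    Fa0/0.1       192.0.2.10      06 0050 040D     4
AT3/0.501     203.0.113.5     Fa0/0.1       192.0.2.80      06 0C4A 0050
950
AT3/0.501     203.0.113.77    Fa0/0.1       192.0.2.80      06 1F90 0050   870
AT3/0.501     198.51.100.23   Fa0/0.1       192.0.2.25      11 0035 0819    12
"""

def parse_flows(text):
    """Return one dict per flow row, rejoining rows whose Pkts column wrapped."""
    joined = []
    for line in text.splitlines():
        if joined and re.fullmatch(r"\s*\d+[KM]?\s*", line):
            joined[-1] = joined[-1].rstrip() + " " + line.strip()
        else:
            joined.append(line)
    flows = []
    for line in joined:
        m = ROW.match(line.strip())
        if not m:
            continue  # header, blank line, or other non-flow text
        src_if, src, dst_if, dst, pr, sp, dp, pkts, unit = m.groups()
        proto = int(pr, 16)  # Pr, SrcP and DstP are printed in hex
        flows.append({"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
                      "proto": PROTO.get(proto, str(proto)),
                      "sport": int(sp, 16), "dport": int(dp, 16),
                      "pkts": int(pkts) * SCALE[unit]})
    return flows

def packet_share_by_dst(flows):
    """Fraction of all cached packets going to each destination, largest first."""
    totals = Counter()
    for f in flows:
        totals[f["dst"]] += f["pkts"]
    grand = sum(totals.values()) or 1
    return {dst: n / grand for dst, n in totals.most_common()}
```

On the constructed sample, packet_share_by_dst(parse_flows(SAMPLE)) puts 192.0.2.80 first with over 99% of the packets, the kind of outlier the message describes spotting by eye.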