Friday, January 4, 2013

Turning the router into a packet sniffer

I see a lot of posts on the net about troubleshooting the different applications used on a network. People tend to rely on third-party sniffers to see what is happening. But did you know that you can build a small "sniffer" out of the router's own configuration and make troubleshooting a lot easier? Moreover, many applications need access through an access control list (ACL) on a router, but you might not know which ports or protocols to allow in the ACL rules. Simply use an access list and the router's logging function to "sniff" and report what it sees. Take a transparent approach to locking the ACL down to only what is needed. The process takes some time, but it is effective and can be used on virtually any interface ACL.
Follow these steps:
1. Discover: Use the router's ability to log ACL matches to its own buffer in order to catalog the traffic that crosses it. The configuration is the following:
Router (config)# logging buffered 15000
(This creates a buffer large enough to look at locally on the router; alternatively, you can configure the router to send the ACL matches to a syslog server.)
Router (config)# access-list 101 permit tcp any gt 0 any gt 0 log
Router (config)# access-list 101 permit udp any gt 0 any gt 0 log
Router (config)# access-list 101 permit icmp any any
Router (config)# access-list 101 permit ip any any log
(This last entry is a "catch-all".)
Router (config)# interface interface
Router (config-if)# ip access-group 101 in
(Here interface is the interface whose inbound traffic you want to watch.)
Look at the log by using the show log command from the exec prompt. You should see the source and destination IP addresses, along with the TCP or UDP ports used (in parentheses):
Mar 18 20:05:10.628: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50051) -> 10.2.9.30(15648), 1 packet
Mar 18 20:05:20.697: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50054) -> 10.2.9.30(15648), 1 packet
Mar 18 20:05:30.757: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50057) -> 10.2.9.30(15648), 1 packet
Mar 18 20:05:40.854: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50060) -> 10.2.9.30(15648), 1 packet
Mar 18 20:05:51.006: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50063) -> 10.2.9.30(15648), 1 packet
Mar 18 20:06:01.115: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50115) -> 10.2.9.30(15648), 1 packet
Mar 18 20:06:10.354: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50118) -> 10.2.9.30(15648), 1 packet
Mar 18 20:06:20.423: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50121) -> 10.2.9.30(15648), 1 packet
With earlier IOS versions you can specify permit ip any any log or permit tcp any any log, and the show log output shows the port numbers. With later IOS versions, however, those permit statements produce a port of zero (0) in the show log output, which is why I use statements such as permit tcp any gt 0 any gt 0 log. This produces the actual TCP port numbers. The same goes for UDP.
In this example, two IP addresses need to communicate, and the destination TCP port is 15648. The source port changes with each connection, so I cannot write a static ACL entry for it. Instead, I can create a TCP ACL entry that states:
access-list 101 permit tcp host 192.168.19.137 host 10.2.9.30 eq 15648
This should be sufficient for a tight access list. Using this information, I can create a new access list.
2. Notify: Even though we do not expect any connectivity issues, notify those who could be affected by an error or an unexpected condition during this process.
3. Implement: We do not want to interrupt a production environment when making changes. I used this method:
Router (config)# interface interface
Router (config-if)# no ip access-group 101 in
(This removes the ACL from active service on the interface.)
Router (config-if)# exit (I could use Ctrl+Z here as well)
Router (config)# exit
Router# ena
Router (config)# no access-list 101
(Now delete the ACL itself.)
If you use "named" access lists, you can edit individual access-list entries instead. I use Microsoft Notepad to edit the access list copied out of the configuration, then paste it back into the Telnet/SSH session. Next, I add the new access list:
Router (config)# access-list 101 permit tcp host 192.168.19.137 host 10.2.9.30 eq 15648
Router (config)# access-list 101 permit tcp any gt 0 any gt 0 log
Router (config)# access-list 101 permit udp any gt 0 any gt 0 log
Router (config)# access-list 101 permit icmp any any
Router (config)# access-list 101 permit ip any any log
Router (config)# interface interface
Router (config-if)# ip access-group 101 in
4. Verify: Use the show access-list command and the show log command to verify that the access list is working. As more specific access-list entries are added, the more general ones are pushed toward the bottom of the list, and eventually the hit counters on the general ACL entries drop to zero. Then you can delete those general entries, leaving only the specific rules. The sequence of commands I used is important for keeping the change transparent to a production environment.
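As an added worked example (not part of the original post), here is a small Python parser for the %SEC-6-IPACCESSLOGP lines shown in step 1. It collapses the ephemeral source ports, totals packets per destination flow, and prints the specific host/host/eq entries to paste ahead of the general "gt 0 ... log" entries in step 3. The sample log lines, including the UDP flow to 10.2.9.53, are constructed for the example, not captured from a real router.

```python
import re
from collections import Counter

# Constructed sample lines in the %SEC-6-IPACCESSLOGP format shown in the post
# (one spacing variant of the "->" arrow is deliberately included).
SAMPLE_LOG = """\
Mar 18 20:05:10.628: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50051) -> 10.2.9.30(15648), 1 packet
Mar 18 20:05:20.697: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50054) ->10.2.9.30(15648), 1 packet
Mar 18 20:05:30.757: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.19.137(49201) -> 10.2.9.53(53), 2 packets
Mar 18 20:05:40.854: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50060) -> 10.2.9.30(15648), 1 packet
"""

# Only the port-carrying (IPACCESSLOGP) TCP/UDP entries are of interest here;
# ICMP and plain "ip any any" matches use other message variants and are skipped.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) permitted (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) ->\s*(?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def summarize_flows(log_text):
    """Total packets per (acl, proto, src, dst, dport).

    The source port is ephemeral and changes per connection, so it is
    deliberately dropped from the key, exactly as the post argues.
    """
    flows = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue  # unrelated log line, or an entry without port numbers
        key = (m["acl"], m["proto"], m["src"], m["dst"], int(m["dport"]))
        flows[key] += int(m["count"])
    return flows


def specific_acl_entries(flows):
    """One specific permit entry per observed flow, busiest flow first."""
    entries = []
    for (acl, proto, src, dst, dport), _ in flows.most_common():
        entries.append(
            f"access-list {acl} permit {proto} host {src} host {dst} eq {dport}"
        )
    return entries


if __name__ == "__main__":
    for entry in specific_acl_entries(summarize_flows(SAMPLE_LOG)):
        print(entry)
```

Feed it the output of show log (or the syslog file) instead of SAMPLE_LOG, and review the printed entries before adding them; a flow seen once in the log is not necessarily one you want to permit.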
