|
Using a Cisco Router as a “Remote Collector” for tcpdump or Wireshark |
|
|
|
Source: SANS - Posted by anthony
|
Have you ever thought about your routers. I mean - *really* thought about them? They think all day long, processing all of the packets in and out of your company’s WAN or internet connection, and hardly ever complain. But can you get any useful information out of those packets?
PC's with almost any operating system can be configured with tcpdump or windump (with wireshark or whatever gui you'd care to hang in front of it) to do packet capture an analysis. But if the traffic you are trying to capture is halfway across the world (or maybe closer but still too far to drive), can you use your router to capture packets in a standard libpcap format?
As you've probably guessed, the answer is YES, or else there’d be no reason to write this article. Let's go through the steps, from start to finish.
First, ensure that you have syslog set up – your packets are going to show up in the router’s log. You can execute this packet capture process without syslog by using “show log” to view the local log buffer, but you'll be very limited as to how many packets you can capture per session.
Read this full article at SANS
Only registered users can write comments.
Please login or register. Powered by AkoComment! |
