Thank you very much for your help.
Funny thing is, I opened a case with Cisco about this problem; they never
mentioned this possibility, they said I should try a network analyzer.
Now I think I will try both methods next time this problem occurs.
 
 
  ----- Original Message ----- 
  
  
  Sent: Friday, June 22, 2001 6:17 AM
  Subject: RE: [Ethereal-users] Filters
  
   
  1. Firstly I would probably make use of the ip accounting in the Cisco. You
  need to config on the serial interface and add "ip accounting output-packets".
  After a minute then do "show ip accounting". You'll get something like:
   
     
     Source           Destination              Packets               Bytes
   10.138.2.2       10.128.9.2                  865846            76277502
   10.138.2.2       10.136.5.2                  907612            78689819
   10.138.2.2       10.128.9.4                 1904894           126219478
   10.138.2.2       10.132.2.2                  439578            38682864
   10.138.2.2       10.176.71.3                  10629              694619
   10.138.2.2       10.176.71.2                 859281            75611829
   10.138.2.2       10.128.2.150                   691              120774
   10.138.3.2       10.128.2.150                  3423              206338
   10.138.2.2       127.0.0.1                      906               26274
   
  Accounting data age is 3d03h
   
  2. If you are on the Ethernet going into the router you can't actually know
  if traffic is going to the Internet. However you can certainly make a good
  guess.

  As a capture filter you can use the MAC address of the router, e.g. "ether dst
  01:02:34:56:78:90". This will only capture traffic to the router. If the
  router also does local routing you may also need to add display filtering to
  remove local destination addresses. Once you have isolated the traffic type
  though you can probably just analyse a small sample of data to determine the
  culprits.
   
   
  Martin Visser
  Network Consultant - Compaq Global Services
  Compaq Computer Australia
  410 Concord Road
  Rhodes, Sydney NSW 2138
  Australia
  Phone: +61-2-9022-5630
  Mobile: +61-411-254-513
  Fax: +61-2-9022-7001
  Email: martin.visser@xxxxxxxxxx
  
    
    Hi all,

    I'm new to this stuff (but can learn fast ;-), need some help in my work.
    We have noticed from time to time very heavy abnormal traffic going out of
    our main router/gateway (Cisco 2500) toward the internet, and it can last
    several hours each time, nearly bringing down our internet access.
    Next time this happens I would like to be able to find the source/nature
    of this unusual traffic.
    What are the capture filters that I can/should use to isolate/capture/see
    only the traffic going out of my router/gateway serial port? Or going thru
    the gateway to the outside world? (I have several IP classes on my
    internal network.)
    Or how would you go about solving the problem above?

    (running Ethereal on W2K)

    TIA

    Serge Dergham
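
The "show ip accounting" table in Martin's reply can be ranked by bytes to pick out the heaviest senders and flows. The Python below is an added example, not part of the original thread; the function names and the local_nets argument are assumptions, and the sample rows are the ones quoted in the reply.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Rows copied from the "show ip accounting" output quoted in the thread.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 10.138.2.2       10.128.9.2                  865846            76277502
 10.138.2.2       10.136.5.2                  907612            78689819
 10.138.2.2       10.128.9.4                 1904894           126219478
 10.138.2.2       10.132.2.2                  439578            38682864
 10.138.2.2       10.176.71.3                  10629              694619
 10.138.2.2       10.176.71.2                 859281            75611829
 10.138.2.2       10.128.2.150                   691              120774
 10.138.3.2       10.128.2.150                  3423              206338
 10.138.2.2       127.0.0.1                      906               26274

Accounting data age is 3d03h
"""

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s*$")

def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples, skipping header and footer lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((ip_address(m[1]), ip_address(m[2]), int(m[3]), int(m[4])))
    return rows

def bytes_by_source(rows, local_nets=()):
    """Total bytes per source, ignoring destinations inside local_nets (assumed list)."""
    nets = [ip_network(n) for n in local_nets]
    totals = defaultdict(int)
    for src, dst, _pkts, nbytes in rows:
        if not any(dst in net for net in nets):
            totals[str(src)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def top_flows(rows, n=3):
    """Largest source/destination pairs by bytes, with mean bytes per packet."""
    ranked = sorted(rows, key=lambda r: r[3], reverse=True)[:n]
    return [(str(s), str(d), b, round(b / max(p, 1), 1)) for s, d, p, b in ranked]

if __name__ == "__main__":
    flows = parse_accounting(SAMPLE)
    print(bytes_by_source(flows))
    print(top_flows(flows))
```

Passing the site's internal prefixes as local_nets leaves only traffic bound for other networks, which mirrors the display filtering Martin suggests for removing local destination addresses.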