Wireshark-users: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow
From: "Frank Bulk" <fbulk@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 29 Feb 2008 22:33:42 -0600
I must be missing something obvious, so hopefully there's an easy answer.
I'm testing Cisco's "ip traffic-export" (http://tinyurl.com/3yalw4) feature
on a spare 7206VXR.  I've configured the "ip traffic export profile" to
monitor a PPPoE client on a WinXP laptop which is terminated onto one of the
router's Ethernet interface and am exporting the traffic out the router's
other Ethernet interface to my workstation equipped with Wireshark.  I've
applied the profile to the Virtual-Template.  To keep my tests simple, I'm
just sending a ping from the laptop the router.

The packets are showing up in Wireshark my workstation, but the packets
aren't decoding to show that they are a ping.  I see the payload of the ping
in the data section, but it's like the "ip traffic export" feature added
another header.  But the documentation says, "The unaltered IP packets are
exported on a single LAN or VLAN interface, thereby, easing deployment of
protocol analyzers and monitoring devices."

Does anyone have experience with this Cisco feature and explain to me if I'm
doing something wrong, or if I need to somehow create a filter that take
this into account?

Regards,

Frank