
Wireshark-users: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

From: "Frank Bulk" <frnkblk@xxxxxxxxx>
Date: Fri, 18 Apr 2008 13:59:40 -0500
Another update: Cisco TAC tells me that RITE over Virtual-Interfaces is not
supported on 12.2(SB11)31 and they will file a feature request for that.

Frank

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Frank Bulk
Sent: Wednesday, March 26, 2008 9:53 AM
To: Wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow

Good news: After one month of (slowly) working with Cisco's TAC the (third)
tech reproduced the problem.

I've asked Cisco to supply me a Bug ID.

Frank

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Frank Bulk
Sent: Friday, February 29, 2008 10:34 PM
To: Wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow

I must be missing something obvious, so hopefully there's an easy answer.
I'm testing Cisco's "ip traffic-export" (http://tinyurl.com/3yalw4) feature
on a spare 7206VXR.  I've configured the "ip traffic export profile" to
monitor a PPPoE client on a WinXP laptop which is terminated onto one of the
router's Ethernet interfaces and am exporting the traffic out the router's
other Ethernet interface to my workstation equipped with Wireshark.  I've
applied the profile to the Virtual-Template.  To keep my tests simple, I'm
just sending a ping from the laptop to the router.

The packets are showing up in Wireshark on my workstation, but the packets
aren't decoding to show that they are a ping.  I see the payload of the ping
in the data section, but it's like the "ip traffic export" feature added
another header.  But the documentation says, "The unaltered IP packets are
exported on a single LAN or VLAN interface, thereby, easing deployment of
protocol analyzers and monitoring devices."

Does anyone have experience with this Cisco feature and can explain to me if
I'm doing something wrong, or if I need to somehow create a filter that takes
this into account?

Regards,

Frank

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
