
How to trace a packet through a Cisco Router?

Hi,

I've used CapIN with my Cisco ASA, but not sure how trace a packet going through a Cisco 2811 router.

We have data coming in one port, but there is a possibility it is going out the slower port. I've reviewed my configurations by hand and it appears the data is going out correctly, but i don't trust it.

Can someone give me an example of a trace by source and destination network IP? I'm running IOS v 12.4. There is no NAT between these networks. I'm using standard static routes and route-maps.

packetguy Commented:
One of the sweetest tools in IOS is IP Cisco Express Forwarding (CEF), which lets you view a table of flows within the router. This is a very powerful debugging tool, and there is no downside to turning it on. Your router will actually run faster with CEF enabled. You need a global "ip cef" statement, and then an "ip route-cache flow" statement in each interface. e.g.:

ip cef
interface fastethernet0/0
  ip address x.x.x.x...
  ip route-cache flow
  .
  .
  .
interface fastethernet0/1
  ip address x.x.x.x...
  ip route-cache flow
  .
  .
  .

You can then run the "show ip cache flow" command and get fantastic traffic details:

#show ip cache flow
IP packet size distribution (15845M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .382 .040 .018 .011 .010 .009 .008 .026 .005 .005 .006 .003 .007 .004

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .004 .007 .005 .037 .403 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  2656 active, 62880 inactive, 873065850 added
  3457684435 ager polls, 0 flow alloc failures
  Active flows timeout in 5 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 336520 bytes
  0 active, 16384 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet       87535      0.0        13    55      0.3       1.6      17.8
TCP-FTP         225337      0.0        33    65      2.0       8.3       9.2
TCP-FTPD         15308      0.0        80   908      0.3       0.5       4.3
TCP-WWW      102778262     28.2        41   878   1173.3       5.4       9.2
TCP-SMTP       2519453      0.6        16   458     11.4       3.0       8.4
TCP-X          2604783      0.7         2    43      2.0       0.0      18.1
TCP-BGP            122      0.0         3    47      0.0       0.3      15.2
TCP-NNTP        113243      0.0         7    67      0.2       0.4       4.0
TCP-Frag          3563      0.0        14    92      0.0       5.2       9.6
TCP-other    232281425     63.8        42   662   2713.9       7.5       9.8
UDP-DNS      242168364     66.6         1    71     93.4       0.1      17.3
UDP-NTP        2415563      0.6         2    75      1.9       0.0      17.2
UDP-TFTP           130      0.0         9   199      0.0       0.9      17.7
UDP-Frag         44547      0.0        38   993      0.4       4.7      17.2
UDP-other    261164341     71.8         2   304    152.3       0.6      17.3
ICMP          25996076      7.1         8    93     62.9       7.1      17.1
IGMP                17      0.0        10    28      0.0       0.6      18.0
IPINIP              17      0.0        11    20      0.0       0.4      17.8
IPv6INIP         17364      0.0        37   236      0.1       8.0      17.3
GRE                361      0.0       194   596      0.0     104.5      13.5
IP-other        578799      0.1       901   429    143.4     152.9      10.5
Total:       873014610    240.1        18   677   4358.6       3.2      14.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         216.64.158.11   Fa1/0         132.239.253.131 11 0035 F7FC     1
Fa0/0         216.64.158.11   Fa1/0         63.248.120.18   11 0035 3F6B     1
Fa0/0         216.64.158.130  Fa1/0         121.194.2.3     11 0035 8048     1
Fa1/0         62.112.100.39   Fa0/0         206.83.0.58     06 61AB 0016    14
Fa0/0         206.83.0.1      Fa1/0         62.112.100.39   06 0016 BF3E     492
Fa0/0         206.83.0.1      Fa1/0         62.112.100.39   06 0016 BF3E    14
Fa0/0         216.64.158.11   Fa1/0         193.231.100.30  11 0035 9207     12
Fa0/0         206.83.0.1      Fa1/0         62.112.100.39   06 0016 BADE     114
Fa1/0         66.28.20.170    Fa0/0         216.64.159.100  11 8FE5 0035     1
Fa1/0         98.108.212.27   Fa0/0         206.83.5.100    32 D37C 0974    38

The first part is a nifty table summarizing all traffic by protocol. Then you get one line per flow (a unique combination of source/destination IP address and ports), showing the source and destination interface, IP address, protocol (in hex), port numbers (in hex) and the number of packets in the flow. You can filter this for a particular IP address by using the pipe option on the command:

#show ip cache flow | include 206.83.0.44  
Fa1/0         62.112.100.39   Fa0/0         206.83.0.44     06 4E9B 0016     9
Fa1/0         62.112.100.39   Fa0/0         206.83.0.44     06 4D1F 0016    14
Fa0/0         206.83.0.44     Fa1/0         8.0.11.238      11 0035 69F7     1
Fa1/0         8.0.11.238      Fa0/0         206.83.0.44     11 69F7 0035     1
Fa0/0         206.83.0.44     Fa1/0         62.112.100.39   06 0016 4E9B    14
Fa0/0         206.83.0.44     Fa1/0         62.112.100.39   06 0016 4D1F    19

This lets you focus on just the flows of interest. The pipe option also lets you use a period as a single-character wild-card, so you can filter things even further:

#show ip cache flow | include 206.83.0.42.....Fa1/0.........62.112.100.
Fa0/0         206.83.0.42     Fa1/0         62.112.100.39   06 0016 316F    13
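
The flow records above answer the asker's question (which interface a given source/destination pair actually leaves on) once they are parsed rather than eyeballed. The following is an added example, not code from the thread or from Cisco: it parses the per-flow lines of `show ip cache flow` output that has been copied off the router, decodes the hex protocol and port fields, and sums packets per egress interface for flows between two networks, flagging any flow that left via an interface other than the one you expect. The flow records, addresses, interface names (Fa0/1, Se0/0/0) and packet counts embedded in it are constructed for the example and are not from the thread.

```python
"""Check which interface flows between two networks leave on, from
'show ip cache flow' output (added example; sample data is constructed)."""
import ipaddress
import re
from collections import Counter

# Constructed sample records (addresses, interfaces and counts invented
# for this example) in the record format shown in the thread:
# SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
SAMPLE_FLOW_OUTPUT = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         192.0.2.10      Fa0/1         198.51.100.5    06 0016 C0A1    120
Fa0/0         192.0.2.11      Se0/0/0       198.51.100.7    06 0016 C0A2     35
Fa0/0         192.0.2.12      Fa0/1         203.0.113.9     11 0035 A1B2      1
Fa0/1         198.51.100.5    Fa0/0         192.0.2.10      06 C0A1 0016    118
Se0/0/0       198.51.100.7    Fa0/0         192.0.2.11      06 C0A2 0016     33
"""

# IP protocol numbers as they appear (in hex) in the Pr column.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

# One flow record: two interface/address pairs, then hex protocol, hex ports, packets.
FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<src_port>[0-9A-Fa-f]{4})\s+"
    r"(?P<dst_port>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)


def parse_flows(text):
    """Return one dict per flow record; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        proto = int(m["proto"], 16)
        flows.append({
            "src_if": m["src_if"],
            "src_ip": ipaddress.ip_address(m["src_ip"]),
            "dst_if": m["dst_if"],
            "dst_ip": ipaddress.ip_address(m["dst_ip"]),
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "src_port": int(m["src_port"], 16),   # ports are printed in hex
            "dst_port": int(m["dst_port"], 16),
            "pkts": int(m["pkts"]),
        })
    return flows


def select_flows(flows, src_net, dst_net):
    """Flows whose source is in src_net and destination in dst_net (CIDR strings)."""
    src_net = ipaddress.ip_network(src_net)
    dst_net = ipaddress.ip_network(dst_net)
    return [f for f in flows if f["src_ip"] in src_net and f["dst_ip"] in dst_net]


def egress_by_network(flows, src_net, dst_net):
    """Packets per egress interface for flows from src_net to dst_net."""
    counts = Counter()
    for f in select_flows(flows, src_net, dst_net):
        counts[f["dst_if"]] += f["pkts"]
    return dict(counts)


def unexpected_egress(flows, src_net, dst_net, expected_if):
    """Matching flows that left on some interface other than expected_if."""
    return [f for f in select_flows(flows, src_net, dst_net)
            if f["dst_if"] != expected_if]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOW_OUTPUT)
    print(egress_by_network(flows, "192.0.2.0/24", "198.51.100.0/24"))
    for f in unexpected_egress(flows, "192.0.2.0/24", "198.51.100.0/24", "Fa0/1"):
        print("unexpected:", f["src_ip"], "->", f["dst_ip"], "via", f["dst_if"],
              f["proto"], f["src_port"], "->", f["dst_port"], f["pkts"], "pkts")
```

Paste real output in place of the constructed sample (or read it from a file) and set `expected_if` to the fast interface; any record the script prints is a flow that went out the slow port, with its protocol and decimal ports (0x0016 is TCP port 22) so it can be matched against the route-map that should have steered it. Only flows still in the cache are visible, so run the command while the traffic of interest is active.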
adrianuta2004 Commented:
The traceroute command doesn't help?
First Last (Author) Commented:
adrianuta - I couldn't get the router to trace from the source IP. The source IP is on a different network.

packetguy - I will try this now!
ipajones Commented:
You can use "extended" traceroute, which allows you to choose the source IP etc. Just enter "traceroute" without any parameters and go from there.
--IJ