Cisco Guys: Monitor for port usage?

TechieSooner

I've got a 2801 router. I was wondering if there was some way I could debug or something to figure out if anything is using port 110??? I don't want to shut it off if it's getting used. To my knowledge, it's not. But I wanted to be sure.

Thanks!
 
I think you can use port mirroring/port monitoring, and run Wireshark on the destination port with a filter to see if there is any POP3 traffic.

Probably more useful if I tell you how, lol.


First define the port you want to monitor (in config mode, type "conf t").
Type: "monitor session *session 1-6, I think* source interface *interface name*"
Then define your destination port; this is the one you'll run Wireshark on.
Type: "monitor session *same session number you chose above* destination interface *interface name you are going to be monitoring on*"
 
TechieSooner, assuming that you have a Cisco switch INLINE with your router, then you can do SPAN; if not, you cannot do what bergo recommended.

Less work: enable NetFlow and set up a collector (optional). :)

int fa0/0
ip flow ingress
ip flow egress

show ip cache flow

http://www.cisco.com/en/US/docs/ios...TSD_Products_Configuration_Guide_Chapter.html
There's a TON more stuff that you can do.
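
Added example (not part of the thread and not any poster's code): a Python parser for the per-flow lines of `show ip cache flow`, which prints the protocol and port columns in hexadecimal, so POP3 shows up as 006E rather than 110. The sample output, interface names and addresses are constructed, and the function name `flows_on_port` is hypothetical.

```python
import re

# Constructed sample of the per-flow lines from "show ip cache flow".
# IOS prints the Pr, SrcP and DstP columns in hex: 06 = TCP, 006E = port 110.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         198.51.100.7    Fa0/1         192.168.1.5     06 C4F2 006E    14
Fa0/1         192.168.1.5     Fa0/0         198.51.100.7    06 006E C4F2    11
Fa0/0         198.51.100.9    Fa0/1         192.168.1.8     06 0110 0050    40
Fa0/1         192.168.1.8     Fa0/0         198.51.100.53   11 E1A0 0035     2
"""

FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+(?:\.\d+){3})\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>\d+(?:\.\d+){3})\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\S+)\s*$"
)

def flows_on_port(text, port=110, proto=6):
    """Return cached flows whose source or destination port equals `port`."""
    hits = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m or int(m["proto"], 16) != proto:
            continue  # header, summary line, or a different IP protocol
        sport, dport = int(m["sport"], 16), int(m["dport"], 16)
        if port not in (sport, dport):
            continue  # e.g. hex 0110 is port 272, not 110
        to_server = dport == port
        hits.append({
            "client": m["src_ip"] if to_server else m["dst_ip"],
            "server": m["dst_ip"] if to_server else m["src_ip"],
            "direction": "to_server" if to_server else "from_server",
            "pkts": m["pkts"],
        })
    return hits

if __name__ == "__main__":
    for flow in flows_on_port(SAMPLE):
        print(flow)
```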
 
Then I run wireshark ... where?

I don't have a Cisco switch inline so I guess this is my option.
 
Dude, are you kidding me? If you don't have a switch inline then you NEED to do either what myself or Vito said. What Vito said will be a bit quicker than what I said but not as granular. Did you even read our posts? :rolleyes:
 
If all you need to do is see if the traffic is there, I'd put an extended ACL on your interface like this.

access-list 100 permit tcp any any eq 110 log
access-list 100 permit ip any any

Then you can simply type "show access-list 100" and you'll see a packet count.
 
> ARE YOU RUNNING NAT??

Yes.

> Dude, are you kidding me? If you don't have a switch inline then you NEED to do either what myself or Vito said. What Vito said will be a bit quicker than what I said but not as granular. Did you even read our posts? :rolleyes:

Read them? Yes. Read them correctly? Apparently not.

> If all you need to do is see if the traffic is there, I'd put an extended ACL on your interface like this.
>
> access-list 100 permit tcp any any eq 110 log
> access-list 100 permit ip any any
>
> Then you can simply type "show access-list 100" and you'll see a packet count.

See this seriously looks easy... I've already got an ACL on it, so I just append "LOG" to the end of it and it logs a packet count?
 
^Right, just make sure that you are specifically matching port 110 in that line of your ACL, like in my example. Also make sure that there are no matching statements above the line for port 110 that would catch the traffic, otherwise you won't see it.
 
You don't even need the log command for Lightworker's solution.

Mine is pretty simple too, you just do "sh ip nat trans | i :110"
 
It looks to me like this displays your ACLs at the top (correct?) and then lists out all of the recent activity on 110? If so, I don't have any :D
 
No. It lists your current NAT (port) translations, then it filters down to only lines with ":110" in them.
 
Ahh ok... I just see my NAT entries for the servers themselves, nothing for any client connections (there's some listed but it's from ports 110034, stuff like that).
 
When you start sending traffic from your clients you will begin to see NAT translations with both their source port (infermal) and destination ports to their global addresses. I can see how it might be a bit confusing.

Try the other suggestions, you'll learn more and can pick which one you like more :D
 
Well, I was saying since those ports start with 110, they were included. I didn't see any mappings on 110 at all, aside from the actual NAT entries.

Question on this, does this only show current (<5 Minutes) NAT entries, or everything since a reload, or ?
 
The NAT table is very dynamic, so it will show entries within ms of them being created, and once the session teardown occurs, so do the PAT translations (to free up that port to be used for the next translation).

NAT entries (static) will never have a timeout as they are constantly in the table.
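
Added example (not part of the thread and not any poster's code): a Python parser for `show ip nat translations` output that matches port 110 exactly, instead of the substring match that also catches ports such as 11003, and separates the always-present static entries from live sessions. The sample table and addresses are constructed, and the function names are hypothetical.

```python
# Constructed sample of "show ip nat translations" on a router that
# port-forwards POP3 and SMTP to an inside mail server (documentation IPs).
SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.10:110      192.168.1.5:110       ---                   ---
tcp 203.0.113.10:25       192.168.1.5:25        ---                   ---
tcp 203.0.113.10:11003    192.168.1.20:11003    198.51.100.7:80       198.51.100.7:80
tcp 203.0.113.10:110      192.168.1.5:110       198.51.100.44:51544   198.51.100.44:51544
tcp 203.0.113.10:1104     192.168.1.21:1104     198.51.100.9:443      198.51.100.9:443
"""

def naive_include(text, needle=":110"):
    """Substring match, which is what '| i :110' amounts to."""
    return [line for line in text.splitlines() if needle in line]

def parse_endpoint(field):
    """'192.168.1.5:110' -> ('192.168.1.5', 110); '---' -> None."""
    if field == "---":
        return None
    host, sep, port = field.rpartition(":")
    return (host, int(port)) if sep else (field, None)

def port_entries(text, port=110):
    """Split rows using exactly `port` into static mappings and live sessions."""
    static, active = [], []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] not in ("tcp", "udp"):
            continue  # header, or a row without a protocol and port
        eps = [parse_endpoint(f) for f in cols[1:]]
        if not any(ep and ep[1] == port for ep in eps):
            continue  # :11003 and :1104 are dropped here
        # "---" in both outside columns: the configured static entry, always
        # present. Filled-in outside columns: a session that exists right now.
        (static if eps[2] is None and eps[3] is None else active).append(eps)
    return static, active

if __name__ == "__main__":
    static, active = port_entries(SAMPLE)
    print(len(naive_include(SAMPLE)), "substring matches")
    print("static:", static)
    print("active:", active)
```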
 
Alright, so I'll let this be a couple days and see if anything else builds up in here then. Thanks
 
If you intend to sit in front of the router to issue the command for several days then sure, that will work, but I don't think that you want to do that. Again, sessions will time out of the NAT translations table the minute that the TCP session is torn down, since we're talking about dynamic NAT (PAT) translation. If you want to let something sit and collect information then do what I said to do (enable NetFlow) OR what Lightworker suggested (access-list).
 