Thanks for your willingness to look at this. I'm glad to have a tool like Wireshark because I can't interpret the raw packets. =)
Attached are three ping packets that my Wireshark PC caught. The info line complains "Bogus IP length (8, less than header length 24)". I'm using a Cisco 7200VXR running 12.2(31)SB11 to export the traffic.

It should be noted that the instructions I referred to in the original e-mail are different than what's explained here: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html. In that link, the documentation refers to capture support that allows writing to 'disk', but only on the Cisco 1841, Cisco 2800 series, and Cisco 3800 series integrated services routers.

Furthermore, I've been conversing with a listserv member at cisco-nsp who says: "... I'm still really peeved about the annoying bug that exists where Cisco is not replicating packets correctly, thus making taps have invalid packet lengths. I was told this was fixed in SB11, but someone lied." and "The problem I'm seeing is with SII; it may or may not be affected with IP export as well, that would be interesting to know. When you tap a virtual interface you get more than just IP packets, you get raw PPPoX frames, headers, etc. The problem we're seeing is that the PPPoE payload length is "0" when it should be the actual packet payload size. Wireshark sees them as invalid because of this... In our Mediation Server we have a "fixup" for this if the payload is zero to calculate and fix the actual packets in the pcap."

This may or may not be relevant, but he's also running the same code and hardware platform, so it's *possible* that what I'm seeing is the result of some Cisco bug that is both in SII and IP Traffic Export.
Frank

-----Original Message-----
From: Stephen Fisher [mailto:[EMAIL PROTECTED]
Sent: Friday, February 29, 2008 10:40 PM
To: [EMAIL PROTECTED]; Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

On Fri, Feb 29, 2008 at 10:33:42PM -0600, Frank Bulk wrote:
> The packets are showing up in Wireshark on my workstation, but the
> packets aren't decoding to show that they are a ping. I see the
> payload of the ping in the data section, but it's like the "ip traffic
> export" feature added another header. But the documentation says,
> "The unaltered IP packets are exported on a single LAN or VLAN
> interface, thereby, easing deployment of protocol analyzers and
> monitoring devices."

I haven't used that feature before, but if you would like to attach a small capture file (2-3 packets) in a mail to the list, myself or someone else could have a look at what the router may be adding.

Steve
Attachment: ip_traffic-export(ping).pcap (binary data)
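A way to detect the "Bogus IP length" condition from the thread in a capture and apply the kind of "fixup" the cisco-nsp member describes (take the real length from what was captured), added here as an example; it is not code from the thread, from Cisco or from Wireshark. It assumes the export arrives as IPv4 over Ethernet in a classic libpcap file, and the sample frame and pcap it checks are constructed inline.

```python
import struct
ETH_HDR = 14  # assumption: the router exports onto an Ethernet LAN interface

def ipv4_checksum(hdr):
    """Ones'-complement checksum of an IPv4 header whose checksum field is zeroed."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def bogus_ip_length(frame):
    """Wireshark's check: IPv4 total length >= header length (IHL*4) and <= captured."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
        return False  # not IPv4 over Ethernet, nothing to judge
    ip = frame[ETH_HDR:]
    total_len = struct.unpack("!H", ip[2:4])[0]
    header_len = (ip[0] & 0x0F) * 4
    return total_len < header_len or total_len > len(ip)

def fix_frame(frame):
    """The 'fixup' from the thread: trust the captured size, rewrite total length,
    recompute the header checksum. Frames that look sane pass through untouched."""
    if not bogus_ip_length(frame):
        return frame
    ip = bytearray(frame[ETH_HDR:])
    header_len = (ip[0] & 0x0F) * 4
    struct.pack_into("!H", ip, 2, len(ip))   # total length = bytes actually captured
    struct.pack_into("!H", ip, 10, 0)        # zero checksum before recomputing it
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip[:header_len])))
    return frame[:ETH_HDR] + bytes(ip)

def pcap_frames(data):
    """Minimal libpcap reader (either byte order): yields each record's captured bytes."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

# Constructed sample: one ICMP echo whose IPv4 header carries 4 NOP option bytes
# (header length 24) but a total length of 8, exactly the condition Wireshark flagged.
ETH = bytes.fromhex("00112233445566778899aabb0800")
IP_BAD = (bytes([0x46, 0]) + struct.pack("!H", 8) + bytes.fromhex("0001000040010000")
          + bytes([10, 0, 0, 1, 10, 0, 0, 2]) + b"\x01\x01\x01\x01")
FRAME_BAD = ETH + IP_BAD + bytes.fromhex("0800000000010001") + b"ping"
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 0, 0, len(FRAME_BAD), len(FRAME_BAD)) + FRAME_BAD)
```

Running `[fix_frame(f) for f in pcap_frames(SAMPLE_PCAP)]` yields the repaired frames; for a real export, a mismatch in the rewritten length against the ICMP payload is itself a sign that the router prepended something rather than merely miscounting.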
_______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users