Thanks for your willingness to look at this. I'm glad to have a tool like
Wireshark because I can't interpret the raw packets. =)
Attached are three ping packets that my Wireshark PC caught. The info line
complains "Bogus IP length (8, less than header length 24)".
I'm using a Cisco 7200VXR running 12.2(31)SB11 to export the traffic. It
should be noted that the instructions I referred to in the original e-mail
are different than what's explained here:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html. In that
link, the documentation refers to capture support that allows writing to
'disk', but only on the Cisco 1841, Cisco 2800 series, and Cisco 3800 series
integrated services routers.
Furthermore, I've been conversing with a listserv member at cisco-nsp that
says that:
"... I'm still really peeved about the annoying bug
that exists where Cisco is not replicating packets
correctly, thus making taps have invalid packet lengths.
I was told this was fixed in SB11, but someone lied."
and
"The problem I'm seeing is with SII, it may or may not
be effected with IP export as well, that would be
interesting to know.
When you tap a virtual interface you get more than just
IP packets, you get raw PPPoX frames, headers, etc.
The problem we're seeing is that the PPPoE payload length
is "0" when it should be the actual packet payload size.
Wireshark see them as invalid because of this... In our
Mediation Server we have a "fixup" for this if the
payload is zero to calculate and fix the actual packets
in the pcap."
This may or may not be relevant, but he's also running the same code and
hardware platform, so, it's *possible* that what I'm seeing is the result of
some Cisco bug that is both in SII and IP Traffic Export.
Frank
-----Original Message-----
From: Stephen Fisher [mailto:stephentfisher@xxxxxxxxx]
Sent: Friday, February 29, 2008 10:40 PM
To: frnkblk@xxxxxxxxx; Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow
On Fri, Feb 29, 2008 at 10:33:42PM -0600, Frank Bulk wrote:
> The packets are showing up in Wireshark my workstation, but the
> packets aren't decoding to show that they are a ping. I see the
> payload of the ping in the data section, but it's like the "ip traffic
> export" feature added another header. But the documentation says,
> "The unaltered IP packets are exported on a single LAN or VLAN
> interface, thereby, easing deployment of protocol analyzers and
> monitoring devices."
I haven't used that feature before, but if you would like to attach a
small capture file (2-3 packets) in a mail to the list, myself or
someone else could have a look at what the router may be adding.
Steve
Attachment:
ip_traffic-export(ping).pcap
Description: Binary data