Wireshark-users: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

From: "Frank Bulk" <frnkblk@xxxxxxxxx>
Date: Sat, 1 Mar 2008 10:30:16 -0600
Thanks for your willingness to look at this.  I'm glad to have a tool like
Wireshark because I can't interpret the raw packets. =)

Attached are three ping packets that my Wireshark PC caught.  The info line
complains "Bogus IP length (8, less than header length 24)".

I'm using a Cisco 7200VXR running 12.2(31)SB11 to export the traffic.  It
should be noted that the instructions I referred to in the original e-mail
are different from what's explained here:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html.  In that
link, the documentation refers to capture support that allows writing to
'disk', but only on the Cisco 1841, Cisco 2800 series, and Cisco 3800 series
integrated services routers.  

Furthermore, I've been conversing with a listserv member at cisco-nsp that
says that:
	"... I'm still really peeved about the annoying bug 
	that exists where Cisco is not replicating packets 
	correctly, thus making taps have invalid packet lengths.  
	I was told this was fixed in SB11, but someone lied."
and
	"The problem I'm seeing is with SII, it may or may not 
	be affected with IP export as well, that would be 
	interesting to know.

	When you tap a virtual interface you get more than just 
	IP packets, you get raw PPPoX frames, headers, etc.

	The problem we're seeing is that the PPPoE payload length 
	is "0" when it should be the actual packet payload size.  
	Wireshark see them as invalid because of this...  In our 
	Mediation Server we have a "fixup" for this if the 
	payload is zero to calculate and fix the actual packets 
	in the pcap."

This may or may not be relevant, but he's also running the same code and
hardware platform, so, it's *possible* that what I'm seeing is the result of
some Cisco bug that is both in SII and IP Traffic Export.

Frank

-----Original Message-----
From: Stephen Fisher [mailto:stephentfisher@xxxxxxxxx] 
Sent: Friday, February 29, 2008 10:40 PM
To: frnkblk@xxxxxxxxx; Community support list for Wireshark
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow

On Fri, Feb 29, 2008 at 10:33:42PM -0600, Frank Bulk wrote:

> The packets are showing up in Wireshark my workstation, but the
> packets aren't decoding to show that they are a ping.  I see the
> payload of the ping in the data section, but it's like the "ip traffic
> export" feature added another header.  But the documentation says,
> "The unaltered IP packets are exported on a single LAN or VLAN
> interface, thereby, easing deployment of protocol analyzers and
> monitoring devices."

I haven't used that feature before, but if you would like to attach a
small capture file (2-3 packets) in a mail to the list, myself or
someone else could have a look at what the router may be adding.


Steve

Attachment: ip_traffic-export(ping).pcap
Description: Binary data
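The quoted cisco-nsp fixup (recompute the PPPoE session payload-length field when the router exports it as 0) and Wireshark's "Bogus IP length" complaint, as an added worked example. This is not the mediation server's code, not Frank's capture, and not Wireshark source: the function names (`pppoe_length_fixup`, `ip_length_problem`, `fixup_pcap`) and the sample frames are constructed for illustration, and the pcap handling assumes a little-endian pcap with link type 1 (Ethernet), which is what a Wireshark PC capturing the exported LAN flow would normally write.

```python
"""Added example: repair PPPoE session frames whose length field is 0 and
flag IPv4 headers whose total length is smaller than the header length.
All frames below are constructed; nothing here is the original capture."""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian pcap magic number
ETH_PPPOE_SESSION = 0x8864     # Ethernet type: PPPoE session stage
PPP_IPV4 = 0x0021              # PPP protocol number for IPv4
ETH_HDR = 14                   # Ethernet II header length
PPPOE_HDR = 6                  # ver/type, code, session id, length


def build_ipv4_icmp_echo(payload=b"abcdefgh"):
    """Constructed sample: minimal IPv4 header + ICMP echo request (checksums left 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + icmp


def build_pppoe_frame(ip_packet, length_field, trailer=b""):
    """Constructed: Ethernet II + PPPoE session + PPP(IPv4) + IP. The PPPoE
    length field is passed in explicitly so the broken '0' case can be built."""
    eth = (bytes.fromhex("00005e005301") + bytes.fromhex("00005e005302")
           + struct.pack("!H", ETH_PPPOE_SESSION))
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0001, length_field)
    return eth + pppoe + struct.pack("!H", PPP_IPV4) + ip_packet + trailer


def ip_length_problem(ip_bytes):
    """Return a Wireshark-style 'Bogus IP length' message when the IPv4
    total-length field is smaller than the IHL-derived header length, else None."""
    if len(ip_bytes) < 20:
        return "truncated IPv4 header"
    hdr_len = (ip_bytes[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", ip_bytes, 2)
    if total_len < hdr_len:
        return f"Bogus IP length ({total_len}, less than header length {hdr_len})"
    return None


def pppoe_length_fixup(frame):
    """Return (frame, changed). If the PPPoE session length field is 0, recompute
    it. PPPoE length covers the 2-byte PPP protocol field plus the payload, so for
    IPv4 it is 2 + IP total length; using the IP total length avoids counting
    Ethernet padding or a trailing FCS. Otherwise fall back to bytes remaining."""
    if len(frame) < ETH_HDR + PPPOE_HDR + 2:
        return frame, False
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_PPPOE_SESSION:
        return frame, False
    length, = struct.unpack_from("!H", frame, ETH_HDR + 4)
    if length != 0:
        return frame, False
    ppp_proto, = struct.unpack_from("!H", frame, ETH_HDR + PPPOE_HDR)
    rest = frame[ETH_HDR + PPPOE_HDR + 2:]
    new_len = len(frame) - ETH_HDR - PPPOE_HDR
    if ppp_proto == PPP_IPV4 and len(rest) >= 20:
        ip_total, = struct.unpack_from("!H", rest, 2)
        if 20 <= ip_total <= len(rest):
            new_len = 2 + ip_total
    fixed = bytearray(frame)
    struct.pack_into("!H", fixed, ETH_HDR + 4, new_len)
    return bytes(fixed), True


def pppoe_length_field(frame):
    """Read back the PPPoE length field (helper for checking results)."""
    return struct.unpack_from("!H", frame, ETH_HDR + 4)[0]


def write_pcap(frames):
    """Constructed: serialize frames as a little-endian pcap, link type 1."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1204300000 + i, 0, len(f), len(f)) + f
    return out


def fixup_pcap(data):
    """Walk a little-endian pcap byte string, apply pppoe_length_fixup to every
    record and return (new_pcap_bytes, number_of_frames_changed)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("this example handles little-endian pcap only")
    out, off, changed = bytearray(data[:24]), 24, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl]
        fixed, did = pppoe_length_fixup(frame)
        changed += int(did)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(fixed), orig) + fixed
        off += 16 + incl
    return bytes(out), changed
```

To try it on a real export, read the file into bytes, call `fixup_pcap`, and write the result out; Wireshark will then dissect the PPP and IP layers normally. The design choice worth noting is in `pppoe_length_fixup`: taking the length from the inner IPv4 total length rather than from the frame size, so that a padded or FCS-bearing frame does not get an over-long PPPoE length that would just move the "bogus length" complaint one layer down.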