Wireshark-users: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

From: "Frank Bulk" <frnkblk@xxxxxxxxx>
Date: Mon, 3 Mar 2008 11:11:44 -0600
Based on the other postings, it looks like I need to test this on another
platform.  I may have omitted to mention this earlier, but IP Traffic Export
is not mentioned in Cisco's Feature Navigator for this code release on the
7200.  It's possible that this feature was compiled in but never tested and
perhaps not supported.

I've opened up a case with TAC and we'll see how that goes.  At the same
time, I'm going to try to see if I can find a 3600/3800 from another
company, a box that does specifically support IP Traffic Export.

I could also load a 12.3 line of code that does officially support that
feature on the 7200 and see if it acts any differently/better.

Regards,

Frank

-----Original Message-----
From: Bill Meier [mailto:wmeier@xxxxxxxxxxx] 
Sent: Saturday, March 01, 2008 2:18 PM
To: Community support list for Wireshark
Cc: frnkblk@xxxxxxxxx
Subject: Re: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow

Frank Bulk wrote:
> Thanks!  Did you use bittwiste with the '-D' option to remove the first 24
> bytes?

Actually: I did it the hard way using Wireshark export, an editor and
then text2pcap.  :)

(It's only the first 12 bytes that need to be removed).

>
> The "from" in your modified capture is properly decoded as the Sony laptop
> I'm using (00:01:4a:9e:0e:06), but the destination (08:00:b6:53:00:08) seems
> to be some kind of variation off of the MAC address of the 7200VXR's
> FastEthernet interface (0030.b653.0008) that Sony laptop is connected to.
> Perhaps it's the MAC address of loopback interface I have defined for the
> Virtual-Template?
>
>

> In any case, is there an option in Wireshark to ignore the first 'x' bytes,
> or, is it possible for someone to write a dissector that handles the IP
> Traffic Export format, perhaps making it optional in the "Frame" section in
> the same way that "Treat all frames as DOCSIS frames"?
>

1. AFAIK there's no option to ignore the first x bytes.
2. It's certainly possible to add some code to be able to process this type
of capture.

That being said, as you've suggested one would want to know more as to
whether this is a standard Cisco format for 'IP Traffic Export' and so on.

I'm not familiar with this Cisco functionality so I'll leave the
decision as to the best way to proceed to those who are.
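The manual route Bill describes above (export, edit, text2pcap) can be scripted. The following is an added example written for this thread, not code from Cisco or from the Wireshark project: it reads a libpcap file, drops a fixed-length prefix from the front of every record (12 bytes, per Bill's observation), rewrites the record lengths and the link type so the remainder dissects as plain Ethernet, and checks the result by parsing the Ethernet header. The embedded sample capture is constructed for the example; its 12 prefix bytes are placeholders, since the thread does not document what the export header actually contains, and the script name `strip_export.py` in the usage note is hypothetical.

```python
"""Strip a fixed-length per-packet prefix from a libpcap capture so the
remainder can be dissected as Ethernet. Example code for this thread, not
Cisco's or Wireshark's. The sample capture below is constructed; its 12
prefix bytes are placeholders, since the real export header layout is
not documented here."""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
GHDR_FMT = "IHHiIII"         # magic, v_major, v_minor, thiszone, sigfigs, snaplen, linktype
RHDR_FMT = "IIII"            # ts_sec, ts_usec, incl_len, orig_len


def parse_pcap(data):
    """Return (endian_char, global_header_tuple, [(ts_sec, ts_usec, orig_len, pkt)])."""
    if len(data) < 24:
        raise ValueError("file shorter than a libpcap global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le == PCAP_MAGIC:
        endian = "<"
    elif magic_le == 0xD4C3B2A1:       # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (magic %#010x)" % magic_le)
    ghdr = struct.Struct(endian + GHDR_FMT)
    rhdr = struct.Struct(endian + RHDR_FMT)
    fields = ghdr.unpack_from(data, 0)
    off = ghdr.size
    records = []
    while off < len(data):
        if len(data) - off < rhdr.size:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = rhdr.unpack_from(data, off)
        off += rhdr.size
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_usec, orig_len, pkt))
    return endian, fields, records


def strip_prefix(data, prefix_len=12, linktype=LINKTYPE_ETHERNET):
    """Drop prefix_len bytes from every packet and rewrite the capture with
    the given link type. Packets too short to hold the prefix plus a 14-byte
    Ethernet header are dropped rather than written as malformed frames.
    Returns (new_capture_bytes, number_of_packets_kept)."""
    endian, fields, records = parse_pcap(data)
    magic, vmaj, vmin, thiszone, sigfigs, snaplen, _ = fields
    out = bytearray(struct.pack(endian + GHDR_FMT, magic, vmaj, vmin,
                                thiszone, sigfigs, snaplen, linktype))
    kept = 0
    for ts_sec, ts_usec, orig_len, pkt in records:
        if len(pkt) < prefix_len + 14:
            continue
        body = pkt[prefix_len:]
        new_orig = max(orig_len - prefix_len, len(body))  # keep orig_len >= incl_len
        out += struct.pack(endian + RHDR_FMT, ts_sec, ts_usec, len(body), new_orig)
        out += body
        kept += 1
    return bytes(out), kept


def ethernet_summary(frame):
    """(dst_mac, src_mac, ethertype) for a frame that should now be plain Ethernet."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    mac = lambda b: ":".join("%02x" % x for x in b)
    return mac(frame[0:6]), mac(frame[6:12]), struct.unpack("!H", frame[12:14])[0]


def build_sample_capture():
    """Constructed two-record capture: an exported frame (12 placeholder prefix
    bytes + Ethernet/IPv4/ICMP between the two MACs quoted in the thread) and
    a runt record that the stripper should drop."""
    prefix = bytes(range(0x10, 0x1C))                               # 12 placeholder bytes
    eth = bytes.fromhex("00014a9e0e06") + bytes.fromhex("0030b6530008") + b"\x08\x00"
    ipv4 = bytes.fromhex("4500002400004000400100000a0000010a000002")  # 20 bytes, checksum unverified
    icmp = bytes.fromhex("0800f7ff00010001") + b"\x00" * 8           # 16-byte echo request
    pkt = prefix + eth + ipv4 + icmp                                 # 62 bytes
    runt = prefix[:8]                                                # too short to be a frame
    cap = struct.pack("<" + GHDR_FMT, PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    cap += struct.pack("<" + RHDR_FMT, 1204477200, 0, len(pkt), len(pkt)) + pkt
    cap += struct.pack("<" + RHDR_FMT, 1204477201, 0, len(runt), len(runt)) + runt
    return cap


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_capture()
    fixed, kept = strip_prefix(data)
    if len(sys.argv) == 3:
        with open(sys.argv[2], "wb") as f:
            f.write(fixed)
    for _, _, _, frame in parse_pcap(fixed)[2]:
        print("dst=%s src=%s ethertype=0x%04x" % ethernet_summary(frame))
    print("kept %d frame(s)" % kept)
```

Run as `python3 strip_export.py export.pcap fixed.pcap` on a real export and open the result in Wireshark; run with no arguments to see the constructed sample, where the stripped frame decodes with the laptop's MAC as destination and the 7200's FastEthernet MAC as source. If the 08:00:b6:53:00:08 destination in the real export still looks wrong after the chop, that points at the prefix not being a constant 12 bytes, so compare the first frames by hand before trusting a fixed offset. Wireshark's own editcap also does this chop (`editcap -C 12 in.pcap out.pcap`), which is the quicker check once the offset is known.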