Wireshark-users: Re: [Wireshark-users] Decoding packets from a Cisco's "ip traffic-export" flow

From: "Frank Bulk" <frnkblk@xxxxxxxxx>
Date: Wed, 26 Mar 2008 09:52:47 -0500
Good news: After one month of (slowly) working with Cisco's TAC the (third)
tech reproduced the problem.  

I've asked Cisco to supply me a Bug ID.

Frank

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Frank Bulk
Sent: Friday, February 29, 2008 10:34 PM
To: Wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Decoding packets from a Cisco's "ip
traffic-export" flow

I must be missing something obvious, so hopefully there's an easy answer.
I'm testing Cisco's "ip traffic-export" (http://tinyurl.com/3yalw4) feature
on a spare 7206VXR.  I've configured the "ip traffic export profile" to
monitor a PPPoE client on a WinXP laptop which is terminated onto one of the
router's Ethernet interface and am exporting the traffic out the router's
other Ethernet interface to my workstation equipped with Wireshark.  I've
applied the profile to the Virtual-Template.  To keep my tests simple, I'm
just sending a ping from the laptop the router.

The packets are showing up in Wireshark my workstation, but the packets
aren't decoding to show that they are a ping.  I see the payload of the ping
in the data section, but it's like the "ip traffic export" feature added
another header.  But the documentation says, "The unaltered IP packets are
exported on a single LAN or VLAN interface, thereby, easing deployment of
protocol analyzers and monitoring devices."

Does anyone have experience with this Cisco feature and explain to me if I'm
doing something wrong, or if I need to somehow create a filter that take
this into account?

Regards,

Frank

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users