IP Traffic Export

IPTraffic Export

原始 IP 流量导出（RawIP Traffic Export）是一个轻量级的思科 IOS 软件特性，用于将到达到离开网络设备的 IP 数据包导出到外部设备。它使用指定的局域网接口来导出所捕获的 IP 数据包。其目标是将原始 IP 数据包以未修改的格式导出到指定设备（比如说数据包分析程序或 IDS 设备）。

 

原始 IP 流量导出的特性包括：

1. 通过过滤功能（使用 ACL），可以只导出感兴趣的流量。

2. 采样选项可以减少流量输出量。

3. 使用与目标主机相关的 MAC、802.1q 或者交换机间链路（Inter-Switch Link，ISL）地址（而不是 IP 地址）来指定执行导出的以太网端口。

4. 当特性激活或禁用时设置 syslog 信息。

 

Configuration

 

Router(config)#iptraffic-export profile CCIE

Router(conf-rite)# interface FastEthernet0/0

Router(conf-rite)# bidirectional

Router(conf-rite)#mac-address 0200.4C4F.4F50

 

Router(config)#interfaceFastEthernet0/1

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip traffic-export apply CCIE

 

验证配置

Router#show ip traffic-export

Router IP Traffic ExportParameters

Monitored Interface             FastEthernet0/1

        Export Interface                FastEthernet0/0

        Destination MAC address 0200.4c4f.4f50

        bi-directional traffic export is on

Output IP Traffic ExportInformation    Packets/BytesExported    0/0

        Packets Dropped           0

        Sampling Rate             one-in-every 1 packets

       No Access List configured

Input IP Traffic ExportInformation     Packets/BytesExported    14/1400

        Packets Dropped           0

        Sampling Rate             one-in-every 1 packets

        No Access List configured

        Profile CCIE is Active

 

Snifer设备获取到流量

Frame417: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0

EthernetII, Src: 02:00:4c:4f:4f:50 (02:00:4c:4f:4f:50), Dst: 02:00:4c:4f:4f:50(02:00:4c:4f:4f:50)

    Destination: 02:00:4c:4f:4f:50(02:00:4c:4f:4f:50)

    Source: 02:00:4c:4f:4f:50(02:00:4c:4f:4f:50)

    Type: IP (0x0800)

InternetProtocol Version 4, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.1(192.168.1.1)

    Version: 4

    Header Length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

    Total Length: 100

    Identification: 0x0011 (17)

    Flags: 0x00

    Fragment offset: 0

    Time to live: 254

    Protocol: ICMP (1)

    Header checksum: 0x392c [correct]

    Source: 192.168.1.10 (192.168.1.10)

    Destination: 192.168.1.1 (192.168.1.1)

    [Source GeoIP: Unknown]

    [Destination GeoIP: Unknown]

InternetControl Message Protocol

    Type: 8 (Echo (ping) request)

    Code: 0

    Checksum: 0xeefd [correct]

    Identifier (BE): 5 (0x0005)

    Identifier (LE): 1280 (0x0500)

    Sequence number (BE): 0 (0x0000)

    Sequence number (LE): 0 (0x0000)

    Data (72 bytes)

 

使用ACL过滤流量

Router(config)#ip access-listextended telnet

Router(config-ext-nacl)#permittcp any any eq telnet

 

Router(config)#ip traffic-exportprofile CCIE

Router(conf-rite)#interfaceFastEthernet0/0

Router(conf-rite)#incomingaccess-list telnet

Router(conf-rite)#mac-address0200.4C4F.4F50

 

Router(config)#interfaceFastEthernet0/1

Router(config-if)# ip address192.168.1.1 255.255.255.0

Router(config-if)# iptraffic-export apply CCIE

 

验证配置

Router#show ip traffic-export

Router IP Traffic ExportParameters

Monitored Interface             FastEthernet0/1

        Export Interface                FastEthernet0/0

        Destination MAC address 0200.4c4f.4f50

        bi-directional traffic export is on

Output IP Traffic ExportInformation    Packets/BytesExported    0/0

        Packets Dropped           0

       Sampling Rate             one-in-every 1 packets

        No Access List configured

Input IP Traffic ExportInformation     Packets/BytesExported    45/1865

        Packets Dropped           115

        Sampling Rate             one-in-every 1 packets

        AccessList        telnet [named extended IP]

        Profile CCIE is Active

 

http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/ht_rawip.html

--------------------------------------------------------------------------------------------------------------------------------------