2

How would one go about capturing OSPF traffic in Wireshark between two routers?

I'm looking to do something like this:

[RTR A] - - - [LAPTOP] - - - [RTR B]
THE DOCTOR
    If your laptop has two Ethernet interfaces, you could create a bridge (br0) with, say, eth0 and eth1 combined in it, so the two routers can talk to each other through the laptop bridge interface. Also, if you are using Linux, for example, you could run tcpdump on eth0 and another tcpdump capture on eth1 to see what is coming in and out of both interfaces individually at the same time. I have no idea if you can run two separate captures in Wireshark, though, if you are using another OS, sorry. – jwbensley May 03 '13 at 19:44

6 Answers

2

You have two options:

  • Insert a dual-homed device in bridging mode between the two routers so that you can watch the traffic passing between them, or
  • Configure a mirroring port on a switch that's also connected to one of the routers, and read the traffic from that port.

The second option is obviously the least disruptive, but might not be possible depending on your network topology.

Flup
1

Put a switch in between the routers and then use port mirroring to see the traffic. Caution: most port-mirroring implementations encapsulate the mirrored traffic inside a VLAN.

Pascal Schmiel
1

While there are several solutions offered by others here that may work, I ended up doing the following:

[RTR A] - - - [DUMB HUB] - - - [RTR B]
                   |
                   |
                   |
               [LAPTOP]

I stuck a dumb hub in between the two routers and then connected a laptop on another interface of the hub to capture the traffic in Wireshark.

THE DOCTOR
0

Depending on your requirements, you could also use RITE (Traffic Export). This will send target packets on one interface to a MAC address on another interface.

http://blog.ipexpert.com/2010/07/01/router-ip-traffic-export-rite/

ip traffic-export profile EXPORT
 interface FastEthernet3/0
 bidirectional
 incoming access-list 100
 outgoing access-list 101
 mac-address 001d.6094.d09d
 incoming sample one-in-every 5
 outgoing sample one-in-every 5
!
interface FastEthernet1/0
 ip traffic-export apply EXPORT
!
access-list 100 permit tcp any any eq telnet
access-list 101 permit tcp any eq telnet any

Keller G
0

You can do it with a passive network tap, assuming it's a 100mbit connection (or you are willing to make it a 100mbit connection).

This device gets inserted between the two devices. Then you get 2 Ethernet ports to tap into - each one has the transmit pair from one device wired to receive on your laptop.

You need 2 network cards to capture both sides of the conversation. Newer versions of Wireshark can handle capturing from multiple interfaces simultaneously.

There are plenty of guides on making them. The particular device I linked to will even downgrade gigabit connections to 100mbit, so it will still work, but might slow down the network.

The advantage of passive taps is that you are completely unable to transmit onto the network - the transmit pairs of your network cards aren't wired to anything. So you won't interfere with anything accidentally, or affect the results that you are looking for. They are also incredibly cheap and easy to make - all you really need are 4 Cat5 punchdowns and a bit of wire to make a basic one.

Grant
0

Your question is tagged "Cisco" -- if these are Cisco routers, you can use IOS to capture packets right on the router. See https://supportforums.cisco.com/docs/DOC-5799 for details and some examples.

Mox
  • Thanks, but I am looking to use the filtering and statistical capabilities of Wireshark to create a traffic load profile. From what I can tell the IOS packet capture would be useful if I were troubleshooting something instead. – THE DOCTOR May 03 '13 at 20:35
  • As it describes in the link I included above, you can export an IOS packet capture in PCAP format. Then you can open it in Wireshark. – Mox May 17 '13 at 18:46
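As an added example (not code from any answer above), here is a small Python script that does offline what the asker wants from Wireshark's filtering and statistics: it picks OSPF (IP protocol 89) out of captured Ethernet frames and builds a per-router, per-packet-type load profile. The frames are constructed inline for the demonstration; the Router ID is also used as the IPv4 source, which is an assumption of the sample data, not a rule of the protocol.

```python
import struct
from collections import Counter

OSPF_PROTO = 89  # IP protocol number for OSPF; same as Wireshark's "ip.proto == 89"
OSPF_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request", 4: "LS Update", 5: "LS Ack"}


def parse_ospf(frame: bytes):
    """Return (router_id, type_name, ospf_length) for an Ethernet frame carrying
    OSPFv2 over IPv4, or None for any other frame (the filter step)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[23] != OSPF_PROTO:           # IPv4 protocol field (offset 9 in the IP header)
        return None
    ospf = frame[14 + ihl:]
    if len(ospf) < 24 or ospf[0] != 2:    # OSPFv2 header is 24 bytes, version byte == 2
        return None
    _version, ptype, length = struct.unpack("!BBH", ospf[:4])
    router_id = ".".join(str(b) for b in ospf[4:8])
    return router_id, OSPF_TYPES.get(ptype, f"type {ptype}"), length


def load_profile(frames):
    """Count OSPF packets and OSPF bytes per (router_id, packet type); non-OSPF frames are skipped."""
    packets, byte_count = Counter(), Counter()
    for f in frames:
        parsed = parse_ospf(f)
        if parsed is None:
            continue
        rid, tname, length = parsed
        packets[(rid, tname)] += 1
        byte_count[(rid, tname)] += length
    return packets, byte_count


def make_frame(src_rid, ptype, payload_len, proto=OSPF_PROTO):
    """Constructed sample frame: Ethernet + minimal IPv4 (TTL 1, to 224.0.0.5) + OSPFv2 header + zeroed body."""
    rid = bytes(map(int, src_rid.split(".")))
    eth = b"\x01\x00\x5e\x00\x00\x05" + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    ospf_len = 24 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + ospf_len, 0, 0, 1, proto, 0, rid, b"\xe0\x00\x00\x05")
    ospf = struct.pack("!BBH4s4sHHQ", 2, ptype, ospf_len, rid, b"\x00\x00\x00\x00", 0, 0, 0) + bytes(payload_len)
    return eth + ip + ospf


if __name__ == "__main__":
    sample = [make_frame("10.0.0.1", 1, 20), make_frame("10.0.0.2", 1, 20),
              make_frame("10.0.0.1", 4, 100), make_frame("10.0.0.1", 1, 20, proto=6)]  # last one is TCP, filtered out
    pkts, octets = load_profile(sample)
    for key in sorted(pkts):
        print(f"{key[0]:<12} {key[1]:<15} packets={pkts[key]} bytes={octets[key]}")
```

To run it on a real capture, replace the constructed list with frames read from the pcap Wireshark or tcpdump wrote (for example via a pcap reader library), keeping the same per-frame parser.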