ATM packet sniffing on a Cisco?

From: James W. Abendschan (jwaat_private)
Date: Mon Aug 06 2001 - 23:20:09 PDT

  • Next message: Lists: "Pwdump2 with UNICODE?"

    I had an opportunity recently to play with a Cisco 3600 in enable mode.
    The router had a fastethernet and an ATM interface; I tried lots of
    'debug fastethernet packets' and 'debug interface fastethernet 0/0'
    variations, but to no avail.
    The ATM interface, on the other hand, was a different story:
    foo233#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 3600 Software (C3620-IS-M), Version 12.1(5)T7,  RELEASE SOFTWARE (fc1)
    [ ... ]
    foo233#debug atm packet interface ATM1/0.1
    foo233#terminal length 0
    foo233#show log
    [ ... ]
    1w1d: ATM1/0.1(O):
    VCD:0x1 VPI:0x1 VCI:0x20 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x87
    1w1d: 45C0 007B 0055 0000 FF06 E49E DEAD BEEF D863 DAA1 0017 F42C 2077 E022 AA26
    1w1d: B281 5018 0F97 E6D4 0000 4154 4D20 7061 636B 6574 7320 6465 6275 6767 696E
    1w1d: 6720 6973 206F 6E0D 0A44 6973 706C 6179 696E 6720 7061 636B 6574 7320 6F6E
    1w1d: 2069 6E74 6572 6661 6365 2041 544D 312F 302E 3120 6F6E 6C79 0D0A 666F 6F32
    1w1d: 3333 2330
    1w1d: ATM1/0.1(I):
    VCD:0x1 VPI:0x1 VCI:0x20 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x34
    1w1d: 4500 0028 A8B7 4000 3406 C84F D863 DAA1 DEAD BEEF F42C 0017 AA26 B281 2077
    1w1d: E022 5010 7FB8 08CD 0000
    [ ... ]
    I enlarged the log buffer & wrote an expect script that sat in a loop
        undebug atm packet interface ATM1/0.1
        show log
        clear logging
        debug atm packet interface ATM1/0.1
        sleep 10
    .. and logged the output to a file.  A perl script made the output readable.
    (script will eventually be @
    Through this, I was able to sniff ICMP, UDP and TCP, but it seemed to drop
    many packets.  As the self-sniff example above shows, the payload was not
    zeroed out; I was able to see many SNMP and DNS queries, and occasional
    HTTP GETs.
    Has anyone else played with this?
    ps: yes, I've read the very fine "THINGS TO DO IN CISCOLAND WHEN YOU'RE DEAD"
    ( ) .. GRE was not an option.
    Maybe next time :-)
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:

    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 15:17:42 PDT