 mbruno
join:2003-07-03 Fruitland, MD
·Verizon Online DSL
·Comcast
| [HELP] how to tell who is on your Cisco 871
hello all,
I need some help to see why my Cisco 871 router has been transferring data non-stop for the last 3 hours. So let me explain what I know so far. I have three devices plus a wireless device hanging off my router. I know the wireless device is secure because I can turn on my laptop and do a scan of the devices around my area and see it prompting for a username and password. The odds of someone getting the password are very slim.
The other three devices are my computer and my wife's computer, which both have wireless turned off, and a TiVo using a wired connection. If I log in to the console and do a sh arp I see all the devices in the arp table, and if I do a sh users the only one listed is me from the console. If I unplug the TiVo connection from the wall the tx and rx data lights stop and everything is normal.
So I think I found what is causing the data transfer, but if I go to the TiVo menu (while it is transferring data) it shows nothing being transferred from the internet or outgoing. So, what I would like to know is what Cisco command can I use to assure myself that it is indeed coming from that IP address (TiVo)? Also, by the way, I have http on the router turned off as well.
Thanks |
|
 mbruno
join:2003-07-03 Fruitland, MD
·Verizon Online DSL
·Comcast
| Here is the config as well.
User Access Verification

Username: *******
Password:
orion#sh run
Building configuration...

Current configuration : 3442 bytes
!
! Last configuration change at 05:50:16 NewYork Sun May 11 2008 by mbruno
! NVRAM config last updated at 05:50:18 NewYork Sun May 11 2008 by mbruno
!
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname orion
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
username ********* privilege 15 secret 5 ******.
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.200 10.10.10.220
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip domain name bruno.org
ip ips po max-events 100
login on-failure log
login on-success log
no ftp-server write-enable
!
!
!
!
class-map match-all voice-traffic
 match access-group 102
!
!
policy-map VOICE-POLICY
 class voice-traffic
  priority percent 70
 class class-default
  fair-queue
!
!
!
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description $ETH-LAN$
 mac-address 0016.3612.3775
 bandwidth 3000
 no ip address
 ip nbar protocol-discovery
 ip virtual-reassembly
 service-policy output VOICE-POLICY
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname *****************
 ppp chap password 7 **********
 ppp pap sent-username ******* password 7 *********
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.204 21 71.200.102.158 21 extendable
!
logging history warnings
logging trap debugging
logging source-interface FastEthernet4
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 102 permit udp any any range 16384 32776
access-list 102 permit udp any any precedence critical
access-list 102 permit udp any any dscp ef
access-list 102 permit udp host 10.10.10.209 any
dialer-list 1 protocol ip permit
snmp-server community **************** RO
snmp-server enable traps tty
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps syslog
no cdp run
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
ntp clock-period 17175069
ntp server 206.246.118.250
ntp server 129.6.15.29
end

orion#sh users
    Line       User       Host(s)              Idle       Location
*  0 con 0     mbruno     idle                 00:00:00

  Interface    User     Mode     Idle      Peer Address
  Vi1          PPPoE             00:00:07  10.31.4.1

orion# |
|
  Gramzster Click, Click
join:2002-07-02 London, ON
| reply to mbruno If you use the command "show ip nat translations", that will inform you of all the active connections. Now it won't say how much bandwidth, but it will give you a slight idea of what is communicating over your network.
The other (and possibly better) option is you can enable NetFlow on your Vlan1 interface. This will identify the "top talkers" on the interface, which identifies the top protocols and destinations for traffic.
You can enable this by:
Then you can use "sh ip flow top-talkers", which will give you a list of who and what is generating traffic on your network. |
|
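The "show ip nat translations" suggestion above answers the original question only if you can read the table quickly; on a busy router the list runs to hundreds of rows. The script below is an added example for this thread, not code from Gramzster's post or from Cisco: it takes the pasted output of "show ip nat translations" and reports, per inside host, how many active translations exist and which outside addresses they reach, so a single chatty device stands out. The sample output is constructed, and the column layout (Pro / Inside global / Inside local / Outside local / Outside global, with "---" for static entries) is the IOS format the script assumes.

```python
"""Summarise `show ip nat translations` output per inside host.

Added example for this thread, not code from the original post. It reads
the text of `show ip nat translations` pasted from the console and counts
active translations per inside-local address, listing the outside hosts
each one is talking to. The sample output is constructed; the column
layout is the IOS format this script assumes.
"""
from collections import Counter, defaultdict

# Constructed sample output. 66.114.49.40 is the address mentioned in the
# thread; every other address and port here is made up for the example.
SAMPLE = """\
Pro Inside global       Inside local        Outside local       Outside global
tcp 71.200.102.158:3421 10.10.10.203:3421   66.114.49.40:80     66.114.49.40:80
tcp 71.200.102.158:3422 10.10.10.203:3422   66.114.49.41:80     66.114.49.41:80
udp 71.200.102.158:5060 10.10.10.209:5060   203.0.113.7:5060    203.0.113.7:5060
tcp 71.200.102.158:21   10.10.10.204:21     198.51.100.20:4310  198.51.100.20:4310
--- 71.200.102.158      10.10.10.204        ---                 ---
"""


def parse_translations(text):
    """Return a list of (proto, inside_local_ip, outside_ip) per row.

    Static entries show '---' in the protocol and outside columns; they are
    kept (with outside set to None) so the inside host still appears.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue  # header, blank, or a line we do not understand
        proto, _inside_global, inside_local, _outside_local, outside_global = parts
        inside_ip = inside_local.split(":")[0]
        outside_ip = None if outside_global == "---" else outside_global.split(":")[0]
        rows.append((proto, inside_ip, outside_ip))
    return rows


def sessions_per_host(rows):
    """Count dynamic translations per inside host (static '---' rows ignored)."""
    return Counter(inside for _proto, inside, outside in rows if outside is not None)


def peers_per_host(rows):
    """Map each inside host to the set of outside hosts it is talking to."""
    peers = defaultdict(set)
    for _proto, inside, outside in rows:
        if outside is not None:
            peers[inside].add(outside)
    return dict(peers)


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    peers = peers_per_host(rows)
    for host, n in sessions_per_host(rows).most_common():
        print(f"{host:<16} {n:>3} active translations -> {sorted(peers[host])}")
```

Paste the router output into SAMPLE (or read it from a file) and the host with the most translations prints first; the peer list is what you would then look up, as mbruno did with the 66.114.49.40 address. Note that translation counts say how many conversations exist, not how much data they move; the accounting approach later in the thread covers volume.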
 mbruno
join:2003-07-03 Fruitland, MD
·Verizon Online DSL
·Comcast
| Thanks for the info. I have found out that it is coming from a range, and one of the IP addresses is 66.114.49.40, which goes to a panther-express, which is a delivery content going to the TiVo, but I have no clue what is doing which worries me a little. Is there anything else I can do to find more info on this? I do know it is definitely going to the TiVo box. |
|
 Euphrates
join:2007-04-30 Bellingham, WA
| reply to mbruno You can also try the following:
!
interface Vlan1
 ip accounting output-packets
!
This will provide you with an output similar to this if you use the "show ip accounting" command:
   Source           Destination              Packets      Bytes
 192.168.x.x                                  25          30594
 192.168.x.x                                  42          15784
 192.168.x.x                                  68          80018
The "Source" field is the public IP address and the "Destination" field is the internal IP address of the device communicating with that public IP. The other fields tell you how many packets and bytes of data were transferred. The data being transferred may just be keep-alives and program updates that are normal for this device. If, over the course of what you feel is an appropriate amount of time, you check this and notice that the data sizes aren't that large, then it's probably just small updates and normal communication. If it is large then it may have been a large update. This command is good for seeing if the device is sending small or large amounts of traffic as well as what public IP address it is going to.
Another option, since you are using a Cisco 871, is to configure a monitor port and put a computer with packet capturing software (Wireshark) on it. You can tell it to specifically capture packets for the TiVo.
Let me know if you are interested in that approach and I can provide the commands. |
|
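Euphrates' point is that the byte column, checked over a sensible window, is what separates keep-alives from a bulk transfer. The script below is an added example for this thread, not code from that post or from Cisco: it parses the "show ip accounting" table, totals bytes per internal (destination) host, shows which remote addresses make up each total, and flags any host above a byte threshold you pick for the window you sampled. The rows are constructed; 66.114.49.40 is the address mbruno mentioned and the 10.10.10.x hosts fall in the poster's DHCP range, but every count is invented, and the four-column layout (Source / Destination / Packets / Bytes) is the format the post shows.

```python
"""Aggregate `show ip accounting` counters per internal host.

Added example for this thread, not code from the original post. With
`ip accounting output-packets` on Vlan1 each row is: remote (public)
source, internal destination, packets, bytes. This script totals bytes per
internal host, breaks each total down by remote address, and flags hosts
above a caller-chosen threshold. Sample rows are constructed.
"""
from collections import defaultdict

# Constructed sample output in the four-column layout shown in the thread.
SAMPLE = """\
   Source           Destination              Packets      Bytes
 66.114.49.40       10.10.10.203              41820     58421310
 66.114.49.41       10.10.10.203               3105      4207731
 203.0.113.7        10.10.10.209               1260       210240
 198.51.100.20      10.10.10.204                 68        80018
"""


def parse_accounting(text):
    """Return a list of (source, destination, packets, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Source":
            continue  # header, blank, or "Accounting data age is" trailer
        src, dst, pkts, nbytes = parts
        rows.append((src, dst, int(pkts), int(nbytes)))
    return rows


def bytes_per_destination(rows):
    """Total bytes delivered to each internal (destination) host."""
    totals = defaultdict(int)
    for _src, dst, _pkts, nbytes in rows:
        totals[dst] += nbytes
    return dict(totals)


def remote_breakdown(rows, host):
    """(remote source, bytes) pairs for one internal host, largest first."""
    per_src = defaultdict(int)
    for src, dst, _pkts, nbytes in rows:
        if dst == host:
            per_src[src] += nbytes
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)


def heavy_hosts(rows, threshold_bytes):
    """Internal hosts whose total exceeds threshold_bytes, largest first."""
    totals = bytes_per_destination(rows)
    return sorted(
        ((h, b) for h, b in totals.items() if b > threshold_bytes),
        key=lambda kv: kv[1],
        reverse=True,
    )


if __name__ == "__main__":
    rows = parse_accounting(SAMPLE)
    for host, total in sorted(bytes_per_destination(rows).items(), key=lambda kv: -kv[1]):
        print(f"{host:<14} {total / 1e6:8.1f} MB")
        for src, b in remote_breakdown(rows, host):
            print(f"    from {src:<16} {b / 1e6:8.1f} MB")
    # 10 MB is an arbitrary threshold for the example window, not a rule.
    print("heavy:", heavy_hosts(rows, 10_000_000))
```

The counters are cumulative, so clear them ("clear ip accounting"), wait the interval you care about, then paste the output: the per-host total then reflects only that window, which is what makes the small-update-versus-large-transfer judgement in the post meaningful.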
 mbruno
join:2003-07-03 Fruitland, MD | Sure the more the better.
Thanks for the info! |
|
 Euphrates
join:2007-04-30 Bellingham, WA
| reply to mbruno Here it is:
monitor session 1 source interface Fa1 - 3 both
monitor session 1 destination interface Fa0
Basically, that says that both tx and rx traffic from interfaces Fa1 through Fa3 should be repeated on Fa0. Now, if your TiVo is just on interface Fa2, for example, then you can set it up like this:
monitor session 1 source interface Fa2 both
monitor session 1 destination interface Fa0
Once that is done, install Wireshark on a laptop/desktop machine, plug it into the destination interface (Fa0 in the case of this config), and give it a static IP address based off your network scheme.
Note: You won't be able to communicate on the network or internet with this machine while it is on that port because the port is a monitor port now. |
|
 rsd99
join:2004-03-04 Phoenixville, PA | Is there a way I can monitor Fa4? It'll let me configure a monitor on the others, just not Fa4. |
|