Reading Network Traffic Remotely with an Auvik Box and Wireshark
On this holiday weekend I wanted to share a nifty trick I came up with the other day. I was migrating local DHCP services to centralized DHCP services for one of our clients, and I had the unusual task of identifying the DHCP options being handed out for several DHCP scopes on a server we had no management access to (there was no way to see in the backend what DHCP options were configured on it). So I came up with this solution to find them out directly from the wire.
This can be used to troubleshoot issues with multicast, OSPF neighborships between layer 3 switches, and a whole lot more!
This trick doesn't have to be done with an Auvik box; really, it can be done with any device that you have RMM (remote monitoring and management) access to. It's just easy to do with an Auvik box because it is often a device that no one is actively using, so a momentary disruption to it is acceptable.
Prerequisites:
RMM accessible device
-could be an Auvik collector or another PC
If you are going to use an Auvik collector for this, make sure to turn off the "device disconnected" alerts for the device and re-enable them after your testing
VPN access to the switch the Auvik collector is attached to (this way you don't have to send someone on-site if you can't revert the port configuration)
-test in advance that you have management access to the switch before making these changes (and that no ACLs are blocking the connection)
(optional) MAC address of a device that you are looking for DHCP discover messages from (this will make it easier to identify the correct packets)
WARNING:
This is not something that you would want to do with an Auvik collector that is a VM hosted on a server with other VMs, as you will overload the NIC and possibly disrupt service to those other VMs.
If the Auvik collector or PC is old, flooding its NIC with mirrored packets could freeze it, and you may need to reboot it to bring it back online.
Process
1.) Identify the ports that the Auvik collector and the subject device (the one whose traffic you want to capture) are connected to.
-To do this you can ping the Auvik collector, check the ARP table and cross-reference the MAC address table, or just search the MAC address table for the MAC address of the subject device
-This will still work even if the subject device is on another switch.
***But you would not want to perform this on a switch that the Auvik collector is not directly connected to!
2.) Once you have the ports identified, make sure that Wireshark is installed and running on the Auvik collector. Bring it to the screen that lists the collector's network interfaces and select its NIC.
3.) Once Wireshark is running (capturing), make sure that no mirror session already exists in the running config with the session number you are about to use (so that you aren't overwriting current configuration).
On a Cisco device, checking for existing monitor sessions looks like this:
Switch# show run | i monitor
Switch#
Then mirror from the port where the subject device connects to the Auvik collector's port (so that the Auvik collector will receive a copy of any packets arriving on the subject device's port)
Switch# config t
Switch(config)# monitor session 1 source interface GigabitEthernet1/0/3
Switch(config)# monitor session 1 destination interface GigabitEthernet2/0/7
Switch(config)#
At this point you will lose connectivity to your Auvik collector, so you need to be accessing the switch over the VPN.
4.) Bounce the interface of the subject device so that it sends new DHCP discover messages.
Switch(config)# interface GigabitEthernet1/0/3
Switch(config-if)# shut
Switch(config-if)# no shut
Switch(config-if)# exit
5.) After waiting a moment to make sure the proper packets were sent, remove the monitor session configuration. This will allow you to reconnect to your Auvik collector.
Switch(config)# no monitor session 1
You can verify that the configuration was removed as well.
Switch(config)# do sh run | i monitor
Switch(config)#
6.) In a moment you will be able to reach your Auvik collector again. When you can access it, stop the Wireshark capture.
7.) Filter the capture for the protocol in question (such as DHCP). In the packets captured for that protocol you will see the details, such as the DHCP options in the offer and acknowledgement packets.
8.) Don't forget to turn alerts back on for "device disconnected".
The commands needed will be slightly different depending on what vendor switch you are using.
You can use this for reference with Cisco switches: https://community.cisco.com/t5/networking-knowledge-base/how-to-configure-port-monitoring-span-on-a-catalyst-2940-2950/ta-p/3132032
Thanks for reading! I hope this helps you and saves you a little time! Comment below if you have any questions and I will respond!