Penetration Testing mailing list archives

Re: [PEN-TEST] ios/cisco packet sniffer...


From: Joe Shaw <jshaw () INSYNC NET>
Date: Sat, 25 Nov 2000 10:28:55 -0600

On Sat, 25 Nov 2000, van der Kooij, Hugo wrote:

> One good way to do a packet dump on a Cisco is:
>
>     router(config)#access-list 199 permit ip <source> <mask> <destination> <mask>
>     router(config)#access-list 199 permit ip <destination> <mask> <source> <mask>
>     router(config)#end
>     router# debug ip packet 199 dump
>
> Will dump packets destined to and from 192.168.0.1.
>
> Don't use it too liberally. Your router is now left open to a DoS attack. Unless
> you have a high CPU vs bandwidth ratio a simple portscan will render your
> router useless. (Customer thought he was smart. However I shot his router
> straight out of the sky the moment I started a noisy test.)

Actually, using debugging alone can bring a Cisco to its knees if you are
not careful.  The best way to try and hinder someone dropping your router
at this or any point, like in a small packet flood which will generally
send the CPU through the roof, is to institute process scheduling.  I
believe it only works on 7200 and up platforms running IOS 11.2 and later,
but it is useful.  The best part about it is that it's very tweakable.

--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named.
I have public opinions, and they have public relations.
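
For reference, the steps discussed in this thread written out as one IOS session, using the host 192.168.0.1 named above as the capture target. This is an added example, not part of either message in the thread; the logging settings and the `scheduler allocate` values are assumptions (the `scheduler allocate` form is the one for the 7200-class platforms Joe refers to, older platforms use `scheduler interval`), so check them against the IOS release actually in use before relying on them.

```cisco
! Added example, not from the original thread. Capture traffic to and from
! 192.168.0.1 (the host named in the post); everything else is an assumption.
configure terminal
 ! Match both directions so the dump shows both request and reply.
 access-list 199 permit ip host 192.168.0.1 any
 access-list 199 permit ip any host 192.168.0.1
 ! Debug output to the console costs CPU on every line; buffer it instead
 ! (assumed settings: buffer size and level).
 no logging console
 logging buffered 65536 debugging
 ! Reserve CPU time for process-level work so a packet flood arriving while
 ! the debug runs does not starve the router. Values are illustrative only.
 scheduler allocate 4000 1000
end
! Run the filtered dump, and stop it as soon as enough has been captured.
debug ip packet 199 dump
undebug all
show logging
! Clean up: remove the capture ACL so it cannot be reused by accident.
configure terminal
 no access-list 199
end
```

The point of the ACL is that `debug ip packet` without a filter inspects every packet the router process-switches, which is exactly the condition Hugo describes; restricting it to one host and stopping it with `undebug all` the moment the capture is done keeps the window in which a scan can overload the box as short as possible.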


Current thread: