Debugging TCP traffic
I have an access list as shown:
access-list 199 permit tcp host <ip address> any
What debugging command can I use so that I can see the TCP traffic from this specific list?
Thanks
Corey
There is an implicit part of the answer by Ankur and I think it helps to make it explicit. If you add the log keyword to the access list, then you also need to apply the access list to appropriate interface(s). And you would need to determine if there is any interaction between this access list and any other access lists that may be applied on any interface.
I believe that you were probably looking for the debug ip packet 199 as Ankur has said. This modifies the debug output and only shows traffic that matches the access list. This can be very effective in reducing the impact of a debug that is potentially very disruptive.
Also, if you are telnetted to a router when you do this, you will need to do terminal monitor so that you can see the debug output.
HTH
Rick
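Rick's and Ankur's points assembled into one complete session, as an added example that is not from the original thread; the host 192.0.2.10 and interface GigabitEthernet0/1 are assumed. One caveat the thread does not mention: debug ip packet only reports packets the router process-switches, so CEF- or fast-switched transit traffic will not show up in the output even when it matches the list.

```cisco
! Constructed example: host 192.0.2.10 and Gi0/1 are placeholders.
! ACL 199 is used only as a debug filter. It is never applied to an
! interface, so its implicit deny at the end affects no traffic.
access-list 199 permit tcp host 192.0.2.10 any

! The "log" keyword only produces messages once the ACL sits on an
! interface, and there the implicit deny would block everything else.
! Use a separate ACL that ends with an explicit permit. Only one ACL
! can be applied per interface and direction, so this replaces any
! inbound ACL already on Gi0/1 (the "interaction" Rick warns about).
access-list 198 permit tcp host 192.0.2.10 any log
access-list 198 permit ip any any
interface GigabitEthernet0/1
 ip access-group 198 in

! From a telnet/SSH session: send debug (and log) output to this VTY,
! enable the filtered debug, reproduce the traffic, then stop it.
terminal monitor
debug ip packet 199 detail
undebug all
terminal no monitor
```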
Similar Messages
-
I'm having issues with TCP traffic between my edge and my core. Using L2 redirection at my edge with a 4507 (l3) and L2 redirection at my core with a 6500Sup720. I have a dedicated VLAN for my WAE's at both sites.
I issue the 'sh tfo connection summary' on my Core WAE and I see the following:
Local-IP:Port Remote-IP:Port ConnType
HostAIP:45056 HostBIP:80 PT AD Int Error
Does anyone know what the 'PT AD Int Error' indicates?
Michael,
We'll need to collect some additional information to determine what is going on. Can we start with the following (assuming you can reproduce the condition):
1. Change the disk logging level to 'debug':
conf
logg disk prior debug
end
2. Enable TFO AD debugging:
debug tfo conn auto
3. Disable the debug:
un all
4. Send me the syslog.txt file from the local1 directory.
Would it also be possible to collect a packet capture from the WAE showing this state?
Thanks,
Zach -
Switch sending tcp traffic to incorrect interface
Need help diagnosing a layer 2 networking issue. We had a report from an end user of slow file server access from his computer, but local applications were responding normally. No one else was having issues in his area. Port mirrored the employee's access port (Gi1/0/33) and noticed traffic from another computer crossing onto his port. Our design is to have one computer per port. This traffic was not intended for his computer, as it was another employee opening and closing files on the file server (file server located on another switch). Checked the MAC address table and his MAC address was the only one associated on the port. Traced the 2nd employee's MAC address to a neighboring port (Gi1/0/35). The only MAC address associated on Gi1/0/35 was the 2nd employee's. Cleared the MAC address entry for Gi1/0/33 only and the extra traffic was eliminated immediately.
Why would a switch send TCP traffic to a port that a client does not communicate on? I asked the second employee if they noticed any issue in accessing the file server and none were reported. Switch is a 3750X with version 12.2.
I've been double checking everything this morning and I feel we were not attacked. All the MAC addresses in my capture are valid system addresses. ISE does not show any authorized machines attempting to connect to the switch. We have DHCP snooping enabled throughout the organization. That was a great article to learn from though.
I've included a Visio of the setup and a snippet of the wire capture and ARP/MAC tables as they were captured during the incident. Traffic from the file server intended for employee 2 was flooding the port employee 1 was connected on. The destination MAC address of the packets was not meant for employee 1.
Default config for both ports:
switchport access vlan 101
switchport mode access
ip access-group ACL_DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
Am I missing something? Was this an attack? Was it a fluke? -
How do I do the following so I can get into my chess program??
The access to our new chess hall may be blocked by your local firewall. You would need to reconfigure your firewall to open port 15010 for TCP traffic.
This is not really Firefox related.
What you need to do here is to read the firewall manual which usually explains how to create a rule for what you want to do.
If you're using the Windows XP firewall, see this Microsoft article: http://windows.microsoft.com/en-US/windows-vista/Firewall-frequently-asked-questions -
IPhone app to intercept TCP traffic
Hi,
I would like to write an app for iPhone that will run in background and intercept all TCP traffic on iPhone generated by Safari browser.
Is it possible to write such an app? Any relevant links or articles would be much appreciated.
Anyone aware of similar app that runs on normal iPhone (not jailbreak)?
Thanks.
Ambi.
> intercept all TCP traffic on iPhone generated by Safari browser.
Your app does not have access outside of its own sandbox... it's a privacy thing and a good one too. -
I'm getting constant TCP traffic between my computer (192.168.1.101) and the Linksys wireless -G router gateway (192.168.1.1). I used Wireshark to inspect the traffic, and various "agents" on various ports are pushing data to park-agent on port 5431. Each time I start Wireshark, I seem to get a different agent sending data to park-agent:
taurus-wh (port 1610)
commonspace (1592)
danf-ak2 (1041)
tripwire (1169)
bmc-patiddb (1313)
I don't know how to fix this. Any help much appreciated. Thanks.
http://www.pc-library.com/ports/tcp-udp-port/5431/ indicates this port may be used by Trojan.Win32.Vaklik.dr. I would advise making sure your Anti Virus/Anti Malware software is up to date, run a full system scan, and see if the problem stops. If not, you should seek help either from your AV software vendor, or from one of the numerous security sites on the internet.
-
Slow tcp traffic over ge0 interface
I have a server that, while using ge0 for UDP traffic, uses the full bandwidth, but for TCP it is slow as hell.... ttcp is showing how slow it is, into the kbps rather than Mbps. I want to know if there is a specific patch to fix this.
-
Debugging HTTP traffic from iPad with Charles
Here's a great tip on how to use Charles on your Mac or PC to proxy HTTP traffic from your iPad so you can debug it.
http://www.ravelrumba.com/blog/ipad-http-debugging/
Talking of debugging iPad, and Flash apps specifically, I only recently tried out the "Quick publishing for device debugging" option. When you do that, and run the app on the device, you can set Flash to be in a remote debugging session, and on the app screen you type in the IP address of your computer. You can then debug the running app in just the same way you would debug a swf running in your desktop browser. You don't even have to be connected by USB; it works across the wireless network.
-
I want to see what my associated users are connecting to [ip address] and what tcp port.
I see a command that is close to what I'm looking for....show tcp brief. This is what I get:
TCB Local Address Foreign Address (state)
00B1063C 10.1.1.15.23 laptop.am.4823 ESTAB
[This shows my laptop hitting the AP on port 23.]
The problem is that this is from the AP perspective, I'm looking for connection details from a user perspective.
Does anyone know if this is possible and if so what command would accomplish this?
You will want to look into NetFlow.
There are several commercial apps that do this as well as open source apps such as ntop.
You can also get such info along with even more detail using sniffer software.
The Cisco wireless system has the ability to feed a sniffer app from the wireless directly.
If you are using a 4.x WLC, you can feed it to AiroPeek; if you are using 5.x and above, you can point it at Wireshark.
http://www.cisco.com/en/US/docs/wireless/controller/4.2/command/reference/cli42c1.html#wp2465366 -
Set tcp ip debug issue! doesn't log!
Hi,
I have tried to debug TCP/IP traffic but the usual logging doesn't work.
I set the debugger to 1
use the net
set it to 0
unload conlog
view the conlog file
but it doesn't show any traffic at all.
Only logs the commands executed on system screen.
currently NW 6.0 sp3 on both servers (BM + fileserver)
Tried to find something on it on Craig's site but there was a mention from last year that it had a bug that should be fixed with sp1.
Help appreciated,
Dom
Dominicus B
architect
Finland
www.abrakadabra.fi
In article <[email protected]>, DomincusB wrote:
> Save the screen to a file?
>
Yes, press F1 on the logger screen and see the help content. F2 should save to a file. With the latest patches for NetWare, you can specify the file location and name as well.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com *** -
Slow TCP performance for traffic routed by ACE module
Hi,
the customer uses two ACE20 modules in active-standby mode. The ACE load-balances servers correctly. But there is a problem with communication between servers in the different ACE contexts. When the customer uses FTP from one server in one context to the other server in other context the throughput through ACE is about 23 Mbps. It is routed traffic in ACE:-( See:
server1: / #ftp server2
Connected to server2.cent.priv.
220 server2.cent.priv FTP server (Version 4.2 Wed Apr 2 15:38:27 CDT 2008) ready.
Name (server2:root):
331 Password required for root.
Password:
230 User root logged in.
ftp> bin
200 Type set to I.
ftp> put "|dd if=/dev/zero bs=32k count=5000 " /dev/null
200 PORT command successful.
150 Opening data connection for /dev/null.
5000+0 records in.
5000+0 records out.
226 Transfer complete.
163840000 bytes sent in 6.612 seconds (2.42e+04 Kbytes/s)
local: |dd if=/dev/zero bs=32k count=5000 remote: /dev/null
ftp>
The output from show resource usage doesn't show any drops:
Resource Current Peak Min Max Denied
conc-connections 0 0 800000 1600000 0
mgmt-connections 10 54 10000 20000 0
proxy-connections 0 0 104858 209716 0
xlates 0 0 104858 209716 0
bandwidth 0 46228 50000000 225000000 0
throughput 0 1155 50000000 100000000 0
mgmt-traffic rate 0 45073 0 125000000 0
connections rate 0 9 100000 200000 0
ssl-connections rate 0 0 500 1000 0
mac-miss rate 0 0 200 400 0
inspect-conn rate 0 0 600 1200 0
acl-memory 7064 7064 7082352 14168883 0
sticky 6 6 419430 0 0
regexp 47 47 104858 209715 0
syslog buffer 794624 794624 418816 431104 0
syslog rate 0 31 10000 20000 0
There is a parameter map configured with rebalance persistent for cookie insertion in the context.
Do you know how can I increase performance for TCP traffic which is not load-balanced, but routed by ACE? Thank you very much.
Roman
Default inactivity timeouts used by ACE are
icmp 2sec
tcp 3600sec
udp 120sec
With your config you will change inactivity for every protocol to 7500sec.
If you want to change the TCP timeout to 7500sec and keep the other inactivity timeouts as they are now, use the following:
parameter-map type connection GLOBAL-TCP
  set timeout inactivity 600
parameter-map type connection GLOBAL-UDP
  set timeout inactivity 120
parameter-map type connection GLOBAL-ICMP
  set timeout inactivity 2
access-list ICMP-ANY line 10 extended permit icmp any any
class-map match-all ALL-TCP
  match port tcp any
class-map match-all ALL-UDP
  match port udp any
class-map match-all ALL-ICMP
  match access-list ICMP-ANY
policy-map multi-match TIMEOUTS
  class ALL-TCP
    connection advanced GLOBAL-TCP
  class ALL-UDP
    connection advanced GLOBAL-UDP
  class ALL-ICMP
    connection advanced GLOBAL-ICMP
and apply service-policy TIMEOUTS globally
Syed Iftekhar Ahmed -
Can you do a debug of TCP sessions in a FWSM?
Hello,
Is there any debug or show command to see when the tcp connections are opened or closed in an FWSM? I know that in the current versions of ASA for this you can do a "debug tcp", but there is any command on the FWSM to do something like this?
Thanks in advance.
Hi Jeramel,
I'm not quite sure what you are looking for. Syslogs are your best bet for tracking when the FWSM creates and tears down a connection.
"show conn" will display the current connections passing through the FWSM, along with their state, and what inspections are applied to them.
"debug tcp" on the ASA is really showing some internal checks which the ASA is performing on the TCP packets. It should not be used on a loaded ASA, as it is very verbose.
What exactly are you looking to achieve?
Sincerely,
David. -
ASA5500: TCP state bypass for traffic, coming from IPsec tunnel
Hello!
We have problems on the central firewall with restricting traffic coming from a remote office over IPsec. (The network scheme is attached)
All branch offices are connected to the central ASA through IPsec.
The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel.
According to the scheme:
172.16.1.0/24 is one of the branch office LANs
10.1.1.0/24 and 10.2.2.0/24 are central office LANs
The crypto ACL looks like permit ip 172.16.1.0/24 10.0.0.0/8
The aim is to restrict access from 172.16.1.0/24 to 10.1.1.0/24.
When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok - they are dropped by acl2
When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is stateful firewall - traffic bypasses all access lists on a back path
I thought that TCP State Bypass feature can solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
The central asa 5500 is configured according to cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
class-map tcp_bypass_map
description "TCP traffic that bypasses stateful firewall"
match access-list tcp_bypass_acl
policy-map tcp_bypass_policy
class tcp_bypass_map
set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface outside
service-policy tcp_bypass_policy interface inside
Does anyone know how to make TCP State Bypass work properly?
I understand the pain of creating different crypto for different tunnels but I never came across a better solution. However, TCP state bypass is not going to help in regards to restricting access. TCP state bypass is a way for the FW to act like a router which does not do stateful inspection, and I don't think that fits in your scenario.
You can still control access on center site by using vpn-filters.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
Thanks
Ajay -
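Ajay's vpn-filter suggestion worked through for the networks in the question, as an added example that is not from the original thread; the group-policy name BRANCH-GP and the peer address 203.0.113.5 are assumed. The interface ACLs never saw the branch traffic because sysopt connection permit-vpn (on by default) lets decrypted VPN traffic bypass them, whereas a vpn-filter is checked for every packet in both directions of the tunnel.

```cisco
! Constructed example: BRANCH-GP and the peer 203.0.113.5 are placeholders.
! A vpn-filter ACL is written from the remote side's point of view
! (source = branch network, destination = central networks) and the ASA
! enforces it on both directions of the tunnel, so the "back path"
! problem from the question does not arise.
access-list BRANCH-FILTER extended deny ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list BRANCH-FILTER extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.0.0.0
! everything else through this tunnel is dropped by the implicit deny

group-policy BRANCH-GP internal
group-policy BRANCH-GP attributes
 vpn-filter value BRANCH-FILTER

! Bind the policy to this branch's L2L tunnel. To keep one point of
! control for all tunnels instead, set the same vpn-filter under
! "group-policy DfltGrpPolicy attributes", which every tunnel-group
! inherits unless it names its own policy.
tunnel-group 203.0.113.5 general-attributes
 default-group-policy BRANCH-GP

! Verify which filter a live tunnel carries (Filter Name field)
show vpn-sessiondb detail l2l
```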
Can you debug TCP sessions in a FWSM?
Hello,
Is there any debug to see the TCP connections being opened and closed in an FWSM? I know that in current ASA versions you can do a "debug tcp" for this, but is there any command on the FWSM that does something similar?
Regards.
You might have a higher chance for answers if you asked in English.
Rgds, MiKa -
Ignoring TCP handshake & Sequence Numbers for STT Traffic
Hi,
I have to pass STT traffic through a Cisco ASA (details on STT are here http://tools.ietf.org/html/draft-davie-stt).
STT traffic looks like TCP traffic (i.e. it uses IP protocol 6 and is sent to a specific destination port) but is stateless. It doesn't perform a TCP handshake, i.e. the TCP flags are used differently, and the same goes for sequence numbers.
Is there any way to disable the regular TCP handshake and sequence number checks? I saw that there might be a chance to do something for the handshake with the embryonic connection limit, but I'm not sure about the sequence numbers.
Assume ASA 8.6.
Thanks,
Ben
Hi,
You can configure TCP state bypass only for this traffic; for the rest, the firewall would check the TCP state of the packet. Here is the doc:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
Hope that helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC