Debugging TCP traffic

I have an access list as shown:
access-list 199 permit tcp host <ip address> any
What debugging command can I use so that I can see the TCP traffic from this specific list?
Thanks

Corey
There is an implicit part of the answer by Ankur, and I think it helps to make it explicit. If you add the log keyword to the access list, then you also need to apply the access list to the appropriate interface(s). And you would need to determine whether there is any interaction between this access list and any other access lists that may be applied on any interface.
I believe that you were probably looking for debug ip packet 199, as Ankur has said. This modifies the debug output so that it only shows traffic that matches the access list. This can be very effective in reducing the impact of a debug that is potentially very disruptive.
Also, if you are telnetted to a router when you do this, you will need to do terminal monitor so that you can see the debug output.
HTH
Rick
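The debug Rick describes, as an added example that is not part of the original thread, with the checks that go with it. The host address 192.0.2.10 and the interface Gi0/0 are assumed. One caveat the thread does not spell out: debug ip packet only shows packets the router process-switches, so CEF- or fast-switched transit traffic never appears in it; the ACL-logging alternative in the second half is how to see that traffic, at the price of an ACL that is now actually applied to the interface.

```cisco
! Added example, not from the original thread. Host 192.0.2.10 and Gi0/0 are assumed.
!
! 1. ACL used purely as a debug filter. It does NOT need to be applied to an
!    interface for "debug ip packet 199" to use it.
access-list 199 permit tcp host 192.0.2.10 any
!
! 2. Keep a copy of the debug output in the log buffer and show it on this vty.
logging buffered 64000 debugging
terminal monitor
!
! 3. Debug only packets matching ACL 199. "detail" adds TCP ports and flags.
!    Caveat: only process-switched packets are shown; CEF/fast-switched
!    traffic passes without appearing here.
debug ip packet 199 detail
!
! 4. Turn it off as soon as you have what you need; debugs are CPU-expensive.
undebug all
!
! Alternative that also covers switched traffic: a logging ACL applied to the
! interface. Because an applied ACL drops anything it does not permit, the
! trailing "permit ip any any" is required to keep the rest of the traffic
! flowing. "log" produces one rate-limited syslog per flow, not per packet.
access-list 198 permit tcp host 192.0.2.10 any log
access-list 198 permit ip any any
interface GigabitEthernet0/0
 ip access-group 198 in
!
! Check hit counts and the logged entries.
show access-lists 198
show logging | include 192.0.2.10
```

Only one ACL can be applied per interface per direction, so if Gi0/0 already carries an access-group the logging entry has to be merged into that ACL rather than added as a second one.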

Similar Messages

  • WAAS - Dropping TCP Traffic

    I'm having issues with TCP traffic between my edge and my core. Using L2 redirection at my edge with a 4507 (l3) and L2 redirection at my core with a 6500Sup720. I have a dedicated VLAN for my WAE's at both sites.
    I issue the 'sh tfo connection summary' on my Core WAE and I see the following:
    Local-IP:Port Remote-IP:Port ConnType
    HostAIP:45056 HostBIP:80 PT AD Int Error
    Does anyone know what the 'PT AD Int Error' indicates?

    Michael,
    We'll need to collect some additional information to determine what is going on. Can we start with the following (assuming you can reproduce the condition):
    1. Change the disk logging level to 'debug':
    conf
    logg disk prior debug
    end
    2. Enable TFO AD debugging:
    debug tfo conn auto
    3. Disable the debug:
    un all
    4. Send me the syslog.txt file from the local1 directory.
    Would it also be possible to collect a packet capture from the WAE showing this state?
    Thanks,
    Zach

  • Switch sending tcp traffic to incorrect interface

    Need help diagnosing a layer 2 networking issue. We had a report from an end user of slow file server access from his computer, but local applications were responding normally. No one else was having issues in his area. Port mirrored the employee's access port (Gi1/0/33) and noticed traffic from another computer crossing onto his port. Our design is to have one computer per port. This traffic was not intended for his computer, as it was another employee opening and closing files on the file server (file server located on another switch). Checked the MAC address table and his MAC address was the only one associated with the port. Traced the 2nd employee's MAC address to a neighboring port (Gi1/0/35). The only MAC address associated with Gi1/0/35 was the 2nd employee's. Cleared the MAC address entry for Gi1/0/33 only and the extra traffic was eliminated immediately.
    Why would a switch send tcp traffic to a port that a client does not communicate on? I asked the second employee if they noticed any issue in accessing the file server and none were reported.  Switch is a 3750x with version 12.2. 

    I've been double checking everything this morning and I feel we were not attacked. All the MAC addresses in my capture are valid system addresses. ISE does not show any authorized machines attempting to connect to the switch. We have DHCP snooping enabled throughout the organization. That was a great article to learn from, though.
    I've included a Visio of the setup and a snippet of the wire capture and ARP/MAC tables as they were captured during the incident. Traffic from the file server intended for employee 2 was flooding the port employee 1 was connected on. The destination MAC address of the packets was not employee 1's.
    Default config for both ports:
     switchport access vlan 101
     switchport mode access
     ip access-group ACL_DEFAULT in
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    Am I missing something? Was this an attack? Was it a fluke? 
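    As an added example that is not part of the thread: the commands I would use on a 3750 to confirm whether frames for a MAC that has aged out of the table are being flooded to every port in the VLAN (which is exactly what a mirrored neighbour port would see), and the per-port setting that stops unknown-unicast flooding from reaching a single-host access port. The MAC address 0011.2233.4455 stands in for employee 2's machine; the port numbers and VLAN 101 are taken from the post.

```cisco
! Added example, not from the original thread. MAC 0011.2233.4455 is assumed.
!
! Where does the switch currently think employee 2's MAC lives, if anywhere?
! No entry means frames to it are flooded to every port in VLAN 101.
show mac address-table address 0011.2233.4455
show mac address-table dynamic interface GigabitEthernet1/0/33
!
! Dynamic entries age out (default 300 s); a host that only receives and
! rarely sends can drop out of the table while traffic to it continues.
show mac address-table aging-time vlan 101
!
! Stop unknown-unicast flooding from being delivered on this edge port.
! Appropriate for a one-host access port; do not apply to trunks or uplinks.
interface GigabitEthernet1/0/33
 switchport block unicast
!
! Verify: the switchport summary reports "Unknown unicast blocked: enabled".
show interfaces GigabitEthernet1/0/33 switchport | include Unknown
```

    Blocking unknown unicast does not change what the switch learns; it only prevents the flooded copies from reaching that port, so a mirror on Gi1/0/33 afterwards shows only frames actually addressed to (or sent by) the host on it.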

  • The access to our new chess hall may be blocked by your local firewall. You would need to reconfigure your firewall to open port 15010 for TCP traffic.

    How do I do the following so I can get into my chess program??
    The access to our new chess hall may be blocked by your
    local firewall. You would need to reconfigure your firewall to open port 15010
    for TCP traffic.

    This is not really Firefox related.
    What you need to do here is to read the firewall manual which usually explains how to create a rule for what you want to do.
    If you're using the Windows XP firewall, see this Microsoft article: http://windows.microsoft.com/en-US/windows-vista/Firewall-frequently-asked-questions

  • IPhone app to intercept TCP traffic

    Hi,
    I would like to write an app for iPhone that will run in background and intercept all TCP traffic on iPhone generated by Safari browser.
    Is it possible to write such an app? Any relevant links or articles would be much appreciated.
    Anyone aware of similar app that runs on normal iPhone (not jailbreak)?
    Thanks.
    Ambi.

    >intercept all TCP traffic on iPhone generated by Safari browser.
    Your app does not have access outside of its own sandbox... it's a privacy thing, and a good one too.

  • Constant TCP traffic on LAN

    I'm getting constant TCP traffic between my computer (192.168.1.101) and the Linksys wireless -G router gateway (192.168.1.1). I used Wireshark to inspect the traffic, and various "agents" on various ports are pushing data to park-agent on port 5431. Each time I start Wireshark, I seem to get a different agent sending data to park-agent:
    taurus-wh (port 1610)
    commonspace (1592)
    danf-ak2 (1041)
    tripwire (1169)
    bmc-patiddb (1313)
    I don't know how to fix this. Any help much appreciated. Thanks.

    http://www.pc-library.com/ports/tcp-udp-port/5431/ indicates this port may be used by Trojan.Win32.Vaklik.dr. I would advise making sure your Anti Virus/Anti Malware software is up to date, run a full system scan, and see if the problem stops. If not, you should seek help either from your AV software vendor, or from one of the numerous security sites on the internet.

  • Slow tcp traffic over ge0 interface

    I have a server that, while using ge0 for UDP traffic, uses the full bandwidth, but for TCP it is slow as hell... ttcp is showing how slow it is, into the kbps rather than mbps. I want to know if there is a specific patch to fix this.


  • Debugging HTTP traffic from iPad with Charles

    Here's a great tip on how to use Charles on your Mac or PC to proxy HTTP traffic from your iPad so you can debug it.
    http://www.ravelrumba.com/blog/ipad-http-debugging/

    Talking of debugging iPad, and Flash apps specifically, I only recently tried out the "Quick publishing for device debugging" option. When you do that, and run the app on the device, you can set Flash to be in a remote debugging session, and on the app screen you type in the IP address of your computer. You can then debug the running app in just the same way you would debug a swf running in your desktop browser. You don't even have to be connected by USB, it works across the wireless network.

  • Displaying client tcp traffic

    I want to see what my associated users are connecting to [ip address] and what tcp port.
    I see a command that is close to what I'm looking for....show tcp brief. This is what I get:
    TCB Local Address Foreign Address (state)
    00B1063C 10.1.1.15.23 laptop.am.4823 ESTAB
    [This shows my laptop hitting the AP on port 23.]
    The problem is that this is from the AP perspective, I'm looking for connection details from a user perspective.
    Does anyone know if this is possible and if so what command would accomplish this?

    You will want to look into NetFlow.
    There are several commercial apps that do this, as well as open source apps such as ntop.
    You can also get such info, along with even more detail, using sniffer software.
    The Cisco wireless system has the ability to feed a sniffer app from the wireless directly.
    If you are using a 4.x WLC, you can feed it to AiroPeek; if you are using 5.x and above, you can point it at Wireshark.
    http://www.cisco.com/en/US/docs/wireless/controller/4.2/command/reference/cli42c1.html#wp2465366

  • Set tcp ip debug issue! doesn't log!

    Hi,
    I have tried to debug TCP/IP traffic, but the usual logging doesn't work. I set the debugger to 1, use the net, set it to 0, unload conlog and view the conlog file, but it doesn't show any traffic at all. It only logs the commands executed on the system screen.
    Currently NW 6.0 SP3 on both servers (BM + fileserver).
    I tried to find something on it on Craig's site, but there was a mention from last year that it had a bug that should be fixed with SP1.
    Help appreciated,
    Dom
    Dominicus B
    architect
    Finland
    www.abrakadabra.fi

    DomincusB wrote:
    > Save the screen to a file?
    >
    Yes, press F1 on the logger screen and see the help content. F2 should save to a file. With the latest patches for NetWare, you can specify the file location and name as well.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Slow TCP performance for traffic routed by ACE module

    Hi,
    the customer uses two ACE20 modules in active-standby mode. The ACE load-balances servers correctly. But there is a problem with communication between servers in the different ACE contexts. When the customer uses FTP from one server in one context to the other server in other context the throughput through ACE is about 23 Mbps. It is routed traffic in ACE:-(  See:
    server1: / #ftp server2
    Connected to server2.cent.priv.
    220 server2.cent.priv FTP server (Version 4.2 Wed Apr 2 15:38:27 CDT 2008) ready.
    Name (server2:root):
    331 Password required for root.
    Password:
    230 User root logged in.
    ftp> bin
    200 Type set to I.
    ftp> put "|dd if=/dev/zero bs=32k count=5000 " /dev/null
    200 PORT command successful.
    150 Opening data connection for /dev/null.
    5000+0 records in.
    5000+0 records out.
    226 Transfer complete.
    163840000 bytes sent in 6.612 seconds (2.42e+04 Kbytes/s)
    local: |dd if=/dev/zero bs=32k count=5000  remote: /dev/null
    ftp>
    The output from show resource usage doesn't show any drops:
    Resource                 Current       Peak        Min        Max     Denied
    conc-connections              0          0     800000    1600000          0
    mgmt-connections             10         54      10000      20000          0
    proxy-connections             0          0     104858     209716          0
    xlates                        0          0     104858     209716          0
    bandwidth                     0      46228   50000000  225000000          0
      throughput                  0       1155   50000000  100000000          0
      mgmt-traffic rate           0      45073          0  125000000          0
    connections rate              0          9     100000     200000          0
    ssl-connections rate          0          0        500       1000          0
    mac-miss rate                 0          0        200        400          0
    inspect-conn rate             0          0        600       1200          0
    acl-memory                 7064       7064    7082352   14168883          0
    sticky                        6          6     419430          0          0
    regexp                       47         47     104858     209715          0
    syslog buffer            794624     794624     418816     431104          0
    syslog rate                   0         31      10000      20000          0
    There is a parameter map configured with persistence rebalance for cookie insertion in the context.
    Do you know how can I increase performance for TCP traffic which is not load-balanced, but routed by ACE? Thank you very much.
    Roman

    Default inactivity timeouts used by ACE are
    icmp 2sec
    tcp 3600sec
    udp 120sec
    With your config you will change inactivity for every protocol to 7500 sec. If you want to change the TCP timeout to 7500 sec and keep the other inactivity timeouts as they are now, use the following:
    parameter-map type connection GLOBAL-TCP
    set timeout inactivity 7500
    parameter-map type connection GLOBAL-UDP
    set timeout inactivity 120
    parameter-map type connection GLOBAL-ICMP
    set timeout inactivity 2
    access-list ICMP-ANY line 10 extended permit icmp any any
    class-map match-all ALL-TCP
    match port tcp any
    class-map match-all ALL-UDP
    match port udp any
    class-map match-all ALL-ICMP
    match access-list ICMP-ANY
    policy-map multi-match TIMEOUTS
    class ALL-TCP
    connection advanced GLOBAL-TCP
    class ALL-UDP
    connection advanced GLOBAL-UDP
    class ALL-ICMP
    connection advanced GLOBAL-ICMP
    and apply service-policy TIMEOUTS globally
    Syed Iftekhar Ahmed

  • Can you do a debug of TCP sessions in a FWSM?

    Hello,
    Is there any debug or show command to see when the tcp connections are opened or closed in an FWSM? I know that in the current versions of ASA for this you can do a "debug tcp", but there is any command on the FWSM to do something like this?
    Thanks in advance.

    Hi Jeramel,
    I'm not quite sure what you are looking for. Syslogs are your best bet for tracking when the FWSM creates and tears down a connection.
    "show conn" will display the current connections passing through the FWSM, along with their state, and what inspections are applied to them.
    "debug tcp" on the ASA is really showing some internal checks which the ASA is performing on the TCP packets. It should not be used on a loaded ASA, as it is very verbose.
    What exactly are you looking to achieve?
    Sincerely,
    David.
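    A worked version of David's advice, as an added example that is not in the original thread: the FWSM/ASA logging configuration that records every TCP connection build and teardown (syslog IDs 302013 and 302014, both severity 6 informational) without running a debug. The collector address 10.1.1.50 on the inside interface is assumed.

```cisco
! Added example, not from the original thread. Collector 10.1.1.50 is assumed.
!
logging enable
logging timestamp
! 302013 = "Built ... TCP connection", 302014 = "Teardown TCP connection".
! Both are severity 6 (informational); buffer at least that level.
logging buffered informational
!
! Keep only the connection messages on the wire to the collector so the
! informational level does not flood it with everything else at that severity.
logging list CONN-EVENTS message 302013-302014
logging host inside 10.1.1.50
logging trap CONN-EVENTS
!
! Live view of the connection table with per-flow state flags, then the log.
! 30201 also matches 302015/302016, the UDP build/teardown messages.
show conn detail
show logging | include 30201
```

    The build message carries the interfaces, addresses, ports and the connection ID; the teardown message repeats the ID, the duration, the byte count and the reason (TCP FINs, TCP Reset-I, SYN Timeout, and so on), which is usually the detail a debug was being reached for in the first place.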

  • ASA5500: TCP state bypass for traffic, coming from IPsec tunnel

    Hello!
    We have problems on the central firewall with restricting traffic coming from a remote office over IPsec. (The network scheme is attached.)
    All branch offices are connected to the central ASA through IPsec.
    The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel.
    According to the scheme:
    172.16.1.0/24 is one of the branch office LANs
    10.1.1.0/24 and 10.2.2.0/24 are the central office LANs
    The crypto ACL looks like  permit ip 172.16.1.0/24 10.0.0.0/8
    The aim is to
    restrict access from 172.16.1.0/24 to 10.1.1.0/24
    When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok - they are dropped by acl2
    When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is the stateful firewall - traffic bypasses all access lists on the back path
    I thought that the TCP State Bypass feature could solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
    The central asa 5500 is configured according to cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
    access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    class-map tcp_bypass_map
    description "TCP traffic that bypasses stateful firewall"
    match access-list tcp_bypass_acl
    policy-map tcp_bypass_policy
    class tcp_bypass_map
    set connection advanced-options tcp-state-bypass
    service-policy tcp_bypass_policy interface outside
    service-policy tcp_bypass_policy interface inside
    Does anyone know how to make TCP State Bypass work properly?

    I understand the pain of creating different crypto for different tunnels, but I never came across a better solution. However, TCP state bypass is not going to help in regards to restricting access. TCP state bypass is a way for the FW to act like a router which does not do stateful, and I don't think that fits in your scenario.
    You can still control access on center site by using vpn-filters.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
    Thanks
    Ajay
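    Ajay's vpn-filter suggestion as an added configuration example, not part of the original thread. The peer address 198.51.100.2 and the object names are assumptions. The reason the branch-to-central packets sail past the interface ACLs is not the state table: with the default sysopt connection permit-vpn, the ASA does not run decrypted IPsec traffic through the interface access lists at all, and vpn-filter is the hook that does apply to it. Two points to get right: the filter ACL is written with the remote (branch) network as source and the local network as destination, and the ASA applies the same ACL to both directions of the tunnel.

```cisco
! Added example, not from the original thread. Peer 198.51.100.2 and the
! BRANCH1-* names are assumed; the crypto ACL stays "permit ip 172.16.1.0/24 10.0.0.0/8".
!
! vpn-filter ACLs are written from the tunnel's point of view: source is the
! remote network, destination is local. One ACL covers both directions.
access-list BRANCH1-FILTER extended deny ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list BRANCH1-FILTER extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.0.0.0
!
group-policy BRANCH1-GP internal
group-policy BRANCH1-GP attributes
 vpn-filter value BRANCH1-FILTER
!
! For a LAN-to-LAN tunnel the tunnel-group is named after the peer address.
tunnel-group 198.51.100.2 general-attributes
 default-group-policy BRANCH1-GP
!
! Verify the filter is attached to the session and is accumulating hits.
show vpn-sessiondb l2l
show access-list BRANCH1-FILTER
```

    The other way to get interface ACLs to apply to tunnel traffic is "no sysopt connection permit-vpn", but that changes the behaviour for every tunnel on the box at once and needs explicit permits for all VPN traffic on the outside interface ACL; a per-tunnel vpn-filter keeps the blast radius to one branch.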

  • Can you debug TCP sessions on an FWSM?

    Hello,
    Is there any debug to see the TCP connections being opened and closed on an FWSM? I know that on current ASA versions
    you can do a "debug tcp" for this, but is there any command on the FWSM that does something similar?
    Regards.

    You might have a higher chance for answers if you asked in english.
    Rgds,  MiKa

  • Ignoring TCP handshake & Sequence Numbers for STT Traffic

    Hi,
    I have to pass STT traffic through a Cisco ASA (details on STT are here http://tools.ietf.org/html/draft-davie-stt).
    STT traffic looks like TCP traffic (i.e. it uses IP protocol 6 and is sent to a specific destination port) but is stateless. It doesn't perform a TCP handshake, i.e. the TCP flags are used differently, and the same goes for sequence numbers.
    Is there any way to disable the regular TCP handshake and sequence number checks? I saw that there might be a chance to do something for the handshake with the embryonic connection limit, but I'm not sure about the sequence numbers.
    Assume ASA 8.6.
    Thanks,
    Ben

    Hi,
    You can configure TCP state bypass only for this traffic; for the rest, the firewall would still check the TCP state of the packet. Here is the doc:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
    Hope  that helps.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC
