Packet Capture on an EVC (service instance)
Hi all,
I am trying to capture packets on an ASR. I have tried the monitor sess type command and specified the source VLAN, but no traffic is captured.
Does anyone know how to do this?
Is it possible?
cheers
Kev
Hello Kev
You can do it via ERSPAN. You will get the CLI for the service instance in the XE 3.5 image due in November, I guess...
Cheers!!!
Vinit
Similar Messages
-
Q-in-Q on an EVC/Service Instance
Hi
I want to take a bunch of VLANs from an interface, trunk them through my network, and spit them out on another end. Sounds like simple Q-in-Q to me.
Problem is one end is a 3600X, and the other is a 4900M. The 4900M is simple. The problem I have is with the 3600X and the EVC. Let's say I want to take VLAN 10 from a customer, and carry it on my network as VLAN 100. I will take them from a port on my 3600X and then carry VLAN 100 along with another bunch of unrelated VLANs through my network.
Can I configure a service instance on the customer-facing port encapsulating their VLANs (let's say VLAN 10 for this example), then carry the internal VLAN (100) through on my trunks?
Example, 3600X:
interface GigabitEthernet0/1
 description FACING CUSTOMER NETWORK
 switchport trunk allowed vlan none
 switchport mode trunk
 service instance 1 ethernet
  encapsulation dot1q 10
  bridge-domain 100
interface GigabitEthernet0/2
 description FACING SERVICE PROVIDER CLOUD
 switchport trunk allowed vlan 100
 switchport mode trunk
Then the 4900M will be:
interface GigabitEthernet0/1
 description FACING CUSTOMER NETWORK
 switchport access vlan 100
 switchport mode dot1q-tunnel
interface GigabitEthernet0/2
 description FACING SERVICE PROVIDER CLOUD
 switchport trunk allowed vlan 100
 switchport mode trunk
This doesn't work. I've tried various configs on the 3600 but can't get it working. I am not sure how to configure the EVC properly; on the 3600X I suspect I also have to configure a service instance on the trunk facing into the cloud? This unfortunately isn't preferable, as I want this to function as a basic, normal trunk (it has about 50 other VLANs on it).
Cheers for any help!
Not sure about the 4900M, I would have to test it, but on an ME switch I believe you would have to push a tag, because it seems you don't care which VLAN it comes in on.
So, for example, your encapsulation would be anything:
service instance 1 ethernet
 encapsulation dot1q 1-4094
 rewrite ingress tag push dot1q 100 symmetric
This would push a second VLAN (100) onto a tagged frame that reaches the port.
The symmetric keyword would pop it when sending out of that interface, so the inner VLAN would be kept. -
Java packet capturing libraries ... ?
Hi All,
Actually, I need to write some packet capturing code on Solaris. I have tried the Jpcap library, but there are some compilation issues on Solaris.
Is there any other library which I can use for packet capturing except Jpcap?
thanks
tcpdump
hhhmmmmm... it actually can't work for me ....
I am using the package "ch.ethz.ssh2" for SSH because I have to SSH to another server and run the snoop command on it.
Ok, let's look at this code. Can we find anything else for me?
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.File" %>
<%@ page import="java.io.IOException" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="ch.ethz.ssh2.Connection" %>
<%@ page import="ch.ethz.ssh2.Session" %>
<%@ page import="ch.ethz.ssh2.StreamGobbler" %>
<%@ page import="java.io.BufferedWriter" %>
<%@ page import="java.io.OutputStreamWriter" %>
<%@ page import="java.io.PrintWriter" %>
<%@ page import="ch.ethz.ssh2.SCPClient" %>
<%@ page import="ch.ethz.ssh2.SFTPv3Client" %>
<%@ page import="java.util.*" %>
<%@ page import="java.io.FileInputStream" %>
<%@ page import="java.io.BufferedInputStream" %>
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>JSP Page</title>
</head>
<%
String hosts = request.getParameter("hostname");
String packets = request.getParameter("packets");
String q = request.getParameter("q");
String str = "";
String hostname = "127.1.1.1";
String username = "root";
File keyfile = new File("/root/ssh/id_dsa"); // or "~/.ssh/id_dsa"
String keyfilePass = "pass";
try {
    /* Create a connection instance */
    Connection conn = new Connection(hostname);
    /* Now connect */
    conn.connect();
    /* Authenticate */
    boolean isAuthenticated = conn.authenticateWithPublicKey(username, keyfile, keyfilePass);
    if (isAuthenticated == false)
        throw new IOException("Authentication failed.");
    /* Create a session */
    Session sess = conn.openSession();
    /* Note: "packets" and "hosts" are taken straight from the HTTP request and
       spliced into the remote shell command line without any validation. */
    sess.execCommand("snoop -d bge0 -o /export/myhome/file.cap -c " + packets + " host " + hosts + " ");
    InputStream stdout = new StreamGobbler(sess.getStdout());
    BufferedReader br = new BufferedReader(new InputStreamReader(stdout));
    System.out.println("Here is some information about the remote host:");
    while (true) {
        String line = br.readLine();
        if (line == null)
            break;
        System.out.println(line);
    }
    /* Close this session */
    sess.close();
    /* Close the connection */
    conn.close();
} catch (IOException e) {
    e.printStackTrace(System.err);
    //System.exit(2);
}
%>
</html>
The problem with this code is that when it reaches the line below, the command starts running on the remote server until it has captured the requested number of packets:
sess.execCommand("snoop -d bge0 -o /export/myhome/file.cap -c " + packets + " host " + hosts + " ");
What I want to do is run that command for some time, for example 10 minutes, but unfortunately there is no time argument for the snoop command, so I can't exit the command on a time basis ....
Any suggestions how I can fix that problem? -
Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches
With Rahul Rammanohar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
• 7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
• ASR9k: network processor capture
• 7200/ISRs: embedded packet capture
• Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
• Cisco Nexus 7K: ELAM
• CRS: show captured packets
• ASR1K: embedded packet capture
More Information
Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
Watch the Video: https://supportforums.cisco.com/videos/6226
Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service.
Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.
Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Hello Erick
Thanks for the topology. The trigger will be different for labelled packets, as you would need to mention the values of the labels too in the trigger.
Below are two examples with one or two labels being used; it depends on where you are capturing the packet in the MPLS VPN scenario, which decides the number of labels imposed on the packet.
Trigger for one label (if PHP is being performed on the router on which you are capturing the packet):
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
Trigger for two labels (for other core routers):
IGP label - 1234
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
You can check the labels being used (by using show ip cef <> details), convert their values to hex and change the trigger accordingly.
I have changed the colors for better understanding. If you look carefully at the trigger, the values for the IP addresses and labels have just been converted to their respective hex values, which can be replaced.
Please let me know if this helps.
Thanks & Regards
Hitesh & Rahul -
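The two triggers above can be generated rather than hand-assembled. What follows is an added example (not Cisco's code, nor the experts'): it lays the packet out the way the DBUS trigger compares it, 12 don't-care MAC bytes, EtherType 0x8847, one 4-byte header per label with only the 20 label bits masked in, then the IPv4 header with just the two addresses masked in, and emits the same words as the replies above. The frame builder, MAC addresses and header values used for checking are constructed sample data.

```python
"""Build a Catalyst 6500/7600 ELAM DBUS trigger for an MPLS-encapsulated IPv4
packet from the label stack and the inner source/destination addresses, and
apply the same data/mask comparison to a frame.  Added example; the layout is
the one implied by the hand-built triggers in the reply above."""
import ipaddress
import struct

ETHERTYPE_MPLS = 0x8847


def frame_template(labels, src_ip, dst_ip):
    """Return (data, mask) bytes laid out like the frame on the wire:
    12 MAC bytes, EtherType, one 4-byte MPLS header per label, then the IPv4
    header whose source/destination addresses sit at offsets 12 and 16."""
    data, mask = bytearray(12), bytearray(12)           # MAC addresses: don't care
    data += struct.pack("!H", ETHERTYPE_MPLS)
    mask += b"\xff\xff"
    for label in labels:
        if not 0 <= label < (1 << 20):
            raise ValueError("MPLS label must fit in 20 bits: %r" % label)
        data += struct.pack("!I", label << 12)          # label in the top 20 bits, EXP/S/TTL zero
        mask += b"\xff\xff\xf0\x00"                     # match the label bits only
    data += bytes(12)                                   # IPv4 header up to the addresses
    mask += bytes(12)
    data += ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    mask += b"\xff" * 8
    return bytes(data), bytes(mask)


def to_words(buf, upper):
    """Split into big-endian 32-bit words in the CLI's notation (zero words as '0')."""
    buf += bytes(-len(buf) % 4)                         # pad the last word
    fmt = "0x%08X" if upper else "0x%08x"
    return ["0" if w == 0 else fmt % w for (w,) in struct.iter_unpack("!I", buf)]


def elam_trigger(labels, src_ip, dst_ip):
    """The full 'show platform capture elam trigger' line for this label stack."""
    data, mask = frame_template(labels, src_ip, dst_ip)
    return ("show platform capture elam trigger dbus others if data = %s [ %s ]"
            % (" ".join(to_words(data, True)), " ".join(to_words(mask, False))))


def trigger_matches(frame, labels, src_ip, dst_ip):
    """True when a frame (bytes) would fire this trigger: compare under the mask."""
    data, mask = frame_template(labels, src_ip, dst_ip)
    if len(frame) < len(data):
        return False
    return all((f & m) == (d & m) for f, d, m in zip(frame, data, mask))


def sample_frame(labels, src_ip, dst_ip, exp=5, ttl=64):
    """Constructed test frame with non-zero EXP/S/TTL and made-up MACs, to show
    that the mask ignores everything except the labels and the addresses."""
    hdr = bytes.fromhex("0000c0a8010100005e000101") + struct.pack("!H", ETHERTYPE_MPLS)
    for i, label in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0
        hdr += struct.pack("!I", (label << 12) | (exp << 9) | (bottom << 8) | ttl)
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 40, 1, 0, ttl, 6, 0)   # checksum left at 0
    ip += ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    return hdr + ip + bytes(20)                                   # 20 bytes of TCP header


if __name__ == "__main__":
    print(elam_trigger([5678], "111.111.111.111", "123.123.123.123"))
    print(elam_trigger([1234, 5678], "111.111.111.111", "123.123.123.123"))
```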
ME3600-ME3800: service-instance & bridge-domain syntax
Hello,
What is the best practice for the configuration of L3VPN on Cisco ME3XXX?
Old Syntax:
interface GigabitEthernet0/1
 switchport trunk allowed vlan none
 switchport mode trunk
 service instance 2 ethernet
  encapsulation dot1q 3
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
interface vlan 4
 vrf forwarding L3VPN-1
 ip address 2.2.2.1 255.255.255.0
New Syntax:
interface GigabitEthernet0/1
 switchport trunk allowed vlan none
 switchport mode trunk
 service instance 2 ethernet
  encapsulation dot1q 3
  rewrite ingress tag pop 1 symmetric
bridge-domain 4
 member GigabitEthernet0/1 service-instance 2
interface vlan 4
 vrf forwarding L3VPN-1
 ip address 2.2.2.1 255.255.255.0
The new syntax is very much similar to the new syntax for L2VPN, see:
http://www.cisco.com/en/US/docs/switches/metro/me3600x_3800x/software/design/guide/ME3600x_Design_Guide.pdf
I'm soon sending some more ME3600s into the field, so I'd like to start right.
Best Regards
Andrea
Hello.
You might have confused service instance configuration with the usual switchport mode trunk.
Please refer to figure 11-10 in the document http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/12-2_52_ey/configuration/guide/3800x3600xscg/swevc.html
But there is a typo: per the description it should be "enc dot1q 20" under service instance (on the picture).
Also under Figure 11-2 we have the following example:
QinQ is also supported when sending packets between an EFP and a switchport trunk, because the switchport trunk is implicitly defined as rewrite ingress tag pop 1 symmetric. The same external behavior as Method 1 can be achieved with this configuration:
Switch (config)# interface gigabitethernet0/1
Switch (config-if)# service instance 1 Ethernet
Switch (config-if-srv)# encapsulation dot1q 1-100
Switch (config-if-srv)# bridge-domain 30
Switch (config)# interface gigabitethernet0/2
Switch (config-if)# switchport mode trunk
Again, service instance 1 on Gigabit Ethernet port 0/1 is configured with the VLAN encapsulations used by the customer: C-VLANs 1-100. These are forwarded on bridge-domain 30. The service provider facing port is configured as a trunk port. The trunk port implicitly pushes a tag matching the bridge-domain that the packet is forwarded on (in this case S-VLAN 30). -
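To make the push/pop behaviour concrete, here is an added simulation (written for this page, not Cisco code) of the rules discussed in the Q-in-Q question, the ME3600 L3VPN syntax above and the Figure 11-2 excerpt: an EFP matches on its encapsulation and applies its symmetric rewrite, and a trunk behaves as an implicit 'rewrite ingress tag pop 1 symmetric' keyed on the outer VLAN. Port names and the flood-everything forwarding model are assumptions of the example.

```python
"""Simulate 802.1Q tag handling across ME3600X-style EVC service instances
(EFPs) and classic switchport trunks, to show where tags are pushed or popped.
Added example, not Cisco code.  A frame is modelled as just its list of VLAN
IDs, outermost first; MAC learning is not modelled (frames are flooded)."""


class Efp:
    """'service instance N ethernet': encapsulation match, optional rewrite, bridge-domain."""

    def __init__(self, port, encap, bridge_domain, pop=0, push=None):
        self.port, self.encap, self.bd = port, encap, bridge_domain  # encap: set or "untagged"
        self.pop, self.push = pop, push   # rewrite ingress tag pop 1 / push dot1q V (symmetric)
        if pop not in (0, 1) or (pop and len(encap) != 1):
            raise ValueError("pop 1 symmetric needs a single-VLAN encapsulation")

    def matches(self, tags):
        if self.encap == "untagged":
            return not tags
        return bool(tags) and tags[0] in self.encap

    def ingress(self, tags):
        tags = tags[self.pop:]                            # pop the outer tag
        if self.push is not None:
            tags = [self.push] + tags                     # push the configured tag
        return self.bd, tags

    def egress(self, bd, tags):
        if bd != self.bd:
            return None                                   # not a member of this bridge-domain
        if self.push is not None:                         # symmetric: undo the push
            if not tags or tags[0] != self.push:
                return None
            tags = tags[1:]
        if self.pop:                                      # symmetric: restore the popped tag
            tags = [next(iter(self.encap))] + tags
        return tags


class Trunk:
    """'switchport mode trunk' with an allowed list: implicitly 'rewrite ingress tag
    pop 1 symmetric', the outer VLAN selecting the bridge-domain of the same number."""

    def __init__(self, port, allowed):
        self.port, self.allowed = port, set(allowed)

    def matches(self, tags):
        return bool(tags) and tags[0] in self.allowed

    def ingress(self, tags):
        return tags[0], tags[1:]                          # outer VLAN = bridge-domain, popped

    def egress(self, bd, tags):
        return [bd] + tags if bd in self.allowed else None   # push the S-VLAN back on


def forward(members, in_port, tags):
    """Flood one frame arriving on in_port through its bridge-domain; returns {port: tags}."""
    entry = next((m for m in members if m.port == in_port and m.matches(tags)), None)
    if entry is None:
        return {}                                         # nothing matched: frame dropped
    bd, inner = entry.ingress(tags)
    out = {}
    for m in members:
        if m.port != in_port:
            egressed = m.egress(bd, inner)
            if egressed is not None:
                out[m.port] = egressed
    return out


def qinq_scenario():
    """Q-in-Q question: C-VLAN 10 on Gi0/1 carried as S-VLAN 100 on the Gi0/2 trunk."""
    members = [Efp("Gi0/1", {10}, bridge_domain=100), Trunk("Gi0/2", {100})]
    to_core = forward(members, "Gi0/1", [10])["Gi0/2"]            # [100, 10]
    to_customer = forward(members, "Gi0/2", [100, 10])["Gi0/1"]   # [10]
    return to_core, to_customer


def figure_11_2_scenario():
    """EFP 'encapsulation dot1q 1-100' into bridge-domain 30, trunk on Gi0/2."""
    members = [Efp("Gi0/1", set(range(1, 101)), 30), Trunk("Gi0/2", {30})]
    return forward(members, "Gi0/1", [42])["Gi0/2"]               # [30, 42]


def l3vpn_scenario():
    """'encapsulation dot1q 3' + 'rewrite ingress tag pop 1 symmetric' + bridge-domain 4:
    the frame reaches the bridge-domain (and SVI 4) untagged; replies get VLAN 3 back."""
    efp = Efp("Gi0/1", {3}, 4, pop=1)
    bd, inner = efp.ingress([3])
    return bd, inner, efp.egress(bd, [])                          # (4, [], [3])


def push_scenario():
    """'encapsulation dot1q 1-4094' + 'rewrite ingress tag push dot1q 100 symmetric'."""
    efp = Efp("Gi0/1", set(range(1, 4095)), 100, push=100)
    bd, inner = efp.ingress([10])
    return inner, efp.egress(bd, inner)                           # ([100, 10], [10])
```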
Service instance command is not as documented
Hi,
I use a Cisco 7609 with IOS 15.0(1)S1 and an ES+ module.
I try to configure a service instance, but the only commands I get are:
Router-1(config-if)#ser insta 22 eth
Router-1(config-if-srv)#?
Ethernet EFP configuration commands:
default Set a command to its defaults
ethernet Configure ether lmi parameters
exit Exit from ETHER EFP configuration mode
no Negate a command or set its defaults
I need the "encapsulation ... " command.
Could someone explain what the problem is? The ES+ module supports EVC-style configuration and Cisco's official documentation claims that the above-mentioned command IS supported.
Thanks,
Yoav.
Hello Yoav
Yes indeed, it should be supported. Is it possible to try a different IOS if it is a lab router?
NPE-1(config-if)#ser in 10 ethernet
NPE-1(config-if-srv)#?
Ethernet EFP configuration commands:
default Set a command to its defaults
description Service instance specific description
encapsulation Configure ethernet frame match criteria
errdisable Configure error disable
ethernet ethernet
exit Exit from ETHER EFP configuration mode
group Join a service group
ip Interface Internet Protocol config commands
l2protocol Configure l2 control protocol processing
mac Commands for MAC Address-based features
no Negate a command or set its defaults
service-policy Attach a policy-map to an EFP
shutdown Take the Service Instance out of Service
snmp Modify SNMP service instance parameters
weight Assign a weight to an EFP
NPE-1(config-if-srv)#
Regards
Sherif Ismail -
ME 3800 X - QinQ across service instance
I have set up a test rig of ME-3800-X.
I use MPLS and QinQ.
EoMPLS for pseudowire is OK in the test rig.
QinQ also.
In fact, everything is OK.
But in the documentation it is not said that we can forward QinQ frames across a service instance.
Header:vlan+eth+data >>ingress 3800 -A >> evc bridge-domain 100 >>>>>> Vlan 100 and rewrite imposition and Xconnect to B>>
egress 3800 -A >> Eompls+QinQ+Vlan+eth+data >>>>
|
|
BACKBONE MPLS
|
|
>>>ingress 3800- B >>>> Vlan 100 (not rewrite) + xconnect to A >>>> evc bridge-domain 100 >>>>egress 3800 - B > Header QinQ+ETH+DATA
It has QinQ frames within the bridge domain, not VLAN frames.
Question:
Can I do this even if the documentation does not indicate it?
Thanks for your comments.
I am French, sorry for my bad English.
Cdlt,
Hello Cdlt.
But what is the question? Is it something like "how come my setup is working even though my configuration does not match the guide?"
Is that the one?
Also, does it work when your config matches the EVC guide instead (the one in green in your PDF)?
A quick note is that even if the configuration does not match the guide, the final result is the same, as you moved the pop operation of the outermost dot1q tag from the ingress PE (the one on top) to the egress one by configuring 'platform rewrite imposition tag push 1 symmetric' on the SVIs.
So whether you strip the QinQ tag on ingress or on egress, the frame looks the same when the last MPLS label is popped.
Does this answer your question, or am I still missing the point?
Riccardo -
Service instance and trunk ports
Hi, I have the following configuration:
interface Port-channel1
 description SHN-AX1-1-2-CNRY
 switchport trunk allowed vlan none
 switchport mode trunk
 load-interval 30
 no keepalive
 service instance 1 ethernet
  encapsulation untagged
  l2protocol peer lacp
  bridge-domain 1
 service instance 2 ethernet
  description IDP_VLAN_2
  encapsulation dot1q 2
  bridge-domain 3998
 service instance 3 ethernet
  description BBR_VLAN
  encapsulation dot1q 420
  bridge-domain 3998
 service instance 4 ethernet
  description MGMT_VLAN
  encapsulation dot1q 95
  bridge-domain 3998
 service instance 5 ethernet
  description STATIC_VLAN
  encapsulation dot1q 3641,3644,3777,3291
  bridge-domain 3998
 service instance 6 ethernet
  description SME_VLAN
  encapsulation dot1q 2098,2339
  bridge-domain 3998
interface GigabitEthernet0/1
 switchport trunk allowed vlan none
 switchport mode trunk
 channel-group 1 mode on
interface GigabitEthernet0/2
 switchport trunk allowed vlan none
 switchport mode trunk
 channel-group 1 mode on
interface Port-channel12
 description SHN-AGG-BX1
 switchport trunk allowed vlan 34,50,76,3998
 switchport mode trunk
 mtu 9000
interface GigabitEthernet0/23
 switchport trunk allowed vlan 34,3998
 switchport mode trunk
 mtu 9000
 channel-group 12 mode active
interface GigabitEthernet0/24
 switchport trunk allowed vlan 34,3998
 switchport mode trunk
 mtu 9000
 channel-group 12 mode active
The input interfaces are GigabitEthernet0/1 and GigabitEthernet0/2 and the output interfaces are GigabitEthernet0/23 and GigabitEthernet0/24.
The ingress traffic at the input port has a single tag and the ingress traffic at the output port has two tags.
Please explain to me where the tags would be pushed/popped and why.
thank you.
-
Service-name meaning in the service instance command
Hi,
In the Cisco 7600 we have the following command to configure a service instance:
service instance id ethernet [service-name]
Searching for information on the meaning of the service-name option, I didn't find anything.
Do you know what service-name does and when (or why) it might be configured?
Often the service instance configuration is
service instance 100 ethernet
without any service-name.
thx
Riccardo
Hi,
Router(config-if-srv)#service instance id {Ethernet [service-name]}
Creates a service instance (instantiation of an EVC) on an interface. It puts the device into the config-if-srv sub-mode.
http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a00807f3f7e.html -
Hi.
I would like to know if there is a command to see traffic throughput over a service instance?
Thank you
-
Pulling packet capture from IPS device
I work for an MSP (Managed Services Provider). We are currently evaluating CSM for management of 50 IPS/IDSM devices. To make analysis more effective, we want to be able to pull the packet capture from the device. We have our own correlation engine, so we do not need MARS. We want to grab the packet and then put a copy into our ticketing system so the analyst has the data right in front of them.
Is the IP Log directory where the packet capture data is kept? Has anyone ever tried this before? What are the performance/health concerns with enabling packet captures for just high-severity signatures? Does the IP log directory really "clean" itself out after a certain period of time?
There are 4 event actions that can be used to capture packets.
The produce-verbose-alert event action will encode the trigger packet as part of the alert itself. So with this event action the packet is already included in the alerts you are already pulling off the sensor. You just need to modify your tool to strip off this packet, decode it, and then add it to your ticketing system at the same time as you add the alert.
This is where I would start.
Using produceVerboseAlert uses very little additional sensor resources. It has only a very small effect on sensor performance. Because each alert will be larger than normal, it will reduce the total number of alerts that can be stored in the sensor's eventstore. But if your application is actively subscribing for these events, then the reduction in the total number of alerts stored on the sensor should not cause you any issues. So adding this for all High alerts would be a good practice.
The other 3 event actions are log-attacker-packets, log-pair-packets, and log-victim-packets. These event actions will trigger an IP Log (packet log) to be created (or increase the capture time on an existing IP Log).
The IP Log system is a collection of numbered files on the sensor. As event actions trigger new IP Logs to be created, the sensor will pick one of those numbered files and begin writing packets to that file. The sensor retains an internal mapping of what packets are being written to each file. If no empty files exist, then the sensor will automatically overwrite the oldest IP Log file with the new IP Log file. Larger platforms have up to 512 of these numbered files, and smaller platforms may have as few as 128 or even 64 of these numbered files. Each file is 1 Megabyte in size and usually stored in RAM memory. With the limited number of files, the storage of these logs on the sensor is very short term, and so they should be pulled off the sensor as soon as possible (just like what you are planning to implement). The sensor also has a usual limit of only writing 20 IP Log files at any one time.
With these limitations on the IP Log files, they should be used sparingly. Configuring too many signatures, or signatures that trigger often, with these event actions can lead to problems. The IP Logs could easily be overwritten by newer IP Logs being triggered, and/or more than 20 could be requested at any one time, which means some alerts won't be able to have an IP Log created.
So IP Logging event actions should be limited to only those alerts where the additional data is mandatory.
Also understand that IP Logging can have a negative impact on sensor performance. If you plan on using IP Logging often, then consider using a sensor rated for higher speeds than what you will be monitoring. -
Has anyone successfully used a source-port or destination-port filter in a packet-capture command on a WAAS? Any time I try to filter on any port number I capture no packets. If, however, I remove the port number and run a packet-capture, I capture packets and see the traffic my filter should have caught. I'm not sure if I'm looking at a bug, since it seems straightforward.
packet-capture interface gigabitEthernet 0/0 source-port 1494 file-size 50000 capctx
Cisco Wide Area Application Services (universal-k9) Software Release 5.1.1d (build b7 Aug 19 2013)
Version: oe7571-5.1.1d.7
thank you,
Bill
Thank you Srinivasa. I tried tcpdump, but get the same behavior. As soon as I remove the filter all the packets come pouring in. I've tried different ports such as 445, but with the same results, 0 packets.
pa-harr-0-7571a#tcpdump -i eth0 -s 3200 tcp port 1494 -w ctxcapnew.pcap
Note : The tcpdump and tethereal CLIs are planned to be deprecated in a future release. The use of 'packet-capture' CLI is recommended.
tcpdump: Setting virtual memory/file size limit to 524288000
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 3200 bytes
0 packets captured
12 packets received by filter
0 packets dropped by kernel
pa-harr-0-7571a#tcpdump -i eth0 -s 3200 -w ctxcapnew1.pcap
Note : The tcpdump and tethereal CLIs are planned to be deprecated in a future release. The use of 'packet-capture' CLI is recommended.
tcpdump: Setting virtual memory/file size limit to 524288000
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 3200 bytes
225215 packets captured
225222 packets received by filter
0 packets dropped by kernel
Update on this:
tethereal seems to be the only utility that works with a filter. The command below performed as expected, which is odd since it's advertised as working with 4.0 and earlier and I'm running 5.1.1d where I'm warned that tethereal and tcpdump are soon to be deprecated; hopefully not before the issue with packet-capture not working with filters is resolved.
tethereal -i eth0 -s 1600 -w dump.cap -R "tcp.port == 1494" -
Packet capture via 'show events alert' on 4.1(4)
Greetings all. I have an IDSM2 running 4.1(4g). When looking at events via 'show events alert' I notice that some signatures have packet capture info, others do not. Trying to figure out what determines this??
Example: Long SMTP Command (sigID 3109, subsigID 1). 'show events alert' has packet capture info. Looked at the following:
1.
(config-vsc-virtualSensor)# SERVICE.SMTP
(config-vsc-virtualSensor-SER)# show settings
CapturePacket: False <defaulted>
2.
(config-vsc-virtualSensor)# SERVICE.SMTP
(config-vsc-virtualSensor-SER)# signatures siGID 3109
(config-vsc-virtualSensor-SER-sig)# show settings
CapturePacket: False <defaulted>
3.
(config-vsc-virtualSensor-SER)# signatures siGID 3109 subSig 1
(config-vsc-virtualSensor-SER-sig)# show settings
CapturePacket: False <defaulted>
=========
Again... trying to determine where/how the option to get packet capture for this sigID is set. Thanks for any help.
It looks like you are in the right place and checking the correct setting.
Were the alerts you are looking at generated during a period of time that CapturePacket had been set to True? Changing this setting will only affect new alerts being generated, and not old alerts previously stored on the sensor.
A few other things to check:
Try executing "show conf" and look for any tunings on Sig 3109.
There is a very small possibility of the config being out of sync. Doing a show conf should show you the config currently being used by the sensor.
Execute "show events" and verify that the SigID is 3109 and the SubSig is 1 or 0. If it is another subsig like 2, then you will need to separately edit the settings for that subsig.
Marco -
In CLI mode on version 5.x, we run the "packet capture" command to capture xx packets of an x.x.x.x IP address. We logged on to the service account and searched through directories but could not find the file that the packet
capture created. Please advise the file name and directory this command created.
TIA.
Simone
You will find the capture file here:
/usr/cids/idsRoot/var/packet-file -
Etherchannel Issues when i apply service-instance
I am trying to do EtherChannel between two ports of an ME3600 and two ports of a Cisco 3400 switch with either PAgP or LACP. If the ports have a simple configuration (trunk ports) the EtherChannel is up and running properly. But when I apply a simple service instance to the port-channel on the ME3600, the EtherChannel doesn't work properly.
But when the EtherChannel is configured with mode on, everything is OK. Is it possible to do EVC on a port-channel (PAgP/LACP)?
Thank you All,
Mery