Packet capture on IPS 5x
In CLI mode version 5.x, we run "packet capture" command to capture xx packets of an x.x.x.x IP address. Logon to service, searching thought directories but could not find the file that packet
capture created. Please advise file name and directory this command created.
TIA.
Simone
You will find the capture file here:
/usr/cids/idsRoot/var/packet-file
Similar Messages
-
Pulling packet capture from IPS device
I work for a MSP (Managed Services Provider), we currently are evaluating CSM for mgt of 50 IPS/IDSM devices. To make analysis more effective, want to be able to pull the packet capture from the device. We have our own correlation engine, so we do not need MARS. We want to grab the packet and then put a copy into our ticketing system so the analyst has the data right in front of them.
Is the IP Log directory where the packet capture data is kept? Has anyone ever tried this before? What are the performance/health concerns with enabling packet captures for just high signatures? Does the IP log directory really "clean" itself out after a certain period of time?There are 4 event actions that can be used to capture packets.
The produce-verbose-alert event action will encode the trigger packet as part of the alert itself. So with this event action the packet is already included in the alerts you are already pulling off the sensor. You just need to modify your tool to strip off this packet, decode it, and then add it to your ticketing system at the same time as you add the alert.
This is where I would start.
Using the produceVerboseAlert uses very little additional sensor resources. It has only a very small affect on sensor performance. Because each alert will be larger than normal it will reduce the total number of alerts that can be stored in the sensor's eventstore. But if your application is actively subscribing for these events, then the reduction in total number of alerts stored on the sensor should not cause you any issues. So adding this for all High alerts woulc be a good practice.
The other 3 event actions are log-attacker-packets, log-pair-packets, and log-victim-packets. These event actions will trigger an IP Log (packet log) to be created (or increase the time for capture on an existing IP Log.
The IP Log system is a collection of numbered files on the sensor. As event actions trigger new IP Logs to be created the sensor will pick one of those numbered files and begin writing packets to that file. The sensor retains an internal mapping of what packets are being written to each file. If no empty files exist, then the sensor will automatically overwrite the oldest IP Log file with the new IP Log file. Larger platforms have up to 512 of these numbered files, and smaller platforms may have as few as 128 or even 64 of these numbered files. Each file is 1 Megabyte in size and usually stored in RAM memory. With the limited number of files, the storage of these logs on the sensor is very short term. And so should be pulled off the sensor as soon as possible (just like what you are planning to implement). The sensor also has a usual limit of only writing 20 IP Log files at any one time.
With these limitations on the IP Log files they shoudl be used sparingly. Configuring too many signatures or signatures that trigger often with these event actions can lead to problems. The IP Logs could easily be overwritten by newer IP Logs being triggered, and/or more than 20 could be requested at any one time which means some alerts won't be able to have an IP Log created.
So IP Logging event actions should be limited to only those alerts where the additional data is manditory.
Also understand that IP Logging can have a negative impact on sensor performance. If you plan on using IP Logging often, then consider using a sensor rated for higher speeds than what you will be monitoring. -
IPS packet captures-disk space
I have been doing packet captures on High and Medium events and in the IME there is no obvious way to delete old captures. They don't take up alot space but I wanted to know if there is a way to view the disk capacity on the IPS and how I can delete old capture files from the IPS.
Hi Jason,
The ip logging functionality stores the logs in a circular buffer, so there is no need (and no supported way) to delete/manage the old log files - they will be overwritten then new logs necessitate it.
All of the information on ip logging can be found here:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ip_logging.html#wp1030704
Also, unless you have a specific need for full stream captures for all high/medium events, you can use the "Produce Verbose Alert" action instead of the ip logging actions to capture the offending packet with significantly less resource utilization per alert.
-JT -
Java packet capturing libraries ... ?
HI All,
actually i need to write some packet capturing code on solaris i have tried Jpcap library but there are some compilation issues on solaris .
is there any other library which i can use for packet capturing except Jpcap ?
thankstcpdump hhhmmmmm... it actually can't work for me ....
i am using Package "ch.ethz.ssh2" for ssh because i have to ssh to another server and run the snoop command on it.
Ok, lets look at this code . can we find anything else for me
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.File" %>
<%@ page import="java.io.IOException" %>
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="ch.ethz.ssh2.Connection" %>
<%@ page import="ch.ethz.ssh2.Session" %>
<%@ page import="ch.ethz.ssh2.StreamGobbler" %>
<%@ page import="java.io.BufferedWriter" %>
<%@ page import="java.io.OutputStreamWriter" %>
<%@ page import="java.io.PrintWriter" %>
<%@ page import="ch.ethz.ssh2.SCPClient" %>
<%@ page import="ch.ethz.ssh2.SFTPv3Client" %>
<%@ page import="java.util.*" %>
<%@ page import="java.io.FileInputStream" %>
<%@ page import="java.io.BufferedInputStream" %>
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>JSP Page</title>
</head>
<%
String hosts = request.getParameter("hostname");
String packets = request.getParameter("packets");
String q =request.getParameter("q");
String str="";
String hostname = "127.1.1.1";
String username = "root";
File keyfile = new File("/root/ssh/id_dsa"); // or "~/.ssh/id_dsa"
String keyfilePass = "pass";
try
/* Create a connection instance */
Connection conn = new Connection(hostname);
/* Now connect */
conn.connect();
/* Authenticate */
boolean isAuthenticated = conn.authenticateWithPublicKey(username, keyfile, keyfilePass);
if (isAuthenticated == false)
throw new IOException("Authentication failed.");
/* Create a session */
Session sess = conn.openSession();
sess.execCommand("snoop -d bge0 -o /export/myhome/file.cap -c "+ packets +" host "+hosts +" ");
InputStream stdout = new StreamGobbler(sess.getStdout());
BufferedReader br = new BufferedReader(new InputStreamReader(stdout));
System.out.println("Here is some information about the remote host:");
while (true)
String line = br.readLine();
if (line == null)
break;
System.out.println(line);
/* Close this session */
sess.close();
/* Close the connection */
conn.close();
catch (IOException e)
e.printStackTrace(System.err);
//System.exit(2);
%>
</html>problem with this code is when code reach the below line command starts running on remote server unitll it captures number of packets ..
sess.execCommand("snoop -d bge0 -o /export/myhome/file.cap -c "+ packets +" host "+hosts +" ");what i want to do is to run that command for some time for example: i want to run the command for 10 minutes but unfortunately there is no argument for time in snoop command. so can't exit the command on time basis ....
any suggestions how can i fix that problem ? -
Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches
With Rahul Rammanohar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
• 7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
• ASR9k: network processor capture
• 7200/ISRs: embedded packet capture
• Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
• Cisco Nexus 7K: ELAM
• CRS: show captured packets
• ASR1K: embedded packet capture
More Information
Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
Watch the Video: https://supportforums.cisco.com/videos/6226
Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service.
Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.
Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.Hello Erick
Thanks for the topology. The trigger will be different for labelled packet as you would need to mention the values of labels too in the trigger.
Below are two examples of one or two labels being used, it depends on where you are capturing the packet in mplsvpn scenario which will decide teh number of labels being imposed on the packet.
Trigger for one label. (if the router on which you are capturing the packet PHP is being performed)
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F 7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
Trigger for two labels. (for other core routers)
IGP label - 1234
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
You can check the labels being used (by using show ip cef <> details) and covert their values to hex and change the trigger accordingly.
I have changed the colors for better understanding. If you notice carefully in the trigger the values for ip address, labels have just been converted to their respective hex values which could be replaced.
Please let me know if this helps.
Thanks & Regards
Hitesh & Rahul -
Cisco Prime and WLC packet capture error - Request Timed Out
Hello,
We have a Cisco Prime installation (2.2.0) and a WLC (Cisco 5508)
I’ve been trying to test the wireless packet capture function, but have now run into problems, a quick rundown of my actions so far:
Selected a wireless access point in Prime and clicked ‘Packet Capture’
Did a packet capture saving to the PI, the capture worked fine
Could not find any way to delete the packet capture
Selected a wireless access point in Prime and clicked ‘Packet Capture’
Did a packet capture saving to an FTP server, the capture worked fine
The 1st capture had finished (10 minute capture) before testing the second
The 2nd capture has also finished and saved the files to the FTP server as specified
Now though I cannot capture from any access point as when I click ‘Packet Capture’ I get the error:
“Request Timed out. Error in getting data from server.”
The error is ‘instant’ as in no delay indicating something actually timing out.
So the 2 problems I have are:
How do I fix the ‘request timed out’ error above
How do I delete old packet captures from the PI
I hope someone can help as I can’t find any info on either of the problems.
Cheers
AdrianI think I've solved (2) by deleting the files from the FTP directory on the prime box through SSH.
So I'm now just stuck on the timed out error. -
Empty pcap file with Embedded Packet Capture
Hello,
I have configured the EPC in my CISCO 2901 CUBE for monitoring VOIP traffic.
#First I configure the type of traffic I want to filter
access-list 110 permit tcp any any eq 5060
access-list 110 permit tcp any any eq 5061
access-list 110 permit udp any any eq 5060
access-list 110 permit udp any any eq 5061
#Then my buffer (too big, I know..)
monitor capture buffer buff-SIP5 size 2048 max-size 9500
# I apply the access-list to the buffer
monitor capture buffer buff-SIP5 filter access-list 110
# Define the capture point, both interfaces, IN and OUT..
monitor capture point ip cef SIP5 all both
#Associate capture point with buffer
monitor capture point associate SIP5 buff-SIP5
#Start the capture
monitor capture point start SIP5
#Stop it..
monitor capture point stop SIP5
#Check if you have what you need
show monitor cap buffer buff-SIP5 dump
#Export it using scp
monitor capture buffer buff-SIP5 export scp://[email protected]:/SIP5.pcap
I would like some help with these two issues:
1) When I export it, my pcap file is empty...yet when I do a dump, I can see everything I need
2) If I don't apply the access-list filter, I can see the SIP messages in the pcap file. However, I cannot see the messages that sends the SBC, only the ones that it receives.
Thanks in advance,
GabrielI tried recreating the packet capture with no access-list filtering.
show mon cap buff all para
Capture buffer cap (circular buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : cap, Status : Active
Configuration:
monitor capture buffer cap circular
monitor capture point associate cap cap
interface GigabitEthernet1/1/1
description UPLINK TO 6513
switchport mode trunk
end -
How to display date for each packet in a Cisco ASA packet capture
Hello,
Quick question...On a Cisco ASA (v8.2) how does one show the date of each packet in a packet capture?
When performing a packet capture from CLI you can do a "show capture testcapture" command and you can see that the time is at the beginning of each packet but how does one view the date as well as the time for each packet? I know you can export the packet capture and it will show the date & time in wireshark but sometimes for just quick and dirty capture I'd like to view the capture from the CLI on the ASA itself without doing an export.
Sample capture below. Time is displayed but not the date of the packet capture. Issuing command "sh cap test detail" doesn't show the date either. I checked on an ASA running v9 and it also doesn't show the date in the packet capture.
ASA5505# sh cap test
1: 08:51:56.112085 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x: udp 404
2: 08:52:18.111871 802.1Q vlan#12 P0 10.150.40.240.29082 > x.x.x.x.53: udp 37
3: 08:52:18.165366 802.1Q vlan#12 P0 y.y.y.y.53 > 10.150.40.240.29082: udp 53
4: 08:52:32.129235 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x4.500: udp 404
5: 08:52:37.111627 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500: udp 404
6: 08:52:49.111490 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500: udp 404
Thanks for any help.
JoeHi,
I would suggest copying the capture from the ASA to some local host and opening the capture file with Wireshark to view the information
For example
copy /pcap capture:test tftp://x.x.x.x/test.pcap
This should copy the current data in the capture to the mentioned location with the mentioned filename.
I personally view the captures on the ASA CLI only if I am just confirming that some traffic comes to the firewall or when I am checking what happens to a TCP connection that can not be formed. Its a lot easier to go through bigger captures by copying them from the ASA and viewing them with an actual software meant for that purpose.
Hope this helps :)
- Jouni -
Hi, I have tried to do a packet capture on the ACE by following this doc -
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting#Capturing_Packets_in_Real_Time
Issue is, the output is displayed in a hexa-decimal format (In red below) -
ACE1# show capture CAP2414 detail
0001: msg_type: PKT_RCV
ace_id: 18173 action_flag: 0x13
src_addr: 10.127.84.153 src_port: 58653
dst_addr: 10.127.85.153 dst_port: 14109
l3_protocol: 0 l4_protocol: 6
message_hex_dump:
0x0000: 0007 0104 0000 46fd 0000 0000 0a7f 5499 ......F.......T.
0x0010: 0a7f 5599 0609 0033 e51d 371d 0000 0000 ..U....3..7.....
0x0020: 0104 0000 05b4 0000 0000 46fd 1300 0000 ..........F.....
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0001 ........
Even if I copy the CAP file to my laptop and open it in wireshark, I only see it showing source and destination MACs. (File attached)
Can anyone please advise??Hi Kanwaljeet, the steps are -
Step 1:
access-list CAP line 8 extended permit ip host 10.127.84.152 host 10.127.85.152
access-list CAP line 16 extended permit ip host 10.127.84.153 host 10.127.85.153
Step 2:
capture CAP interface all access-list CAP
Step 3:
capture CAP start
Step 4:
capture CAP stop
Step 5:
Copy capture CAP disk0:CAP
Step 6:
tftp the file CAP to the laptop and open in Wireshark -
Multiple context mode, how to download the packet capture file
Hi guys,
Is there a way to download the packet capture file from a specific context? I know that I used to use https://<ASA_IP>/admin/capture/<capture> to download it if it is just one context.
The ASA uses mgmt 0/0 for management and it is connected in a separate OOB network. Only this network has TFTP servers for uploading the capture file. The context in question is in transparent mode. Its IP doesn't have access to any TFTP server.
Thanks!
DifanHello Difan,
Please refer the following document.
https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
Also what version of the ASA code are you using?
Regards,
Jai Ganesh K -
Details about the packet capture output bits...
Hi Mates,
If we take the packet capture output, we will get similar output as follows:
Please explain the significance of the highlighted bits values. (S,P,F and . )
If tehre is ny doc related to them, appreciate to share.
Thanks & Regards
RamanaS SYN
P PUSH
F FIN
http://www.firewall.cx/networking-topics/protocols/tcp/136-tcp-flag-options.html
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
Hi,
I want to capture packet on gi0/0 of PE1 in order to show customer that all his traffic is encapsulated and transmitted by L2VPN (ldp signaling) in his lab.
CE1-----------(g0/1)PE1(g0/0)------------PE2-----------CE2
PE1 and PE2 are Cisco3945 and L2VPN is working well. I tried cisco RITE(Router IP Traffic Export Packet Capture) feature, but the output was not what I expected. I tried both export mode and capture mode. Only LDP hello message I got, looks like RITE is only interested in IP packet. Monitor session wasn't effective as well because it is not a switch.
Is there any other way/workaround to capture customer's traffic encapsulated in L2VPN?
What I did on PE1 when I was trying RITE export mode:
ip traffic-export profile test
bidirectional
interface GigabitEthernet0/2
mac-address e411.5b44.3a6d
interface GigabitEthernet0/2
ip address 10.1.2.1 255.255.255.0
interface GigabitEthernet0/0
ip traffic-export apply test
Gi0/2 connected my PC(10.1.2.2) with wireshark installed.
Many thanks.
Regards,
Jerry FanThanks Shivlu. I tried, but failed. 'monitor capture' is only interested in ipv4 and ipv6. Maybe the IOS in Cisco3945 isn't same as the IOS in Cat6500 or Cisco7600 or GSR/CSR.
See following:
===================================================================
Router_MPS_TEST_A#monitor capture ?
buffer Control Capture Buffers
point Control Capture Points
Router_MPS_TEST_A#monitor capture po
Router_MPS_TEST_A#monitor capture point ?
associate Associate capture point with capture buffer
disassociate Dis-associate capture point from capture buffer
ip IPv4
ipv6 IPv6
start Enable Capture Point
stop Disable Capture Point
Router_MPS_TEST_A#monitor capture point ip ?
cef IPv4 CEF
process-switched Process switched packets
Router_MPS_TEST_A#monitor capture point ip p
Router_MPS_TEST_A#monitor capture point ip process-switched ?
WORD Name of the Capture Point
Router_MPS_TEST_A#monitor capture point ip process-switched test-point ?
both Inbound and outbound and packets
from-us Packets originating locally
in Inbound packets
out Outbound packets
Router_MPS_TEST_A#monitor capture point ip process-switched test-point b
Router_MPS_TEST_A#monitor capture point ip process-switched test-point both ?
Router_MPS_TEST_A#monitor capture point ip process-switched test-point both
===================================================================
At last, I have to insert a switch in the middle of two cisco3945 and configured port span. That worked very well. Anyway, many thanks for your advice.
Jerry Fan -
Trouble Capturing Packets with Embedded Packet Capture
Hi All,
I am trying to capture packets originating from a server to a host device across three switches:
server -- 6513 -- 3850 -- 3550 -- host A
I am doing a ping from the server to host A. The packet capture is being done on the 3850. This is my configuration:
access-list 100 permit icmp host 192.168.101.6 host 192.168.100.188
access-list 100 permit icmp host 192.168.100.188 host 192.168.101.6
end
monitor capture buffer TRACE
monitor capture buffer TRACE filter access-list 100
monitor capture point ip cef CAP g1/1/1 both
montior capture point associate CAP TRACE
monitor capture point start CAP
I then issue a ping from the server to host A. Interface g1/1/1 is where the 6513 connects to the 3850. When I issue a show monitor capture buffer all parameters, there are no packets. If I remove the filter from the buffer I still do not see the packets.
Does anyone have any advice here?I tried recreating the packet capture with no access-list filtering.
show mon cap buff all para
Capture buffer cap (circular buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : cap, Status : Active
Configuration:
monitor capture buffer cap circular
monitor capture point associate cap cap
interface GigabitEthernet1/1/1
description UPLINK TO 6513
switchport mode trunk
end -
Embedded Packet Capture Feature on IOS
Hello, I have (4) 1841 routers and I am using c1841-adventerprisek9-mz.151-4.M7.bin IOS version.
What I would like to do is use the embedded capture feature and what I get at the terminal is:
R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#monitor ?
event-trace Tracing of system events
session Configure a SPAN session
Capture is not an option. I need help on how the get the full features to work....
Kind regards...Hello.
The feature is supported on the platform/release.
You need to exit configuration mode to use it.
Please find details here - https://supportforums.cisco.com/document/139686/configuration-example-embedded-packet-capture-cisco-ios-and-ios-xe -
Packet captures on CLI, ASDM, or CSM?
just wondering what the best practice is for performing packet captures...
ASDM cleans up any ACLs that are built on the packet capture wizard, so I guess this is OK... But when you use the CLI, the ACLs you create stick around, so wouldn't they get cleaned up on the next policy push from CSM?...
I'm new to CSM...
ThanksPacket tracer bug fixed in ASDM 7.3(1.101). Verified. Works.
https://tools.cisco.com/bugsearch/bug/CSCuq40844
Maybe you are looking for
-
I have a free agent desk 500 GB external hard drive. Since updating my iMac OS to Mountain Lion it no longer backs up through Time Maching like it did in the past. Now, after completing its work it says, "Unable to complete backup. An error occurr
-
Call JavaScript function when my Condition is true in JSP
Hi all, in my jsp i wanna call a javascript function (user defined) when a particular condition si met. How to go about it ? Can anyone plz help me out. Help appreciated.
-
i had to restore my laptop to 'out of the box' condition. It's a year and a half old. After a few days of installing all the required updates I can't get SP7 to take. It says successful installation and to reboot. It goes through the blue screens
-
I am probably missing something easy but just can't think of it. I have been trying to open an .xls spreadsheet on my iMac. Numbers says the file can't be opened it is encrypted. How can I open this file and convert it to a Numbers document? I am u
-
While opening a VI the VI is looking for itself - endless loop
A have a VI called "DermaSR". If I open the VI Labview is looking for the included SubVI. And then the following message appears: "Please find the VI named "DermaSR" And then I have a problem. I can select DermaSR and nothing happens. Except: The mes