Packet capture via 'show events alert' on 4.1(4)
Greetings all. I have an IDSM2 running 4.1(4g). When looking at events via 'show events alert' I notice that some signatures have packet capture info, others do not. Trying to figure out what determines this?
Example: for Long SMTP Command (sigID 3109, subsigID 1), 'show events alert' has packet capture info. Looked at the following:
1.
(config-vsc-virtualSensor)# SERVICE.SMTP
(config-vsc-virtualSensor-SER)# show settings
CapturePacket: False <defaulted>
2.
(config-vsc-virtualSensor)# SERVICE.SMTP
(config-vsc-virtualSensor-SER)# signatures siGID 3109
(config-vsc-virtualSensor-SER-sig)# show settings
CapturePacket: False <defaulted>
3.
(config-vsc-virtualSensor-SER)# signatures siGID 3109 subSig 1
(config-vsc-virtualSensor-SER-sig)# show settings
CapturePacket: False <defaulted>
=========
Again...trying to determine where/how the option to get packet capture for this sigID is set. Thanks for any help.
It looks like you are in the right place and checking the correct setting.
Were the alerts you are looking at generated during a period of time that CapturePacket had been set to True? Changing this setting will only affect new alerts being generated, and not old alerts previously stored on the sensor.
A few other things to check:
Try executing "show conf" and look for any tunings on Sig 3109.
There is a very small possibility of the config being out of sync. Doing a show conf should show you the config currently being used by the sensor.
Execute "show events" and verify that the SigID is 3109 and the SubSig is 1 or 0. If it is another subsig like 2, then you will need to separately edit the settings for that subsig.
Marco
Similar Messages
-
Hello,
ASA Firewall is running in Active/Active mode. Below is the configuration of the firewall and IPS SSM module.
We are not getting events on the IPS sensor when we type "show event alerts".
IPS configuration:
++++++++++++++++++++++
IPS1#
IPS1# sh configuration
! Current configuration last modified Tue Jul 02 07:19:13 2013
! Version 7.1(1)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S552.0 2011-03-07
service interface
exit
service authentication
exit
service event-action-rules rules0
exit
service host
network-settings
host-ip 10.15.1.58/28,10.15.1.57
host-name IPS1
telnet-option disabled
access-list 0.0.0.0/0
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 60
standard-time-zone-name GMT+03:00
exit
exit
service logger
exit
service network-access
exit
service notification
exit
service signature-definition sig0
exit
service ssh-known-hosts
exit
service trusted-certificates
exit
service web-server
exit
service anomaly-detection ad0
exit
service external-product-interface
exit
service health-monitor
exit
service global-correlation
exit
service analysis-engine
virtual-sensor vs1
description virtual-sensor-1
anomaly-detection
operational-mode learn
exit
physical-interface PortChannel0/0
exit
exit
IPS1#
ASA in system mode
+++++++++++++++++++++++++++++++++++++++
ASA-1/act/pri# sh run
: Saved
ASA Version 9.1(1) <system>
hostname ASA-1
enable password u14FkAnxI.kNNH7a encrypted
no mac-address auto
interface GigabitEthernet0/0
description LAN Failover Interface
interface GigabitEthernet0/1
description STATE Failover Interface
interface GigabitEthernet0/2
interface GigabitEthernet0/3
interface GigabitEthernet0/4
shutdown
interface GigabitEthernet0/5
shutdown
interface Management0/0
interface Management0/1
interface TenGigabitEthernet0/6
channel-group 20 mode active
interface TenGigabitEthernet0/7
channel-group 20 mode active
interface TenGigabitEthernet0/8
channel-group 10 mode active
interface TenGigabitEthernet0/9
channel-group 10 mode active
interface GigabitEthernet1/0
shutdown
interface GigabitEthernet1/1
shutdown
interface GigabitEthernet1/2
shutdown
interface GigabitEthernet1/3
shutdown
interface GigabitEthernet1/4
shutdown
interface GigabitEthernet1/5
shutdown
interface TenGigabitEthernet1/6
shutdown
interface TenGigabitEthernet1/7
shutdown
interface TenGigabitEthernet1/8
shutdown
interface TenGigabitEthernet1/9
shutdown
interface Port-channel10
interface Port-channel10.96
description "Inside-CTX-1"
vlan 96
interface Port-channel10.97
description "Inside-CTX-2"
vlan 97
interface Port-channel20
interface Port-channel20.98
description "Outside-CTX-1"
vlan 98
interface Port-channel20.99
description "Outside-CTX-2"
vlan 99
class default
limit-resource All 0
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
pager lines 24
failover
failover lan unit primary
failover lan interface FOL GigabitEthernet0/0
failover link STATEFULL-LINK GigabitEthernet0/1
failover interface ip FOL 10.15.1.33 255.255.255.252 standby 10.15.1.34
failover interface ip STATEFULL-LINK 10.15.1.37 255.255.255.252 standby 10.15.1.38
failover group 1
preempt
failover group 2
secondary
preempt
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0
tls-proxy maximum-session 1000
admin-context admin
context admin
allocate-ips vs0 adminvs0
config-url disk0:/admin.cfg
context arm-1
description ARM-1
allocate-interface Management0/0 MGT
allocate-interface Port-channel10.96 inside
allocate-interface Port-channel20.98 outside
allocate-ips vs1 arm-1vs1
config-url disk0:/arm-1_Context.cfg
join-failover-group 1
context arm-2
description ARM-2
allocate-interface Management0/1 MGT
allocate-interface Port-channel10.97 inside
allocate-interface Port-channel20.99 outside
allocate-ips vs1 arm-2vs1
config-url disk0:/arm-2_Context.cfg
join-failover-group 2
prompt hostname context state priority
no call-home reporting anonymous
Cryptochecksum:ad532251aad3ca65f6da8f1ff0762816
ASA in one arm context mode
+++++++++++++++++++++++++++++++++++++++
ASA-1/arm-1/act/pri# sh run
: Saved
ASA Version 9.1(1) <context>
firewall transparent
hostname arm-1
enable password u14FkAnxI.kNNH7a encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface BVI1
ip address 10.15.1.57 255.255.255.240
interface MGT
management-only
nameif management
security-level 0
ip address 10.14.1.9 255.255.255.0 standby 10.14.1.10
interface inside
nameif inside
bridge-group 1
security-level 100
interface outside
nameif outside
bridge-group 1
security-level 0
access-list global extended permit ip any any
access-list out extended permit ip any any
access-list in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group in in interface inside
access-group out in interface outside
route inside 10.0.0.0 255.255.0.0 10.15.1.51 1
route inside 10.0.10.45 255.255.255.255 10.15.1.51 1
route outside 10.11.0.0 255.255.0.0 10.15.1.53 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
no threat-detection statistics tcp-intercept
username admin password fMQ/rjnxl9Vwe9mv encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
class-map any
match access-list global
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map IPS
class any
ips promiscuous fail-open sensor arm-1vs1
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
service-policy IPS interface outside
Cryptochecksum:00b87b7c25f21d91cf5b90cb18c4d745
: end
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Why are we not able to see any events on the IPS, as MPF is configured on the ASA and that ACL is getting hit counts?
Regards,
In the CLI, enter the following command to see if any signatures are triggering; it could just be that you haven't had the right combination of signatures trigger to cause an actual event:
show stat virtual-sensor | begin Per-Signature
You could also enable Signature 2000 and that will usually generate events in a short time to ensure you have traffic configured correctly for inspection by the IDS.
-
Can we capture the show/hide layer event in PS?
Hi All..!!!
I have a query to all Photoshop coders! Can we capture the click event of show/hide layers in Photoshop..? I needed to know in my code when the user has clicked the show/hide layer eye..!!
Pls answer soon..!!
Thanks!
http://forums.adobe.com/thread/858391?tstart=0
-
Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches
With Rahul Rammanohar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
• 7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
• ASR9k: network processor capture
• 7200/ISRs: embedded packet capture
• Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
• Cisco Nexus 7K: ELAM
• CRS: show captured packets
• ASR1K: embedded packet capture
More Information
Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
Watch the Video: https://supportforums.cisco.com/videos/6226
Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service.
Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.
Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Hello Erick
Thanks for the topology. The trigger will be different for labelled packets, as you would need to mention the values of the labels too in the trigger.
Below are two examples of one or two labels being used; where you are capturing the packet in the MPLS VPN scenario will decide the number of labels being imposed on the packet.
Trigger for one label (if PHP is being performed on the router on which you are capturing the packet):
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
Trigger for two labels. (for other core routers)
IGP label - 1234
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
You can check the labels being used (by using show ip cef <> details), convert their values to hex, and change the trigger accordingly.
I have changed the colors for better understanding. If you notice carefully in the trigger the values for ip address, labels have just been converted to their respective hex values which could be replaced.
Please let me know if this helps.
Thanks & Regards
Hitesh & Rahul -
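The label and address conversion described in the reply above, as an added example that is not part of the original post or of any Cisco tooling: a Python helper that rebuilds both triggers from decimal label values and dotted IPv4 addresses. The word layout (three leading zero words, EtherType 0x8847 starting a word, an untagged frame, source address at offset 12 of the IPv4 header, EXP/S/TTL bits left unmatched) is an assumption inferred from the two triggers shown; `elam_words` and `trigger_command` are hypothetical names.

```python
import ipaddress
import struct

ETHERTYPE_MPLS = 0x8847
LEADING_ZERO_WORDS = 3  # assumption: both triggers in the post begin with "0 0 0"
IPV4_SRC_OFFSET = 12    # offset of the source address inside an IPv4 header


def _to_words(buf):
    """Split bytes into big-endian 32-bit words, zero-padding the last word."""
    padded = bytes(buf) + bytes(-len(buf) % 4)
    return [word for (word,) in struct.iter_unpack(">I", padded)]


def elam_words(labels, src, dst):
    """Return (data_words, mask_words) for an MPLS-labelled IPv4 packet.

    labels: label stack as decimal values, outermost (IGP) label first.
    src, dst: dotted-quad IPv4 addresses of the customer packet.
    """
    if not labels:
        raise ValueError("at least one MPLS label is required")

    # Byte stream starting at the EtherType; the mask marks the bits to match.
    data = bytearray(struct.pack(">H", ETHERTYPE_MPLS))
    mask = bytearray(b"\xff\xff")

    for label in labels:
        if not 0 <= label < (1 << 20):
            raise ValueError(f"label {label} does not fit in 20 bits")
        # Label stack entry: 20-bit label, then EXP/S/TTL (left 0, not matched).
        data += struct.pack(">I", label << 12)
        mask += struct.pack(">I", 0xFFFFF000)

    # IPv4 header: skip the first 12 bytes, then match source and destination.
    data += bytes(IPV4_SRC_OFFSET)
    data += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    mask += bytes(IPV4_SRC_OFFSET) + b"\xff" * 8

    lead = [0] * LEADING_ZERO_WORDS
    return lead + _to_words(data), lead + _to_words(mask)


def _fmt(words, upper):
    """Render words the way the post does: bare 0, otherwise 8 hex digits."""
    out = []
    for word in words:
        if word == 0:
            out.append("0")
        else:
            out.append(f"0x{word:08X}" if upper else f"0x{word:08x}")
    return " ".join(out)


def trigger_command(labels, src, dst):
    """Build the full ELAM trigger line for the given label stack and hosts."""
    data, mask = elam_words(labels, src, dst)
    return (
        "show platform capture elam trigger dbus others if data = "
        f"{_fmt(data, upper=True)} [ {_fmt(mask, upper=False)} ]"
    )


if __name__ == "__main__":
    # Values from the post: VPN label 5678, IGP label 1234.
    print(trigger_command([5678], "111.111.111.111", "123.123.123.123"))
    print(trigger_command([1234, 5678], "111.111.111.111", "123.123.123.123"))
```

Each extra label shifts the IP header by four bytes, which is why the two-label trigger carries one more word than the one-label trigger.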
Pulling packet capture from IPS device
I work for a MSP (Managed Services Provider), we currently are evaluating CSM for mgt of 50 IPS/IDSM devices. To make analysis more effective, want to be able to pull the packet capture from the device. We have our own correlation engine, so we do not need MARS. We want to grab the packet and then put a copy into our ticketing system so the analyst has the data right in front of them.
Is the IP Log directory where the packet capture data is kept? Has anyone ever tried this before? What are the performance/health concerns with enabling packet captures for just high signatures? Does the IP log directory really "clean" itself out after a certain period of time?
There are 4 event actions that can be used to capture packets.
The produce-verbose-alert event action will encode the trigger packet as part of the alert itself. So with this event action the packet is already included in the alerts you are already pulling off the sensor. You just need to modify your tool to strip off this packet, decode it, and then add it to your ticketing system at the same time as you add the alert.
This is where I would start.
Using the produceVerboseAlert uses very little additional sensor resources. It has only a very small effect on sensor performance. Because each alert will be larger than normal it will reduce the total number of alerts that can be stored in the sensor's eventstore. But if your application is actively subscribing for these events, then the reduction in total number of alerts stored on the sensor should not cause you any issues. So adding this for all High alerts would be a good practice.
The other 3 event actions are log-attacker-packets, log-pair-packets, and log-victim-packets. These event actions will trigger an IP Log (packet log) to be created (or increase the time for capture on an existing IP Log).
The IP Log system is a collection of numbered files on the sensor. As event actions trigger new IP Logs to be created the sensor will pick one of those numbered files and begin writing packets to that file. The sensor retains an internal mapping of what packets are being written to each file. If no empty files exist, then the sensor will automatically overwrite the oldest IP Log file with the new IP Log file. Larger platforms have up to 512 of these numbered files, and smaller platforms may have as few as 128 or even 64 of these numbered files. Each file is 1 Megabyte in size and usually stored in RAM memory. With the limited number of files, the storage of these logs on the sensor is very short term. And so should be pulled off the sensor as soon as possible (just like what you are planning to implement). The sensor also has a usual limit of only writing 20 IP Log files at any one time.
With these limitations on the IP Log files they should be used sparingly. Configuring too many signatures or signatures that trigger often with these event actions can lead to problems. The IP Logs could easily be overwritten by newer IP Logs being triggered, and/or more than 20 could be requested at any one time which means some alerts won't be able to have an IP Log created.
So IP Logging event actions should be limited to only those alerts where the additional data is mandatory.
Also understand that IP Logging can have a negative impact on sensor performance. If you plan on using IP Logging often, then consider using a sensor rated for higher speeds than what you will be monitoring.
-
IPS packet captures-disk space
I have been doing packet captures on High and Medium events and in the IME there is no obvious way to delete old captures. They don't take up a lot of space but I wanted to know if there is a way to view the disk capacity on the IPS and how I can delete old capture files from the IPS.
Hi Jason,
The ip logging functionality stores the logs in a circular buffer, so there is no need (and no supported way) to delete/manage the old log files - they will be overwritten when new logs necessitate it.
All of the information on ip logging can be found here:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ip_logging.html#wp1030704
Also, unless you have a specific need for full stream captures for all high/medium events, you can use the "Produce Verbose Alert" action instead of the ip logging actions to capture the offending packet with significantly less resource utilization per alert.
-JT -
Empty pcap file with Embedded Packet Capture
Hello,
I have configured the EPC in my CISCO 2901 CUBE for monitoring VOIP traffic.
#First I configure the type of traffic I want to filter
access-list 110 permit tcp any any eq 5060
access-list 110 permit tcp any any eq 5061
access-list 110 permit udp any any eq 5060
access-list 110 permit udp any any eq 5061
#Then my buffer (too big, I know..)
monitor capture buffer buff-SIP5 size 2048 max-size 9500
# I apply the access-list to the buffer
monitor capture buffer buff-SIP5 filter access-list 110
# Define the capture point, both interfaces, IN and OUT..
monitor capture point ip cef SIP5 all both
#Associate capture point with buffer
monitor capture point associate SIP5 buff-SIP5
#Start the capture
monitor capture point start SIP5
#Stop it..
monitor capture point stop SIP5
#Check if you have what you need
show monitor cap buffer buff-SIP5 dump
#Export it using scp
monitor capture buffer buff-SIP5 export scp://[email protected]:/SIP5.pcap
I would like some help with these two issues:
1) When I export it, my pcap file is empty...yet when I do a dump, I can see everything I need
2) If I don't apply the access-list filter, I can see the SIP messages in the pcap file. However, I cannot see the messages that the SBC sends, only the ones that it receives.
Thanks in advance,
Gabriel
I tried recreating the packet capture with no access-list filtering.
show mon cap buff all para
Capture buffer cap (circular buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : cap, Status : Active
Configuration:
monitor capture buffer cap circular
monitor capture point associate cap cap
interface GigabitEthernet1/1/1
description UPLINK TO 6513
switchport mode trunk
end
-
How to display date for each packet in a Cisco ASA packet capture
Hello,
Quick question...On a Cisco ASA (v8.2) how does one show the date of each packet in a packet capture?
When performing a packet capture from CLI you can do a "show capture testcapture" command and you can see that the time is at the beginning of each packet but how does one view the date as well as the time for each packet? I know you can export the packet capture and it will show the date & time in wireshark but sometimes for just quick and dirty capture I'd like to view the capture from the CLI on the ASA itself without doing an export.
Sample capture below. Time is displayed but not the date of the packet capture. Issuing command "sh cap test detail" doesn't show the date either. I checked on an ASA running v9 and it also doesn't show the date in the packet capture.
ASA5505# sh cap test
1: 08:51:56.112085 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x: udp 404
2: 08:52:18.111871 802.1Q vlan#12 P0 10.150.40.240.29082 > x.x.x.x.53: udp 37
3: 08:52:18.165366 802.1Q vlan#12 P0 y.y.y.y.53 > 10.150.40.240.29082: udp 53
4: 08:52:32.129235 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x4.500: udp 404
5: 08:52:37.111627 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500: udp 404
6: 08:52:49.111490 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500: udp 404
Thanks for any help.
Joe
Hi,
I would suggest copying the capture from the ASA to some local host and opening the capture file with Wireshark to view the information
For example
copy /pcap capture:test tftp://x.x.x.x/test.pcap
This should copy the current data in the capture to the mentioned location with the mentioned filename.
I personally view the captures on the ASA CLI only if I am just confirming that some traffic comes to the firewall or when I am checking what happens to a TCP connection that can not be formed. It's a lot easier to go through bigger captures by copying them from the ASA and viewing them with an actual software meant for that purpose.
Hope this helps :)
- Jouni -
Hi, I have tried to do a packet capture on the ACE by following this doc -
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting#Capturing_Packets_in_Real_Time
Issue is, the output is displayed in a hexa-decimal format (In red below) -
ACE1# show capture CAP2414 detail
0001: msg_type: PKT_RCV
ace_id: 18173 action_flag: 0x13
src_addr: 10.127.84.153 src_port: 58653
dst_addr: 10.127.85.153 dst_port: 14109
l3_protocol: 0 l4_protocol: 6
message_hex_dump:
0x0000: 0007 0104 0000 46fd 0000 0000 0a7f 5499 ......F.......T.
0x0010: 0a7f 5599 0609 0033 e51d 371d 0000 0000 ..U....3..7.....
0x0020: 0104 0000 05b4 0000 0000 46fd 1300 0000 ..........F.....
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0001 ........
Even if I copy the CAP file to my laptop and open it in wireshark, I only see it showing source and destination MACs. (File attached)
Can anyone please advise??
Hi Kanwaljeet, the steps are -
Step 1:
access-list CAP line 8 extended permit ip host 10.127.84.152 host 10.127.85.152
access-list CAP line 16 extended permit ip host 10.127.84.153 host 10.127.85.153
Step 2:
capture CAP interface all access-list CAP
Step 3:
capture CAP start
Step 4:
capture CAP stop
Step 5:
Copy capture CAP disk0:CAP
Step 6:
tftp the file CAP to the laptop and open in Wireshark -
Hi,
I want to capture packet on gi0/0 of PE1 in order to show customer that all his traffic is encapsulated and transmitted by L2VPN (ldp signaling) in his lab.
CE1-----------(g0/1)PE1(g0/0)------------PE2-----------CE2
PE1 and PE2 are Cisco3945 and L2VPN is working well. I tried cisco RITE(Router IP Traffic Export Packet Capture) feature, but the output was not what I expected. I tried both export mode and capture mode. Only LDP hello message I got, looks like RITE is only interested in IP packet. Monitor session wasn't effective as well because it is not a switch.
Is there any other way/workaround to capture customer's traffic encapsulated in L2VPN?
What I did on PE1 when I was trying RITE export mode:
ip traffic-export profile test
bidirectional
interface GigabitEthernet0/2
mac-address e411.5b44.3a6d
interface GigabitEthernet0/2
ip address 10.1.2.1 255.255.255.0
interface GigabitEthernet0/0
ip traffic-export apply test
Gi0/2 connected my PC(10.1.2.2) with wireshark installed.
Many thanks.
Regards,
Jerry Fan
Thanks Shivlu. I tried, but failed. 'monitor capture' is only interested in ipv4 and ipv6. Maybe the IOS in Cisco3945 isn't same as the IOS in Cat6500 or Cisco7600 or GSR/CSR.
See following:
===================================================================
Router_MPS_TEST_A#monitor capture ?
buffer Control Capture Buffers
point Control Capture Points
Router_MPS_TEST_A#monitor capture po
Router_MPS_TEST_A#monitor capture point ?
associate Associate capture point with capture buffer
disassociate Dis-associate capture point from capture buffer
ip IPv4
ipv6 IPv6
start Enable Capture Point
stop Disable Capture Point
Router_MPS_TEST_A#monitor capture point ip ?
cef IPv4 CEF
process-switched Process switched packets
Router_MPS_TEST_A#monitor capture point ip p
Router_MPS_TEST_A#monitor capture point ip process-switched ?
WORD Name of the Capture Point
Router_MPS_TEST_A#monitor capture point ip process-switched test-point ?
both Inbound and outbound and packets
from-us Packets originating locally
in Inbound packets
out Outbound packets
Router_MPS_TEST_A#monitor capture point ip process-switched test-point b
Router_MPS_TEST_A#monitor capture point ip process-switched test-point both ?
Router_MPS_TEST_A#monitor capture point ip process-switched test-point both
===================================================================
At last, I have to insert a switch in the middle of two cisco3945 and configured port span. That worked very well. Anyway, many thanks for your advice.
Jerry Fan -
Capture a keyboard event on af:panelGridLayout?
Hi,
<af:panelGridLayout> currently supports a client listener with mouse events.
But I have a requirement where I need to capture keyboard events.
I tried adding an invisible inputText component on the page and focus on it onclick of the panel.
My assumption was that when the inputText is on focus, it should be able to capture keyboard events even though its invisible.
This does not work. Please see code below. The "showAlert" javascript method never gets called.
<af:inputText clientComponent="true" visible="false" value="dummy" id="keyLink">
<af:clientListener method="showAlert" type="keyUp"/>
</af:inputText>
<af:panelGridLayout id="pgl3">
<af:clientListener method="toggleRowSelection" type="click"/>
</af:panelGridLayout>
Javascript code:
// keyUp handler attached to the hidden inputText
function showAlert(event) {
    alert("javascript event " + event.getKeyCode());
}
// click handler on the panel: move focus to the hidden inputText
function toggleRowSelection(event) {
    var source = event.getSource();
    var keyLink = source.findComponent("::keyLink");
    keyLink.focus();
    callServerMethod(event);
}
How do I achieve this?
-Anitha
"[email protected]" <[email protected]> wrote in message news:[email protected]..
I have figured out how to add menu Item to an existing EXE program, but I have not yet been able to figure out how to capture there events. Any help would be greatly appreciated.
It's not entirely clear what you are trying to achieve. I think you're trying to add menu items to an existing exe without recompiling it, from LabVIEW. If so the following applies.
You have to hook the winproc. When a menu item is selected, Windows sends a message to the window's winproc. There are some APIs that can be used to point the address of the winproc to another routine. This routine can do filtering, and then call the original routine.
Note that LabVIEW doesn't (or didn't until LV7) use Windows menus, so when a LabVIEW (or exe created with LabVIEW) menu item is called, Windows will not send anything. That is the price for platform independency.
I think the OpenG site (or perhaps Winutils from NI) has some VIs to hook Windows messages that are sent to LabVIEW. Perhaps you can also use them to hook another application.
Regards,
Wiebe. -
While capturing video shows up as Mp3..how do i fix this.
This is the third time this has happened to me. I now have a fairly new MacBook Pro and I've been capturing footage from a Sony Z1 camera via FireWire for months now. All of a sudden, while capturing, it shows up as mp3... can someone please help?
Hi john...while capturing ..I can see the file type says mp3... When I press escape or stop it does not give the option to save ....the save as box doesn't come up ...it just pauses like I was just playing it.
Sent from my iPad -
Trouble Capturing Packets with Embedded Packet Capture
Hi All,
I am trying to capture packets originating from a server to a host device across three switches:
server -- 6513 -- 3850 -- 3550 -- host A
I am doing a ping from the server to host A. The packet capture is being done on the 3850. This is my configuration:
access-list 100 permit icmp host 192.168.101.6 host 192.168.100.188
access-list 100 permit icmp host 192.168.100.188 host 192.168.101.6
end
monitor capture buffer TRACE
monitor capture buffer TRACE filter access-list 100
monitor capture point ip cef CAP g1/1/1 both
monitor capture point associate CAP TRACE
monitor capture point start CAP
I then issue a ping from the server to host A. Interface g1/1/1 is where the 6513 connects to the 3850. When I issue a show monitor capture buffer all parameters, there are no packets. If I remove the filter from the buffer I still do not see the packets.
Does anyone have any advice here?
I tried recreating the packet capture with no access-list filtering.
show mon cap buff all para
Capture buffer cap (circular buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : cap, Status : Active
Configuration:
monitor capture buffer cap circular
monitor capture point associate cap cap
interface GigabitEthernet1/1/1
description UPLINK TO 6513
switchport mode trunk
end
-
Embedded Packet Capture Feature on IOS
Hello, I have (4) 1841 routers and I am using c1841-adventerprisek9-mz.151-4.M7.bin IOS version.
What I would like to do is use the embedded capture feature and what I get at the terminal is:
R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#monitor ?
event-trace Tracing of system events
session Configure a SPAN session
Capture is not an option. I need help on how to get the full features to work....
Kind regards...
Hello.
The feature is supported on the platform/release.
You need to exit configuration mode to use it.
Please find details here - https://supportforums.cisco.com/document/139686/configuration-example-embedded-packet-capture-cisco-ios-and-ios-xe -
Packet Capture for VPN traffic
Hi Team,
Please help me to set ACL and capture for Remote Access VPN traffic.
Requirement is to see how much traffic is flowing from that Source IP.
Source : Remote Access VPN IP(Tunneled) 10.10.10.10
Destination : any
This is what I did which is not working
access-list VPN extended permit tcp host 10.10.10.10 any
capture CAP_VPN type raw-data access-list VPN interface OUTSIDE
Hello,
If you set up the capture with that access list, you are filtering just TCP traffic; therefore you won't be able to see UDP or ICMP traffic. I would recommend using the same ACL, though using IP:
access-list VPN extended permit ip host 10.10.10.10 any
Capture CAP_VPN access-list VPN interface outside
Then with:
show capture CAP_VPN
You will be able to see the packet capture on the ASA, though you can export the capture to a packet sniffer as follows:
https://<ip address of asa>/capture/<capname>/pcap capname-->CAP
For further details of captures you can find it on this link
Let me know if you could get the information you were trying to reach.
Please don't forget to rate and mark as correct the helpful Post!
David Castro,
Regards,