Packet capture via 'show events alert' on 4.1(4)

Greetings all. I have an IDSM2 running 4.1(4g). When looking at events via 'show events alert' I notice that some signatures have packet capture info and others do not. I am trying to figure out what determines this.
Example: Long SMTP Command (sigID 3109, subsigID 1) in 'show events alert' has packet capture info. I looked at the following:
1.
(config-vsc-virtualSensor)# SERVICE.SMTP
(config-vsc-virtualSensor-SER)# show settings
CapturePacket: False <defaulted>
2.
(config-vsc-virtualSensor)# SERVICE.SMTP
(config-vsc-virtualSensor-SER)# signatures siGID 3109
(config-vsc-virtualSensor-SER-sig)# show settings
CapturePacket: False <defaulted>
3.
(config-vsc-virtualSensor-SER)# signatures siGID 3109 subSig 1
(config-vsc-virtualSensor-SER-sig)# show settings
CapturePacket: False <defaulted>
=========
Again...trying to determine where/how the option to get packet capture for this sigID is set. Thanks for any help.

It looks like you are in the right place and checking the correct setting.
Were the alerts you are looking at generated during a period of time that CapturePacket had been set to True? Changing this setting will only affect new alerts being generated, and not old alerts previously stored on the sensor.
A few other things to check:
Try executing "show conf" and look for any tunings on Sig 3109.
There is a very small possibility of the config being out of sync. Doing a show conf should show you the config currently being used by the sensor.
Execute "show events" and verify that the SigID is 3109 and the SubSig is 1 or 0. If it is another subsig like 2, then you will need to separately edit the settings for that subsig.
Marco

Similar Messages

  • 5585X-IPS SSM40 Event alert

    Hello,
    ASA Firewall is running in Active/Active mode. Below is the configuration of the firewall and IPS SSM module.
    We are not getting event on IPS sensor when we type "show event alerts".
    IPS configuration:
    ++++++++++++++++++++++
    IPS1#
    IPS1# sh configuration
    ! Current configuration last modified Tue Jul 02 07:19:13 2013
    ! Version 7.1(1)
    ! Host:
    !     Realm Keys          key1.0
    ! Signature Definition:
    !     Signature Update    S552.0   2011-03-07
    service interface
    exit
    service authentication
    exit
    service event-action-rules rules0
    exit
    service host
    network-settings
    host-ip 10.15.1.58/28,10.15.1.57
    host-name IPS1
    telnet-option disabled
    access-list 0.0.0.0/0
    dns-primary-server disabled
    dns-secondary-server disabled
    dns-tertiary-server disabled
    exit
    time-zone-settings
    offset 60
    standard-time-zone-name GMT+03:00
    exit
    exit
    service logger
    exit
    service network-access
    exit
    service notification
    exit
    service signature-definition sig0
    exit
    service ssh-known-hosts
    exit
    service trusted-certificates
    exit
    service web-server
    exit
    service anomaly-detection ad0
    exit
    service external-product-interface
    exit
    service health-monitor
    exit
    service global-correlation
    exit
    service analysis-engine
    virtual-sensor vs1
    description virtual-sensor-1
    anomaly-detection
    operational-mode learn
    exit
    physical-interface PortChannel0/0
    exit
    exit
    IPS1#
    ASA in system mode
    +++++++++++++++++++++++++++++++++++++++
    ASA-1/act/pri# sh run
    : Saved
    ASA Version 9.1(1) <system>
    hostname ASA-1
    enable password u14FkAnxI.kNNH7a encrypted
    no mac-address auto
    interface GigabitEthernet0/0
    description LAN Failover Interface
    interface GigabitEthernet0/1
    description STATE Failover Interface
    interface GigabitEthernet0/2
    interface GigabitEthernet0/3
    interface GigabitEthernet0/4
    shutdown
    interface GigabitEthernet0/5
    shutdown
    interface Management0/0
    interface Management0/1
    interface TenGigabitEthernet0/6
    channel-group 20 mode active
    interface TenGigabitEthernet0/7
    channel-group 20 mode active
    interface TenGigabitEthernet0/8
    channel-group 10 mode active
    interface TenGigabitEthernet0/9
    channel-group 10 mode active
    interface GigabitEthernet1/0
    shutdown
    interface GigabitEthernet1/1
    shutdown
    interface GigabitEthernet1/2
    shutdown
    interface GigabitEthernet1/3
    shutdown
    interface GigabitEthernet1/4
    shutdown
    interface GigabitEthernet1/5
    shutdown
    interface TenGigabitEthernet1/6
    shutdown
    interface TenGigabitEthernet1/7
    shutdown
    interface TenGigabitEthernet1/8
    shutdown
    interface TenGigabitEthernet1/9
    shutdown
    interface Port-channel10
    interface Port-channel10.96
    description "Inside-CTX-1"
    vlan 96
    interface Port-channel10.97
    description "Inside-CTX-2"
    vlan 97
    interface Port-channel20
    interface Port-channel20.98
    description "Outside-CTX-1"
    vlan 98
    interface Port-channel20.99
    description "Outside-CTX-2"
    vlan 99
    class default
      limit-resource All 0
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
    boot system disk0:/asa911-smp-k8.bin
    ftp mode passive
    pager lines 24
    failover
    failover lan unit primary
    failover lan interface FOL GigabitEthernet0/0
    failover link STATEFULL-LINK GigabitEthernet0/1
    failover interface ip FOL 10.15.1.33 255.255.255.252 standby 10.15.1.34
    failover interface ip STATEFULL-LINK 10.15.1.37 255.255.255.252 standby 10.15.1.38
    failover group 1
      preempt
    failover group 2
      secondary
      preempt
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    console timeout 0
    tls-proxy maximum-session 1000
    admin-context admin
    context admin
      allocate-ips vs0 adminvs0
      config-url disk0:/admin.cfg
    context arm-1
      description ARM-1
      allocate-interface Management0/0 MGT
      allocate-interface Port-channel10.96 inside
      allocate-interface Port-channel20.98 outside
      allocate-ips vs1 arm-1vs1
      config-url disk0:/arm-1_Context.cfg
      join-failover-group 1
    context arm-2
      description ARM-2
      allocate-interface Management0/1 MGT
      allocate-interface Port-channel10.97 inside
      allocate-interface Port-channel20.99 outside
      allocate-ips vs1 arm-2vs1
      config-url disk0:/arm-2_Context.cfg
      join-failover-group 2
    prompt hostname context state priority
    no call-home reporting anonymous
    Cryptochecksum:ad532251aad3ca65f6da8f1ff0762816
    ASA in one arm context mode
    +++++++++++++++++++++++++++++++++++++++
    ASA-1/arm-1/act/pri# sh run
    : Saved
    ASA Version 9.1(1) <context>
    firewall transparent
    hostname arm-1
    enable password u14FkAnxI.kNNH7a encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface BVI1
    ip address 10.15.1.57 255.255.255.240
    interface MGT
    management-only
    nameif management
    security-level 0
    ip address 10.14.1.9 255.255.255.0 standby 10.14.1.10
    interface inside
    nameif inside
    bridge-group 1
    security-level 100
    interface outside
    nameif outside
    bridge-group 1
    security-level 0
    access-list global extended permit ip any any
    access-list out extended permit ip any any
    access-list in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    monitor-interface inside
    monitor-interface outside
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group in in interface inside
    access-group out in interface outside
    route inside 10.0.0.0 255.255.0.0 10.15.1.51 1
    route inside 10.0.10.45 255.255.255.255 10.15.1.51 1
    route outside 10.11.0.0 255.255.0.0 10.15.1.53 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    no threat-detection statistics tcp-intercept
    username admin password fMQ/rjnxl9Vwe9mv encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    class-map any
    match access-list global
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map IPS
    class any
      ips promiscuous fail-open sensor arm-1vs1
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    service-policy IPS interface outside
    Cryptochecksum:00b87b7c25f21d91cf5b90cb18c4d745
    : end
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Why are we not able to see any events on the IPS, given that MPF is configured on the ASA and that ACL is getting hit counts?
    Regards,

    In the CLI enter the following command to see if any signatures are triggering, it could just be that you haven't had the right combination of signatures trigger to cause an actual event:
    show stat virtual-sensor | begin Per-Signature
    You could also enable Signature 2000 and that will usually generate events in a short time to ensure you have traffic configured correctly for inspection by the IDS.

  • Can we capture the show/hide layer event in PS?

    Hi All..!!!
    I have a query to all Photoshop coders! Can we capture the click event of show/hide layers in Photoshop..? I needed to know in my code when the user has clicked the show/hide layer eye..!!
    Pls answer soon..!!
    Thanks!

    http://forums.adobe.com/thread/858391?tstart=0

  • Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

    With Rahul Rammanohar 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
    In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
    •       7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
    •       ASR9k: network processor capture
    •       7200/ISRs: embedded packet capture
    •       Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
    •       Cisco Nexus 7K: ELAM
    •       CRS: show captured packets
    •       ASR1K: embedded packet capture
    More Information
    Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
    Watch the Video:  https://supportforums.cisco.com/videos/6226
    Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service. 
    Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
    Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.  
    Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Erick
    Thanks for the topology. The trigger will be different for labelled packets, as you would need to mention the values of the labels too in the trigger.
    Below are two examples of one or two labels being used. It depends on where you are capturing the packet in the mplsvpn scenario, which will decide the number of labels being imposed on the packet.
    Trigger for one label. (if the router on which you are capturing the packet PHP is being performed)
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    Trigger for two labels. (for other core routers)
    IGP label - 1234
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    You can check the labels being used (by using show ip cef <> details), convert their values to hex and change the trigger accordingly.
    I have changed the colors for better understanding. If you look carefully at the trigger, the values for the IP addresses and labels have just been converted to their respective hex values, which can be replaced.
         Please let me know if this helps.
    Thanks & Regards
    Hitesh & Rahul
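The hex conversion described in the reply above, as an added example that is not part of the original post or of Cisco's tooling: it packs the labels and addresses into 32-bit data and mask words and reproduces both triggers. The word layout (three unmatched leading words, an untagged frame, the label stack directly after EtherType 0x8847) is inferred from those two triggers and is an assumption, and the function names are hypothetical.

```python
import ipaddress

MPLS_ETHERTYPE = 0x8847   # EtherType for MPLS unicast
LEADING_BYTES = 12        # assumption: the three unmatched words that open both triggers
IPV4_SRC_OFFSET = 12      # source address offset inside the IPv4 header


def build_trigger_words(labels, src_ip, dst_ip):
    """Return (data, mask) as lists of 32-bit words for a labelled IPv4 packet."""
    if not labels:
        raise ValueError("at least one MPLS label is required")
    data = bytearray(LEADING_BYTES)
    mask = bytearray(LEADING_BYTES)

    data += MPLS_ETHERTYPE.to_bytes(2, "big")
    mask += b"\xff\xff"

    for label in labels:
        if not 0 <= label <= 0xFFFFF:
            raise ValueError(f"label {label} does not fit in 20 bits")
        # Label stack entry: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL.
        # Only the label bits are matched; TC, S and TTL stay masked out.
        data += (label << 12).to_bytes(4, "big")
        mask += (0xFFFFF << 12).to_bytes(4, "big")

    # IPv4 header bytes before the source address are not matched.
    data += bytes(IPV4_SRC_OFFSET)
    mask += bytes(IPV4_SRC_OFFSET)
    for ip in (src_ip, dst_ip):
        data += ipaddress.IPv4Address(ip).packed
        mask += b"\xff" * 4

    # Pad to a whole number of 32-bit words.
    pad = -len(data) % 4
    data += bytes(pad)
    mask += bytes(pad)

    def to_words(buf):
        return [int.from_bytes(buf[i:i + 4], "big") for i in range(0, len(buf), 4)]

    return to_words(data), to_words(mask)


def format_trigger(labels, src_ip, dst_ip):
    """Render the words in the same style as the triggers quoted on the page."""
    data, mask = build_trigger_words(labels, src_ip, dst_ip)
    d = " ".join(f"0x{w:08X}" if w else "0" for w in data)
    m = " ".join(f"0x{w:08x}" if w else "0" for w in mask)
    return f"show platform capture elam trigger dbus others if data = {d} [ {m} ]"


def decode_trigger_words(data):
    """Recover (labels, src_ip, dst_ip) from data words, to check a trigger by eye."""
    raw = b"".join(w.to_bytes(4, "big") for w in data)
    n_labels = len(data) - 9  # 34 fixed bytes + 4 per label, padded to whole words
    if n_labels < 1 or int.from_bytes(raw[12:14], "big") != MPLS_ETHERTYPE:
        raise ValueError("not an MPLS trigger in the assumed layout")
    labels = [int.from_bytes(raw[14 + 4 * i:18 + 4 * i], "big") >> 12
              for i in range(n_labels)]
    ip = 14 + 4 * n_labels + IPV4_SRC_OFFSET
    src = str(ipaddress.IPv4Address(raw[ip:ip + 4]))
    dst = str(ipaddress.IPv4Address(raw[ip + 4:ip + 8]))
    return labels, src, dst


if __name__ == "__main__":
    # Values from the post: VPN label 5678, IGP label 1234.
    print(format_trigger([5678], "111.111.111.111", "123.123.123.123"))
    print(format_trigger([1234, 5678], "111.111.111.111", "123.123.123.123"))
```

The label stack is passed outermost first, so the two-label case is `[1234, 5678]` (IGP label, then VPN label).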

  • Pulling packet capture from IPS device

    I work for a MSP (Managed Services Provider), we currently are evaluating CSM for mgt of 50 IPS/IDSM devices. To make analysis more effective, want to be able to pull the packet capture from the device. We have our own correlation engine, so we do not need MARS. We want to grab the packet and then put a copy into our ticketing system so the analyst has the data right in front of them.
    Is the IP Log directory where the packet capture data is kept? Has anyone ever tried this before? What are the performance/health concerns with enabling packet captures for just high signatures? Does the IP log directory really "clean" itself out after a certain period of time?

    There are 4 event actions that can be used to capture packets.
    The produce-verbose-alert event action will encode the trigger packet as part of the alert itself. So with this event action the packet is already included in the alerts you are already pulling off the sensor. You just need to modify your tool to strip off this packet, decode it, and then add it to your ticketing system at the same time as you add the alert.
    This is where I would start.
    Using the produceVerboseAlert uses very little additional sensor resources. It has only a very small effect on sensor performance. Because each alert will be larger than normal it will reduce the total number of alerts that can be stored in the sensor's eventstore. But if your application is actively subscribing for these events, then the reduction in total number of alerts stored on the sensor should not cause you any issues. So adding this for all High alerts would be a good practice.
    The other 3 event actions are log-attacker-packets, log-pair-packets, and log-victim-packets. These event actions will trigger an IP Log (packet log) to be created (or increase the time for capture on an existing IP Log).
    The IP Log system is a collection of numbered files on the sensor. As event actions trigger new IP Logs to be created the sensor will pick one of those numbered files and begin writing packets to that file. The sensor retains an internal mapping of what packets are being written to each file. If no empty files exist, then the sensor will automatically overwrite the oldest IP Log file with the new IP Log file. Larger platforms have up to 512 of these numbered files, and smaller platforms may have as few as 128 or even 64 of these numbered files. Each file is 1 Megabyte in size and usually stored in RAM memory. With the limited number of files, the storage of these logs on the sensor is very short term. And so should be pulled off the sensor as soon as possible (just like what you are planning to implement). The sensor also has a usual limit of only writing 20 IP Log files at any one time.
    With these limitations on the IP Log files they should be used sparingly. Configuring too many signatures or signatures that trigger often with these event actions can lead to problems. The IP Logs could easily be overwritten by newer IP Logs being triggered, and/or more than 20 could be requested at any one time which means some alerts won't be able to have an IP Log created.
    So IP Logging event actions should be limited to only those alerts where the additional data is mandatory.
    Also understand that IP Logging can have a negative impact on sensor performance. If you plan on using IP Logging often, then consider using a sensor rated for higher speeds than what you will be monitoring.

  • IPS packet captures-disk space

    I have been doing packet captures on High and Medium events and in the IME there is no obvious way to delete old captures. They don't take up a lot of space but I wanted to know if there is a way to view the disk capacity on the IPS and how I can delete old capture files from the IPS.

    Hi Jason,
    The ip logging functionality stores the logs in a circular buffer, so there is no need (and no supported way) to delete/manage the old log files - they will be overwritten when new logs necessitate it.
    All of the information on ip logging can be found here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ip_logging.html#wp1030704
    Also, unless you have a specific need for full stream captures for all high/medium events, you can use the "Produce Verbose Alert" action instead of the ip logging actions to capture the offending packet with significantly less resource utilization per alert.
    -JT

  • Empty pcap file with Embedded Packet Capture

    Hello,
    I have configured the EPC in my CISCO 2901 CUBE for monitoring VOIP traffic.
    #First I configure the type of traffic I want to filter
    access-list 110 permit tcp any any eq 5060
    access-list 110 permit tcp any any eq 5061
    access-list 110 permit udp any any eq 5060
    access-list 110 permit udp any any eq 5061
    #Then my buffer (too big, I know..)
    monitor capture buffer buff-SIP5 size 2048 max-size 9500
    # I apply the access-list to the buffer
    monitor capture buffer buff-SIP5 filter access-list 110
    # Define the capture point, both interfaces, IN and OUT..
    monitor capture point ip cef SIP5 all both 
    #Associate capture point with buffer
    monitor capture point associate SIP5 buff-SIP5
    #Start the capture
    monitor capture point start SIP5
    #Stop it..
    monitor capture point stop SIP5
    #Check if you have what you need
    show monitor cap buffer buff-SIP5 dump
    #Export it using scp
    monitor capture buffer buff-SIP5 export scp://[email protected]:/SIP5.pcap
    I would like some help with these two issues:
    1) When I export it, my pcap file is empty...yet when I do a dump, I can see everything I need
    2) If I don't apply the access-list filter, I can see the SIP messages in the pcap file. However, I cannot see the messages that the SBC sends, only the ones that it receives.
    Thanks in advance,
    Gabriel


  • How to display date for each packet in a Cisco ASA packet capture

    Hello,
    Quick question...On a Cisco ASA (v8.2) how does one show the date of each packet in a packet capture?
    When performing a packet capture from CLI you can do a "show capture testcapture" command and you can see that the time is at the beginning of each packet but how does one view the date as well as the time for each packet?  I know you can export the packet capture and it will show the date & time in wireshark but sometimes for just quick and dirty capture I'd like to view the capture from the CLI on the ASA itself without doing an export. 
    Sample capture below.  Time is displayed but not the date of the packet capture.  Issuing command "sh cap test detail" doesn't show the date either.  I checked on an ASA running v9 and it also doesn't show the date in the packet capture.
    ASA5505# sh cap test
       1: 08:51:56.112085 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x:  udp 404
       2: 08:52:18.111871 802.1Q vlan#12 P0 10.150.40.240.29082 > x.x.x.x.53:  udp 37
       3: 08:52:18.165366 802.1Q vlan#12 P0 y.y.y.y.53 > 10.150.40.240.29082:  udp 53
       4: 08:52:32.129235 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x4.500:  udp 404
       5: 08:52:37.111627 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
       6: 08:52:49.111490 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
    Thanks for any help.
    Joe

    Hi,
    I would suggest copying the capture from the ASA to some local host and opening the capture file with Wireshark to view the information
    For example
    copy /pcap capture:test tftp://x.x.x.x/test.pcap
    This should copy the current data in the capture to the mentioned location with the mentioned filename.
    I personally view the captures on the ASA CLI only if I am just confirming that some traffic comes to the firewall or when I am checking what happens to a TCP connection that cannot be formed. It's a lot easier to go through bigger captures by copying them from the ASA and viewing them with actual software meant for that purpose.
    Hope this helps :)
    - Jouni

  • ACE Packet capture

    Hi, I have tried to do a packet capture on the ACE by following this doc -
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting#Capturing_Packets_in_Real_Time
    Issue is, the output is displayed in a hexa-decimal format (In red below) -
    ACE1# show capture CAP2414 detail
    0001: msg_type: PKT_RCV
    ace_id: 18173           action_flag: 0x13
    src_addr: 10.127.84.153            src_port: 58653
    dst_addr: 10.127.85.153            dst_port: 14109
    l3_protocol: 0          l4_protocol: 6
    message_hex_dump:
    0x0000: 0007 0104 0000 46fd 0000 0000 0a7f 5499  ......F.......T.
    0x0010: 0a7f 5599 0609 0033 e51d 371d 0000 0000  ..U....3..7.....
    0x0020: 0104 0000 05b4 0000 0000 46fd 1300 0000  ..........F.....
    0x0030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0040: 0000 0000 0000 0001                      ........
    Even if I copy the CAP file to my laptop and open it in wireshark, I only see it showing source and destination MACs. (File attached)
    Can anyone please advise??

    Hi Kanwaljeet, the steps are -
    Step 1:
    access-list CAP line 8 extended permit ip host 10.127.84.152 host 10.127.85.152
    access-list CAP line 16 extended permit ip host 10.127.84.153 host 10.127.85.153
    Step 2:
    capture CAP interface all access-list CAP
    Step 3:
    capture CAP start
    Step 4:
    capture CAP stop
    Step 5:
    Copy capture CAP disk0:CAP
    Step 6:
    tftp the file CAP to the laptop and open in Wireshark

  • MPLS L2VPN packet capture

    Hi,
    I want to capture packet on gi0/0 of PE1 in order to show customer that all his traffic is encapsulated and transmitted by L2VPN (ldp signaling) in his lab.
    CE1-----------(g0/1)PE1(g0/0)------------PE2-----------CE2
    PE1 and PE2 are Cisco3945 and L2VPN is working well. I tried cisco RITE(Router IP Traffic Export Packet Capture) feature, but the output was not what I expected. I tried both export mode and capture mode. Only LDP hello message I got, looks like RITE is only interested in IP packet. Monitor session wasn't effective as well because it is not a switch.
    Is there any other way/workaround to capture customer's traffic encapsulated in L2VPN?
    What I did on PE1 when I was trying RITE export mode:
    ip traffic-export profile test
    bidirectional
    interface GigabitEthernet0/2
    mac-address e411.5b44.3a6d
    interface GigabitEthernet0/2
    ip address 10.1.2.1 255.255.255.0
    interface GigabitEthernet0/0
    ip traffic-export apply test
    Gi0/2 connected my PC(10.1.2.2) with wireshark installed.
    Many thanks.
    Regards,
    Jerry Fan

    Thanks Shivlu. I tried, but failed. 'monitor capture' is only interested in ipv4 and ipv6. Maybe the IOS in Cisco3945 isn't same as the IOS in Cat6500 or Cisco7600 or GSR/CSR.
    See following:
    ===================================================================
    Router_MPS_TEST_A#monitor capture ?    
      buffer  Control Capture Buffers
      point   Control Capture Points
    Router_MPS_TEST_A#monitor capture po
    Router_MPS_TEST_A#monitor capture point ?
      associate     Associate capture point with capture buffer
      disassociate  Dis-associate capture point from capture buffer
      ip            IPv4
      ipv6          IPv6
      start         Enable Capture Point
      stop          Disable Capture Point
    Router_MPS_TEST_A#monitor capture point ip ?
      cef               IPv4 CEF
      process-switched  Process switched packets
    Router_MPS_TEST_A#monitor capture point ip p
    Router_MPS_TEST_A#monitor capture point ip process-switched ?
      WORD  Name of the Capture Point
    Router_MPS_TEST_A#monitor capture point ip process-switched test-point ?
      both     Inbound and outbound and packets
      from-us  Packets originating locally
      in       Inbound packets
      out      Outbound packets
    Router_MPS_TEST_A#monitor capture point ip process-switched test-point b
    Router_MPS_TEST_A#monitor capture point ip process-switched test-point both ?
    Router_MPS_TEST_A#monitor capture point ip process-switched test-point both
    ===================================================================
    At last, I have to insert a switch in the middle of two cisco3945 and configured port span. That worked very well. Anyway, many thanks for your advice.
    Jerry Fan

  • Capture a keyboard event on af:panelGridLayout?

    Hi,
    <af:panelGridLayout> currently supports a client listener with mouse events.
    But I have a requirement where I need to capture keyboard events.
    I tried adding an invisible inputText component on the page and focus on it onclick of the panel.
    My assumption was that when the inputText is on focus, it should be able to capture keyboard events even though its invisible.
    This does not work. Please see code below. The "showAlert" javascript method never gets called.
    <af:inputText clientComponent="true" visible="false" value="dummy" id="keyLink">
         <af:clientListener method="showAlert" type="keyUp"/>
    </af:inputText>
    <af:panelGridLayout id="pgl3">
        <af:clientListener method="toggleRowSelection" type="click"/>
    </af:panelGridLayout>
    Javascript code:
    function showAlert(event) {
        alert("javascript event " + event.getKeyCode());
    }
    function toggleRowSelection(event) {
        var source = event.getSource();
        var keyLink = source.findComponent("::keyLink");
        keyLink.focus();
        callServerMethod(event);
    }
    How do I achieve this?
    -Anitha

    "[email protected]" <[email protected]> wrote in message news:[email protected]..
    I have figured out how to add menu items to an existing EXE program, but I have not yet been able to figure out how to capture their events. Any help would be greatly appreciated.
    It's not entirely clear what you are trying to achieve. I think you're trying to add menu items to an existing exe without recompiling it, from LabVIEW. If so the following applies.
    You have to hook the winproc. When a menu item is selected, windows sends a message to the window's winproc. There are some APIs that can be used to point the address of the winproc to another routine. This routine can do filtering, and then call the original routine.
    Note that LabVIEW doesn't (or didn't until LV7) use windows menus, so when a LabVIEW (or exe created with LabVIEW) menu item is called, windows will not send anything. That is the price for platform independency.
    I think the OpenG site (or perhaps Winutils from NI) has some VIs to hook windows messages that are sent to LabVIEW. Perhaps you can also use them to hook another application.
    Regards,
    Wiebe.

  • While capturing video shows up as Mp3..how do i fix this.

    This is the third time this has happened to me. I now have a fairly new MacBook Pro, and I've been capturing footage from a Sony Z1 camera via FireWire for months now. All of a sudden, while capturing, it shows up as mp3... can someone please help?

    Hi john...while capturing ..I can see the file type says mp3... When I press escape or stop it does not give the option to save ....the save as box doesn't come up ...it just pauses like I was just playing it.
    Sent from my iPad

  • Trouble Capturing Packets with Embedded Packet Capture

    Hi All,
    I am trying to capture packets originating from a server to a host device across three switches:
    server -- 6513 -- 3850 -- 3550 -- host A
    I am doing a ping from the server to host A. The packet capture is being done on the 3850. This is my configuration:
    access-list 100 permit icmp host 192.168.101.6 host 192.168.100.188
    access-list 100 permit icmp host 192.168.100.188 host 192.168.101.6
    end
    monitor capture buffer TRACE
    monitor capture buffer TRACE filter access-list 100
    monitor capture point ip cef CAP g1/1/1 both
    montior capture point associate CAP TRACE
    monitor capture point start CAP
    I then issue a ping from the server to host A. Interface g1/1/1 is where the 6513 connects to the 3850. When I issue a show monitor capture buffer all parameters, there are no packets. If I remove the filter from the buffer I still do not see the packets.
    Does anyone have any advice here?

    I tried recreating the packet capture with no access-list filtering.
    show mon cap buff all para
    Capture buffer cap (circular buffer)
    Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 0
    Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
    Associated Capture Points:
    Name : cap, Status : Active
    Configuration:
    monitor capture buffer cap circular
    monitor capture point associate cap cap
    interface GigabitEthernet1/1/1
     description UPLINK TO 6513
     switchport mode trunk
    end

  • Embedded Packet Capture Feature on IOS

    Hello, I have (4) 1841 routers and I am using c1841-adventerprisek9-mz.151-4.M7.bin IOS version.
    What I would like to do is use the embedded capture feature and what I get at the terminal is:
    R4#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R4(config)#monitor ?
      event-trace  Tracing of system events
      session      Configure a SPAN session
    Capture is not an option. I need help on how to get the full features to work....
    Kind regards...

    Hello.
    The feature is supported on the platform/release.
    You need to exit configuration mode to use it.
    Please find details here - https://supportforums.cisco.com/document/139686/configuration-example-embedded-packet-capture-cisco-ios-and-ios-xe

  • Packet Capture for VPN traffic

    Hi Team,
    Please help me to set ACL and capture for Remote Access VPN traffic.
    Requirement is to see how much traffic is flowing from that Source IP.
    Source : Remote Access VPN IP(Tunneled) 10.10.10.10
    Destination : any
    This is what I did which is not working
    access-list VPN extended permit tcp host 10.10.10.10 any
    capture CAP_VPN type raw-data access-list VPN interface OUTSIDE

    Hello,
    If you set up the capture with that access list, you are filtering just TCP traffic, so you won't be able to see UDP or ICMP traffic. I would recommend using the same ACL, but with IP:
    access-list VPN extended permit ip host 10.10.10.10 any
    capture CAP_VPN access-list VPN interface outside
    Then with:
    show capture CAP_VPN
    You will be able to see the packet capture on the ASA, though you can export the capture to a packet sniffer as follows:
      https://<ip address of asa>/capture/<capname>/pcap   capname-->CAP
    For further details of captures you can find it on this link
    Let me know if you could get the information you were trying to reach.
    Please don't forget to rate and mark as correct the helpful post!
    David Castro,
    Regards,
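The reply above points out that a `permit tcp` capture ACL hides UDP and ICMP from the capture. As an added example (not part of the original thread), this Python code totals bytes per IP protocol sent by the VPN address in a capture exported from the ASA as pcap. The function names and the constructed sample frames are assumptions, as is an Ethernet link type in the exported file.

```python
import struct
from collections import Counter

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def bytes_by_protocol(pcap: bytes, src_ip: str) -> Counter:
    """Sum IPv4 total-length bytes per protocol for packets sent by src_ip."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type (assumption for this example)")
    want = bytes(int(o) for o in src_ip.split("."))
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip non-IPv4 frames and frames cut off before the IPv4 header ends.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        if ip[12:16] == want:
            totals[PROTO.get(ip[9], str(ip[9]))] += struct.unpack("!H", ip[2:4])[0]
    return totals

def _frame(src, dst, proto, payload_len):
    """Constructed Ethernet+IPv4 frame (checksum left zero; sample data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def _pcap(frames):
    """Wrap frames in a little-endian classic pcap file with link type 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: three packets from the VPN client, one reply towards it.
SAMPLE = _pcap([
    _frame("10.10.10.10", "192.0.2.5", 6, 100),
    _frame("10.10.10.10", "192.0.2.53", 17, 40),
    _frame("10.10.10.10", "192.0.2.5", 1, 8),
    _frame("192.0.2.5", "10.10.10.10", 6, 500),
])
```

On the constructed sample, a TCP-only ACL would have recorded 120 of the 208 bytes sent by 10.10.10.10; the UDP and ICMP packets only appear with `permit ip`.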
