Debug command

Answered Question
Feb 21st, 2007

Any manual on how to use the debug command specific to a packet or IP address? It takes a lot of memory if I run that randomly.

vitripat Thu, 02/22/2007 - 03:45

Debug command was the old way of capturing the packets. This command has been deprecated in 7.x versions. There is a better way available to capture the packets. For that we can use the "capture" command. Here is an example-

Suppose there is a host a.a.a.a on the inside interface of PIX/ASA and I need to capture all the outbound packets from this host. For this, I can apply captures using the following commands-

-> access-list capi permit ip host a.a.a.a any

-> capture cpi access-list capi buffer 1000000 packet-length 1518 interface inside

Using access-list gives me more strength and granularity to capture only the packets I need. Later I use that access-list in the capture command. To download the capture files, I need to point my browser to-

https://interface_ip/capture/cpi/pcap

(assuming PDM/ASDM is installed)

You can also use "copy" command to transfer the capture file to a tftp server.

Link for capture command-

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/c.htm#wp1950270

Link for copy command-

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/c.htm#wp1970556

Hope this is helpful.

Regards,

Vibhor.
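
As an added example (not part of the original post and not Cisco code), this Python script audits a downloaded capture file: it counts frames, flags frames cut short by a packet-length smaller than the frame, and lists any IPv4 source that does not match the host in the capture ACL. It assumes the file is classic libpcap with untagged Ethernet framing; the sample bytes and the address 10.0.0.5 (standing in for a.a.a.a) are constructed.

```python
import socket
import struct

def build_sample_pcap(snaplen=1518):
    """Constructed sample: classic pcap, Ethernet link type, three IPv4 frames."""
    def frame(src, dst, payload_len, caplen=None):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        data = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len
        cap = data[:caplen] if caplen else data
        return struct.pack("<IIII", 0, 0, len(cap), len(data)) + cap
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    return (header + frame("10.0.0.5", "192.0.2.10", 40)
            + frame("10.0.0.5", "192.0.2.20", 1400, caplen=68)  # truncated frame
            + frame("10.0.0.9", "192.0.2.10", 40))              # source outside the ACL

def audit_capture(pcap_bytes, expected_src):
    """Count frames, truncated frames, and IPv4 sources other than expected_src."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("expected Ethernet link type")
    result = {"frames": 0, "truncated": 0, "off_filter": []}
    offset = 24  # first record follows the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        _, _, caplen, origlen = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        data = pcap_bytes[offset + 16: offset + 16 + caplen]
        offset += 16 + caplen
        result["frames"] += 1
        if caplen < origlen:  # packet-length cut the frame short
            result["truncated"] += 1
        # IPv4 over untagged Ethernet: ethertype at byte 12, source IP at bytes 26-29
        if len(data) >= 34 and data[12:14] == b"\x08\x00":
            src = socket.inet_ntoa(data[26:30])
            if src != expected_src:
                result["off_filter"].append(src)
    return result

if __name__ == "__main__":
    print(audit_capture(build_sample_pcap(), "10.0.0.5"))
```
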

sivakumar.ks Thu, 02/22/2007 - 19:23

Hi ,

Thanks for your response. Do we need to apply the access-list exclusively to an interface? Is the above access-list capi independent of the existing access-list?

Regards,

siva

Correct Answer
vitripat Thu, 02/22/2007 - 20:02

We don't need to apply this access-list on any interface. It is completely independent of existing access-lists on the device. The sole purpose of these ACLs is to match the traffic we need to capture by using them in the capture command.
