I have several IPS devices (4250 and IDSM2). I am trying to capture some specific live data. I am using the packet display command. When I add the expression command to the IDSM2, I get no data displayed versus a similar command on the 4250 displays data as expected. The command I am using is...
packet display gi0/7 expression host 10.10.0.1
On the IDSM2, if I omit the expression (display all), plenty of data is captured (too much).
Is there something about the IDSM that does not display/handle expressions? The 4250 and IDSM2 are running the same version 6.0 sig level 302.
Thanks for the help.
The typical difference between a 4250 and IDSM-2 is that the IDSM-2 typically monitors 802.1q trunk packets while the 4250 generally sees packets without 802.1q trunk headers (connected to an access port rather than a trunk port).
If the 4250 had also been receiving 802.1q trunk packets then the same issue would also be seen on the 4250.
The problem is that the filter is being applied without taking into account the trunk header, and so the packets are not being seen as IP packets and the IP Address is not in the position in the packet where the filter is expecting it.
So you need to add the following at the front of your filter: "vlan and". This tells the filter to expect an 802.1q trunk header and look for the IP header after that.
So for your command you would use:
"packet display Gi0/7 expression vlan and host 10.10.0.1"
NOTE: You can extend this further and even limit the filtering to a specific vlan by adding the vlan number after the vlan option.
"packet display Gi0/7 expression vlan 201 and host 10.10.0.1"
So the cause is not unique to the IDSM-2 (it affects all sensors monitoring trunk packets), and is not unique to a software version.
It is a limitation in how filters work within the packet command.
The packet command is actually just a CLI wrapper around tcpdump, and so the expression is passed to tcpdump. The limitation is in how tcpdump's filters work.
You can search the web for more information on the filters within tcpdump. You will see a similar limitation also exists for filtering mpls packets.
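As an added illustration of the mechanism described in the reply above (this is example code written for this page, not from the original thread, Cisco, or libpcap): a "host" filter on an untagged Ethernet frame reads the EtherType at byte 12 and the IPv4 header from byte 14, but an 802.1Q tag inserts four extra bytes there, so the IP addresses are no longer where the filter looks. Prefixing "vlan" (optionally with a VLAN number) tells the filter to expect the tag and shift its offsets. The script below builds two constructed frames, one untagged (as a 4250 on an access port would see) and one tagged with VLAN 201 (as an IDSM-2 on a trunk would see), and models the offset logic of "host 10.10.0.1" versus "vlan and host 10.10.0.1" and "vlan 201 and host 10.10.0.1" in plain Python rather than compiled BPF. The MAC addresses, the 192.0.2.10 peer and the VLAN IDs are made-up sample values.

```python
"""Model of why 'host X' misses 802.1Q-tagged frames unless the BPF
expression starts with 'vlan'. Added example; constructed sample frames."""
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Construct a minimal Ethernet/IPv4 frame (sample data, no payload).

    With vlan_id set, a 4-byte 802.1Q tag (TPID 0x8100 + TCI) is inserted
    between the source MAC and the real EtherType, exactly as a trunk port
    would deliver it to the sensor."""
    dst_mac = bytes.fromhex("001122334455")   # constructed sample MAC
    src_mac = bytes.fromhex("66778899aabb")   # constructed sample MAC
    # 20-byte IPv4 header: ver/IHL, TOS, total len, ID, flags/frag,
    # TTL, proto (17 = UDP), checksum (left 0, not verified here), src, dst.
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
    tci = vlan_id & 0x0FFF                     # priority 0, DEI 0, VID
    return (dst_mac + src_mac
            + struct.pack("!HH", ETHERTYPE_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr)


def host_filter(frame, host, expect_vlan=False, vlan_id=None):
    """Mimic the offset logic of 'host X' (expect_vlan=False),
    'vlan and host X' (expect_vlan=True) and 'vlan N and host X'."""
    off = 12                                   # EtherType of an untagged frame
    if expect_vlan:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid != ETHERTYPE_8021Q:
            return False                       # 'vlan' requires a tag
        if vlan_id is not None and (tci & 0x0FFF) != vlan_id:
            return False                       # wrong VLAN number
        off += 4                               # skip the tag, as 'vlan' does
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype != ETHERTYPE_IPV4:
        # Without 'vlan', a tagged frame shows TPID 0x8100 here, so the
        # filter concludes "not IP" and never compares addresses.
        return False
    ip_off = off + 2
    src = ipaddress.IPv4Address(frame[ip_off + 12:ip_off + 16])
    dst = ipaddress.IPv4Address(frame[ip_off + 16:ip_off + 20])
    want = ipaddress.IPv4Address(host)
    return src == want or dst == want


def demo(target="10.10.0.1"):
    """Run the thread's scenario and return each filter's verdict."""
    untagged = build_frame(target, "192.0.2.10")            # 4250, access port
    tagged = build_frame(target, "192.0.2.10", vlan_id=201)  # IDSM-2, trunk
    return {
        "4250 untagged, 'host'": host_filter(untagged, target),
        "IDSM-2 tagged, 'host'": host_filter(tagged, target),
        "IDSM-2 tagged, 'vlan and host'": host_filter(tagged, target, expect_vlan=True),
        "IDSM-2 tagged, 'vlan 201 and host'": host_filter(tagged, target, True, 201),
        "IDSM-2 tagged, 'vlan 100 and host'": host_filter(tagged, target, True, 100),
    }


if __name__ == "__main__":
    for desc, matched in demo().items():
        print(f"{desc:38s} -> {'match' if matched else 'no match'}")
```

Running it shows the untagged frame matching "host", the tagged frame matching only once "vlan" precedes "host", and "vlan 100" rejecting a VLAN 201 frame, which is the behaviour the reply attributes to the IDSM-2 trunk capture. This is a model of the filter's offset handling, not libpcap itself; newer libpcap releases and some capture paths treat VLAN tags differently, so the "vlan" prefix is the thing to check first whenever a sensor on a trunk port returns nothing for an otherwise sensible expression.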