cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
331
Views
0
Helpful
3
Replies

FWSM 3.1(4) capture only showing traffic inbound to an interface

clayton-price
Level 1
Level 1

I'm having problems capturing traffic leaving an interface on a FWSM. It only shows the traffic inbound to the interface. Has anyone found a way to get this working?

3 Replies 3

can you post the SPAN /monitor config.

a.alekseev
Level 7
Level 7

:))

Could you post your capture configuration?

Sure. thanks! I know I could use the same ACL, but I'm using two for testing..disregard the reset. I just telnet'd to port 3389. It's the initial ack from 10.50.1.66 etc that's not showing on the JTC-BB interface. The initial SYN is not showing on the ESX-ILO interface etc. Also icmp echo requests will show leaving an interface, just not tcp.

access-list in extended permit ip host 10.50.1.66 any

access-list in extended permit ip any host 10.50.1.66

access-list out extended permit ip host 10.50.1.66 any

access-list out extended permit ip any host 10.50.1.66

capture inside type raw-data access-list in interface JTC-BB

capture outside type raw-data access-list out interface ESX-ILO

FWSM-6003/bastion# sh cap inside

3 packets captured

1: 18:34:23.2310907230 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: S 1500397783:1500397783(0) win 65535

2: 18:34:23.2310907260 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: . ack 4212524028 win 65535

3: 18:34:26.2310909840 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: P 1500397784:1500397786(2) ack 4212524028 win 65535

FWSM-6003/bastion# sh cap outside

2 packets captured

1: 18:34:23.2310907230 802.1Q vlan#234 P0 10.50.1.66.3389 > 10.130.34.226.2645: S 4212524027:4212524027(0) ack 2671557974 win 16384

2: 18:34:26.2310909840 802.1Q vlan#234 P0 10.50.1.66.3389 > 10.130.34.226.2645: R 4212524028:4212524028(0) ack 2671557976 win 0

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: