07-17-2008 11:11 AM - edited 03-11-2019 06:16 AM
I'm having problems capturing traffic leaving an interface on a FWSM. It only shows the traffic inbound to the interface. Has anyone found a way to get this working?
07-17-2008 11:24 AM
Can you post the SPAN/monitor config?
07-17-2008 11:46 AM
:))
Could you post your capture configuration?
07-17-2008 11:56 AM
Sure. Thanks! I know I could use the same ACL, but I'm using two for testing. Disregard the reset. I just telnet'd to port 3389. It's the initial ACK from 10.50.1.66, etc., that's not showing on the JTC-BB interface. The initial SYN is not showing on the ESX-ILO interface, etc. Also, ICMP echo requests will show leaving an interface, just not TCP.
access-list in extended permit ip host 10.50.1.66 any
access-list in extended permit ip any host 10.50.1.66
access-list out extended permit ip host 10.50.1.66 any
access-list out extended permit ip any host 10.50.1.66
capture inside type raw-data access-list in interface JTC-BB
capture outside type raw-data access-list out interface ESX-ILO
FWSM-6003/bastion# sh cap inside
3 packets captured
1: 18:34:23.2310907230 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: S 1500397783:1500397783(0) win 65535
2: 18:34:23.2310907260 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: . ack 4212524028 win 65535
3: 18:34:26.2310909840 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: P 1500397784:1500397786(2) ack 4212524028 win 65535
FWSM-6003/bastion# sh cap outside
2 packets captured
1: 18:34:23.2310907230 802.1Q vlan#234 P0 10.50.1.66.3389 > 10.130.34.226.2645: S 4212524027:4212524027(0) ack 2671557974 win 16384
2: 18:34:26.2310909840 802.1Q vlan#234 P0 10.50.1.66.3389 > 10.130.34.226.2645: R 4212524028:4212524028(0) ack 2671557976 win 0
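A small parser for the two capture listings in the post above, as an added example (not part of the thread and not a Cisco tool): it reports which direction of the 10.50.1.66 flow each capture contains. The function names and the regular expression are assumptions built from the output layout shown in the post.

```python
import re

# One packet line of "show capture" output, in the layout shown in the post.
PKT = re.compile(
    r"^\s*\d+:\s+\S+\s+802\.1Q vlan#(?P<vlan>\d+)\s+P\d+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SFPR.]+)(?P<rest>.*)$"
)
# Packet lines copied from the two captures in the post.
INSIDE = """\
1: 18:34:23.2310907230 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: S 1500397783:1500397783(0) win 65535
2: 18:34:23.2310907260 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: . ack 4212524028 win 65535
3: 18:34:26.2310909840 802.1Q vlan#229 P0 10.130.34.226.2645 > 10.50.1.66.3389: P 1500397784:1500397786(2) ack 4212524028 win 65535
"""
OUTSIDE = """\
1: 18:34:23.2310907230 802.1Q vlan#234 P0 10.50.1.66.3389 > 10.130.34.226.2645: S 4212524027:4212524027(0) ack 2671557974 win 16384
2: 18:34:26.2310909840 802.1Q vlan#234 P0 10.50.1.66.3389 > 10.130.34.226.2645: R 4212524028:4212524028(0) ack 2671557976 win 0
"""

def parse(text):
    """Return one dict per packet line; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT.match(line)
        if m:
            p = m.groupdict()
            # The listing prints "ack N" after the flags when ACK is set.
            p["ack"] = " ack " in p.pop("rest")
            pkts.append(p)
    return pkts

def directions(text, host):
    """Directions relative to `host` that appear in one capture."""
    pkts = parse(text)
    return {label for label, key in (("to_host", "dst"), ("from_host", "src"))
            if any(p[key] == host for p in pkts)}

def summarize(name, text, host):
    """Per-capture summary: VLANs, directions seen, TCP flags in order."""
    pkts, seen = parse(text), directions(text, host)
    flags = [p["flags"] + ("+ack" if p["ack"] else "") for p in pkts]
    return {"capture": name, "vlans": sorted({p["vlan"] for p in pkts}),
            "directions": sorted(seen), "flags": flags, "one_way": len(seen) == 1}

if __name__ == "__main__":
    for name, text in (("inside", INSIDE), ("outside", OUTSIDE)):
        print(summarize(name, text, "10.50.1.66"))
```

Both captures come back with `one_way` set: each listing holds only the packets arriving on its interface, which matches what the post reports.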