identifying traffic which is matching an ACL

Unanswered Question
Aug 13th, 2008
User Badges:

I have a customer whom has a "permit ip any any statement" configured at the end of an ACL on his inside Firewall. This same statement is not configured on the Firewall that is on the OUtside Perimeter of the network.

Each time I have tried to remove the "permit ip any any " statement , eventually the Mail system will break.

I need to capture what traffic is being passed by this statement, but am not sure how to do so, as the capture command can specify an ACL, but not an individual line from an ACL.

Has anyone ever filtered somehow on just one line of a configured ACL and captured the traffic?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.5 (4 ratings)
Collin Clark Wed, 08/13/2008 - 09:04
User Badges:
  • Purple, 4500 points or more

You can put the keyword "log" at the end of the line. Any traffic that matches it will be logged to the buffer/console/vty/syslog (if you have it configured). What I would do is make another ACL statement above that one that has the mail sever IP and log that one only. Logging on an 'IP any any' will generate a lot of log. Like you stated you could capture, just create a new ACL and point the capture to it (it does not have to be applied to an interface to work). Again I would restrict that ACL to the mail server instead of all traffic.

Good luck and I hope that helps.

Kevin Melton Wed, 08/13/2008 - 10:06
User Badges:

Yes it does seem like this is working. What is interesting is that i see traffic in the capture that should in fact be matching line statements which are configured within the ACL i have applied to an interface to allow the traffic. But I am not getting any hits on the ACL. any idea why this behavior may be occuring?

Also, can you tell me what the letters "P" and "F" mean in the following trace packets from the capture?

90: 13:00:48.094004 > P 4063017374:4063017902(528) ack 995364230 win 64576

91: 13:00:48.106775 > P 4063017902:4063017908(6) ack 995364323 win 64483

92: 13:00:48.107050 > F 4063017908:4063017908(0) ack 995364396 win 64411


Collin Clark Wed, 08/13/2008 - 10:46
User Badges:
  • Purple, 4500 points or more

It's hard to tell without seeing the config, it could be any number of things. I'm not sure what P,F,or S stands for. I'd bet something with the TCP state, but I don't know for sure

Collin Clark Wed, 08/13/2008 - 10:52
User Badges:
  • Purple, 4500 points or more

S stands for TCP SYN, R stands for TCP RESET

robertson.michael Wed, 08/13/2008 - 11:34
User Badges:
  • Silver, 250 points or more

The "P" indicates the TCP PSH flag is set. Likewise, the "F" indicates a TCP FIN.

Hope that helps.



This Discussion