packet display on WS-SVC-IDS2-BUN-K9 module

Answered Question
Jun 16th, 2009

Hi all!


I am trying to use the CLI command "packet display" on a WS-SVC-IDS2-BUN-K9 module.

If I put only the interface name as an argument to the command:

packet display gigabitEthernet0/7

I get a lot of packets. It's OK.


But if I add an expression argument, I receive nothing, even with the necessary traffic present on the wire:

packet display gigabitEthernet0/7 expression ip proto \icmp

packet display gigabitEthernet0/7 verbose expression dst host IP

packet display gigabitEthernet0/7 verbose expression dst port SOME-PORT


I tested the problem on 5.0(2) and on 6.2(1)E3. Results were almost the same.


On an IPS-4255, all the above-mentioned commands produced the expected results.


I searched Cisco bug-tool and found nothing.


Can anybody try to reproduce it? Has anyone seen it?

Or maybe it's not a bug, but a feature. But I was not able to find its description.


Waiting for an answer.


With best regards,

Maxim


Correct Answer
marcabal Tue, 06/16/2009 - 13:10
User Badges: Cisco Employee

The packet command uses tcpdump under the covers. So the expression must be a valid expression for what tcpdump will understand.


If the packets are standard IP packets then the expression can be directly applied (which is likely what you see on your IPS-4255).

BUT if the packets have an 802.1q header (vlan header), then a special instruction must be added into the expression in order for tcpdump to know how to apply the rest of the expression. With the IDSM-2 it just happens that in most IDSM-2 deployments the packets will have 802.1q headers. The same problem will be seen on appliances running inline vlan pair configurations.


The keyword "vlan" has to be added to the expression so it knows to parse the 802.1q header before looking for the rest of the expression.


So you would want to try something like:

packet display gigabitethernet0/7 expression vlan ip proto \icmp


NOTE: A vlan number can also be added after the vlan keyword to restrict the tcpdump output to traffic on a single vlan.



Maxim Zimovets Tue, 06/16/2009 - 21:30

Hello Marco!


Thank you for your answer. It gave me a real direction to look in.

But it's necessary to correct your command for the module. With your command:

packet display gigabitethernet0/7 expression vlan ip proto \icmp

the device will produce an error.

It's necessary to add AND between the vlan and ip proto keywords. Something like this:

packet display gigabitethernet0/7 expression vlan and ip proto \icmp


I should also stress that the keyword vlan has to go first in the expression because it gives tcpdump the bias to find the real IP packet.


I suppose it's necessary to add these things to the software configuration guide. Not all of the software's users know about the underlying stuff (such as tcpdump).


With best regards,

Maxim
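To illustrate why the filter matches nothing on the module without the vlan keyword, here is an added Python example (not code from the thread, from tcpdump or from Cisco): it builds two constructed Ethernet frames carrying an ICMP packet, one untagged and one with an 802.1Q tag, and emulates how a fixed-offset filter such as "ip proto \icmp" reads the EtherType at byte 12, while the vlan keyword shifts every later offset by 4 and can additionally restrict to one VLAN id. The function names, frame contents and the matcher itself are assumptions for illustration, not tcpdump's implementation.

```python
import struct

ETH_8021Q = 0x8100     # 802.1Q tag protocol identifier (TPID)
ETH_IP = 0x0800        # IPv4 EtherType
IPPROTO_ICMP = 1       # IP protocol number for ICMP

def _ipv4_header(proto):
    # Minimal 20-byte IPv4 header (constructed sample; checksum left zero).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def make_frame(proto, vlan_id=None):
    """Build an Ethernet frame carrying an IPv4 packet of the given protocol,
    optionally wrapped in an 802.1Q tag (constructed sample data)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    payload = _ipv4_header(proto) + b"\x08\x00\x00\x00\x00\x00\x00\x00"  # ICMP echo stub
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETH_IP) + payload
    tci = vlan_id & 0x0FFF  # priority 0, CFI 0, 12-bit VLAN id
    return (dst + src + struct.pack("!HH", ETH_8021Q, tci)
            + struct.pack("!H", ETH_IP) + payload)

def matches_ip_proto(frame, proto, vlan_aware=False, vlan_id=None):
    """Emulate 'ip proto X' versus 'vlan [id] and ip proto X'.
    Without the vlan keyword the EtherType is read at the fixed offset 12, so a
    tagged frame shows 0x8100 there, never looks like IP, and silently matches
    nothing. With the vlan keyword the tag is checked and all later offsets
    move 4 bytes further into the frame (hypothetical matcher, for illustration)."""
    offset = 12
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    if vlan_aware:
        if ethertype != ETH_8021Q:
            return False  # 'vlan' requires an 802.1Q tag to be present
        tci = struct.unpack_from("!H", frame, 14)[0]
        if vlan_id is not None and (tci & 0x0FFF) != vlan_id:
            return False  # 'vlan <id>' restricts to one VLAN
        offset += 4       # skip the 4-byte tag; the inner EtherType follows
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    if ethertype != ETH_IP:
        return False
    ip_start = offset + 2
    return frame[ip_start + 9] == proto  # IPv4 protocol field is byte 9 of the header

if __name__ == "__main__":
    tagged = make_frame(IPPROTO_ICMP, vlan_id=100)
    print("untagged, ip proto icmp:", matches_ip_proto(make_frame(IPPROTO_ICMP), IPPROTO_ICMP))
    print("tagged,   ip proto icmp:", matches_ip_proto(tagged, IPPROTO_ICMP))
    print("tagged,   vlan and ip proto icmp:", matches_ip_proto(tagged, IPPROTO_ICMP, vlan_aware=True))
```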

marcabal Wed, 06/17/2009 - 10:14
User Badges: Cisco Employee

Here is what we have listed in the User Guide:


expression - Packet display filter expression.


This expression is passed directly to TCPDUMP and must meet the TCPDUMP expression syntax.


Note: The expression syntax is described in the TCPDUMP man page.

