I am trying to use the CLI command "packet display" on a WS-SVC-IDS2-BUN-K9 module.
If I give only the interface name as an argument to the command:
packet display gigabitEthernet0/7
I get a lot of packets. It's OK.
But if I add an expression argument I receive nothing, even with the necessary traffic present on the wire:
packet display gigabitEthernet0/7 expression ip proto \icmp
packet display gigabitEthernet0/7 verbose expression dst host IP
packet display gigabitEthernet0/7 verbose expression dst port SOME-PORT
I tested the problem on 5.0(2) and on 6.2(1)E3. Results were almost the same.
On an IPS-4255 all the above-mentioned commands produced the expected results.
I searched Cisco bug-tool and found nothing.
Can anybody check to reproduce it? Has anyone seen it?
Or maybe it's not a bug but a feature, but I was not able to find a description of it.
Waiting for an answer.
With best regards,
The packet command uses tcpdump under the covers, so the expression must be a valid expression that tcpdump will understand.
If the packets are standard IP packets then the expression can be directly applied (which is likely what you see on your IPS-4255).
BUT if the packets have an 802.1q header (vlan header), then a special instruction must be added into the expression in order for tcpdump to know how to apply the rest of the expression. With the IDSM-2 it just happens that in most IDSM-2 deployments the packets will have 802.1q headers. The same problem will be seen on appliances running inline vlan pair configurations.
The keyword "vlan" has to be added to the expression so it knows to parse the 802.1q header before looking for the rest of the expression.
So you would want to try something like:
packet display gigabitethernet0/7 expression vlan ip proto \icmp
NOTE: A vlan number can also be added after the vlan keyword to restrict the tcpdump output to traffic on a single vlan.
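The offset shift the answer describes, as an added illustration that is not part of the original thread: a small Python model of how a tcpdump-style filter reads the ethertype at byte 12 of the frame, and how the `vlan` keyword moves that offset by 4 for the rest of the expression. The sample frames and the mini-interpreter are constructed here (it handles only `vlan [id]`, `ip`, `proto` and `and`, treating juxtaposed primitives as an implicit `and`); the real tcpdump grammar is much larger.

```python
import struct

ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}


def build_frame(ip_proto, vlan_id=None):
    """Constructed sample frame: Ethernet + optional 802.1Q tag + minimal 20-byte IPv4 header."""
    eth_dst_src = bytes.fromhex("001122334455" "66778899aabb")
    tag = struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF) if vlan_id is not None else b""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, ip_proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth_dst_src + tag + struct.pack("!H", ETH_P_IP) + ipv4


def matches(frame, expression):
    """Evaluate the subset of tcpdump syntax used in the thread against one frame.

    Like BPF, every primitive reads from a link-layer offset; 'vlan [id]' requires
    ethertype 0x8100 at that offset and then shifts it by 4 for the rest of the
    expression. Juxtaposed primitives and 'and' are both treated as conjunction.
    """
    tokens = expression.replace("\\", "").split()
    off, i = 12, 0          # 12 = ethertype field of an untagged Ethernet header
    while i < len(tokens):
        tok = tokens[i]
        if tok == "vlan":
            if struct.unpack_from("!H", frame, off)[0] != ETH_P_8021Q:
                return False
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                i += 1
                tci = struct.unpack_from("!H", frame, off + 2)[0]
                if (tci & 0x0FFF) != int(tokens[i]):
                    return False
            off += 4        # everything after the first 'vlan' is read past the tag
        elif tok == "ip":
            if struct.unpack_from("!H", frame, off)[0] != ETH_P_IP:
                return False
        elif tok == "proto":
            i += 1
            want = PROTO_NAMES.get(tokens[i]) or int(tokens[i])
            if frame[off + 2 + 9] != want:   # IPv4 protocol byte: 2 bytes of ethertype + ip[9]
                return False
        elif tok != "and":
            raise ValueError(f"unsupported token: {tok}")
        i += 1
    return True


if __name__ == "__main__":
    tagged = build_frame(PROTO_NAMES["icmp"], vlan_id=100)
    for expr in ("ip proto \\icmp", "vlan ip proto \\icmp", "vlan 100 ip proto \\icmp"):
        print(f"{expr!r:32} -> {matches(tagged, expr)}")
```

Without `vlan`, the `ip` test reads 0x8100 at offset 12 on a tagged frame and fails, which is why the IDSM-2 showed nothing while the untagged IPS-4255 traffic matched.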