Packet capture on server in DMZ

Unanswered Question
Jul 9th, 2009

Hi all

Is it correct that when I do a packet capture on my web server in the DMZ, I never see the true public destination IP address? I only ever see the destination as the interface of my DMZ when the traffic is going back to the web. Why is this?

johnspaulding Thu, 07/09/2009 - 08:22

You can do a packet capture with the following commands.

Create an extended access-list matching the traffic src/dst or type of traffic:

access-list ex CAPTURE permit tcp host host

under global config.

Then do a show capture to view the output.

Hope this helps

carl_townshend Fri, 07/10/2009 - 00:43

Hi there,

When traffic from outside the firewall comes into my DMZ and gets NATed, am I right in saying that the source address from outside does not change? For some reason, when I do a packet capture on the DMZ net server, I always see the source as the DMZ interface and the destination as the server. In which case, when the traffic goes back to the destination, how does it know where to go? I would expect the source to be kept intact, or would it get changed to the firewall interface? How does it know where to send it back to? Would this be in the state table?

johnspaulding Fri, 07/10/2009 - 05:49

Could you post the capture output that you are doing?

But yes, if the traffic is getting NATed from outside to DMZ, the source should be the NATed IP address. It depends on the setup.
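The question of how the reply finds its way back comes down to the firewall's translation (xlate) table. Below is an added Python model, not code from this thread or from Cisco, of a stateful firewall doing interface PAT on the outside-to-DMZ direction (a hypothetical configuration chosen to reproduce the symptom described above): a capture on the DMZ side shows the DMZ interface address as source, while the recorded xlate restores the real public address on the return path. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self):  # the line a capture on that side of the firewall would show
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}"


class PatFirewall:
    """Stateful firewall that PATs inbound outside->dmz flows to its DMZ
    interface address (a hypothetical model, not ASA code). It shows why the
    DMZ-side capture loses the real source and how the xlate restores it."""

    def __init__(self, dmz_if_ip, first_port=1024):
        self.dmz_if_ip = dmz_if_ip
        self.next_port = first_port
        self.forward = {}  # (real_src, real_sport) -> mapped_port
        self.xlate = {}    # (dmz_if_ip, mapped_port) -> (real_src, real_sport)

    def outside_to_dmz(self, pkt):
        """Inbound packet: rewrite the source and record the translation."""
        key = (pkt.src, pkt.sport)
        if key not in self.forward:
            self.forward[key] = self.next_port
            self.xlate[(self.dmz_if_ip, self.next_port)] = key
            self.next_port += 1
        return Packet(self.dmz_if_ip, self.forward[key], pkt.dst, pkt.dport)

    def dmz_to_outside(self, pkt):
        """Server reply: look up the xlate by mapped destination; no entry
        means the firewall has no state for it and drops it (None)."""
        real = self.xlate.get((pkt.dst, pkt.dport))
        return None if real is None else Packet(pkt.src, pkt.sport, *real)


def demo():
    """One HTTP request seen from both captures; addresses are constructed."""
    fw = PatFirewall(dmz_if_ip="192.0.2.1")
    outside_view = Packet("203.0.113.50", 51000, "192.0.2.10", 80)  # real client
    dmz_view = fw.outside_to_dmz(outside_view)           # what the server sees
    reply = Packet(dmz_view.dst, dmz_view.dport, dmz_view.src, dmz_view.sport)
    return outside_view, dmz_view, reply, fw.dmz_to_outside(reply)


if __name__ == "__main__":
    for label, p in zip(("outside", "dmz", "reply", "restored"), demo()):
        print(f"{label:9}{p}")
```

A capture taken on the outside interface would show the first line, one taken on the DMZ interface the second; only the firewall's xlate links the two.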

