How to know what policy is dropping a packet via CLI

Unanswered Question
Jan 12th, 2010

Hi all:

I would like to know if there is a tool, command or whatever (not ASDM) in order to know if the FWSM is dropping a packet.

I tried the capture command with the type acl-drop all option, but the appliance doesn't show anything, even after creating a specific access-list that drops my connections.

The normal capture doesn't show whether a packet is being dropped either; it only shows the packet but no more information. Through ASDM it is impossible to see anything with real monitoring or buffer and filtering by my IP; although it must show my dropped packets, it doesn't.

Thanks a lot,


Panos Kampanakis Tue, 01/12/2010 - 13:10
User Badges:
  • Cisco Employee,


The FWSM doesn't have a packet tracer feature like the ASA.

Also, the ASP drop captures are only for control traffic.

The existing conns' packets are processed in hardware, so the functionality is not the same and the CPU cannot give you an answer with one command.

Your best bet is syslogs at level 7.

I hope it helps.


Kureli Sankar Tue, 01/12/2010 - 19:41
User Badges:
  • Cisco Employee,

sh np all stats | e : 0

Will give you quite a bit of output.  Note the "space" after the ":".  If you sent 1000 pings with timeout 0 from a host, you can use the output to see if any counter went up by a thousand.

You can clear the counter by issuing "clear np all stats".
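
One way to apply the counter comparison described in the reply above when the module also carries other traffic, as an added example that is not part of the original thread: save the `sh np all stats | e : 0` output before and after sending a known number of probes, then list the counters that rose by about that number. The `name : value` line shape, the section headers and every counter name in the sample are constructed assumptions, not real FWSM output.

```python
import re

# Assumed line shape "counter name : value"; the thread only implies it through
# the "| e : 0" filter. Adjust the pattern to the real output.
LINE = re.compile(r"^\s*(?P<name>.+?)\s*:\s*(?P<value>\d+)\s*$")

def parse_stats(text):
    """Return {(section, counter): value} for one saved snapshot."""
    counters, section = {}, ""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            counters[(section, m["name"])] = int(m["value"])
        elif line.strip():
            section = line.strip()  # any non-counter line is treated as a header
    return counters

def candidates(before, after, probes, slack=0.05):
    """Counters whose increase lies in [probes, probes * (1 + slack)]."""
    old, new = parse_stats(before), parse_stats(after)
    hits = []
    for key, value in new.items():
        # A counter hidden by "| e : 0" in the first snapshot was zero.
        delta = value - old.get(key, 0)
        if probes <= delta <= probes * (1 + slack):
            hits.append((key, delta))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample snapshots (placeholder names, not real FWSM counters).
BEFORE = """\
SECTION-1
fwd packets (placeholder) : 5120331
drop reason A (placeholder) : 17
SECTION-2
fwd packets (placeholder) : 88412
"""
AFTER = """\
SECTION-1
fwd packets (placeholder) : 5309876
drop reason A (placeholder) : 19
drop reason B (placeholder) : 1003
SECTION-2
fwd packets (placeholder) : 90233
"""

if __name__ == "__main__":
    for (section, name), delta in candidates(BEFORE, AFTER, probes=1000):
        print(f"{section} / {name}: +{delta}")
```

The `slack` margin absorbs a few unrelated packets hitting the same counter; on a busy module, raise the probe count so the expected delta stands out from background growth.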


Francisco Del Cura Wed, 01/13/2010 - 07:37

PK, what do you mean by syslog at level 7?

KS, there is a huge amount of traffic passing through the FWSM. I tried the command you said, but it's very difficult to know if the interesting traffic is being dropped.

Thanks for your replies,


