cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1671
Views
0
Helpful
5
Replies

ACE Packet capture

sandevsingh
Level 1
Level 1

Hi, I have tried to do a packet capture on the ACE by following this doc -

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting#Capturing_Packets_in_Real_Time

Issue is, the output is displayed in a hexa-decimal format (In red below) -

ACE1# show capture CAP2414 detail

0001: msg_type: PKT_RCV

ace_id: 18173           action_flag: 0x13

src_addr: 10.127.84.153            src_port: 58653

dst_addr: 10.127.85.153            dst_port: 14109

l3_protocol: 0          l4_protocol: 6

message_hex_dump:

0x0000: 0007 0104 0000 46fd 0000 0000 0a7f 5499  ......F.......T.

0x0010: 0a7f 5599 0609 0033 e51d 371d 0000 0000  ..U....3..7.....

0x0020: 0104 0000 05b4 0000 0000 46fd 1300 0000  ..........F.....

0x0030: 0000 0000 0000 0000 0000 0000 0000 0000  ................

0x0040: 0000 0000 0000 0001                      ........

Even if I copy the CAP file to my laptop and open it in wireshark, I only see it showing source and destination MACs. (File attached)

Can anyone please advise??

5 Replies 5

Kanwaljeet Singh
Cisco Employee
Cisco Employee

Hi,

Normally after you run a pcap and you save it in disk and then import file from there to your laptop and open in wireshark it should show you the normal output as you see normally with packet capture done on your machine?

Which version of ACE are you running? Have you tried in another version?

Regards,

Kanwal

Hi, I have done exactly the same. We have the ACE module (PID: ACE20-MOD-K9) running ver A2.3 (6a). I cannot try another version as the device is in production. Does it do the same for you? If you open my attached .docx file, I am not getting the desired information as source IP and dest IP.

Hi Sandev,

We take pcaps all the time and have never faced issue like that. We see some packets missing or file not copying but never such an issue. Can you send me the exact steps you are doing and access list that you have set up?

Regards,

Kanwal

Hi Kanwaljeet, the steps are -

Step 1:

access-list CAP line 8 extended permit ip host 10.127.84.152 host 10.127.85.152

access-list CAP line 16 extended permit ip host 10.127.84.153 host 10.127.85.153

Step 2:

capture CAP interface all access-list CAP

Step 3:

capture CAP start

Step 4:

capture CAP stop

Step 5:

Copy capture CAP disk0:CAP

Step 6:

tftp the file CAP to the laptop and open in Wireshark

Hi Sandev,

The steps look fine. Is it possible to send me the CAP file that i can open in wireshark?

Regards,

Kanwal

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: