Cisco Support Community
Good command to see dropped traffic?

Hi,

Can anyone offer any advice on what is the best way of seeing traffic that gets dropped on an interface? For example, if you run tcpdump on an interface for a host, you can see all traffic that hits the interface. What's the best way to achieve this with an interface on a PIX/ASA?

Thanks

6 REPLIES

Re: Good command to see dropped traffic?

You can use the capture command like this:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml#s3

I think it also supports the asp-drop keyword for drops only.

Regards

Farrukh

Community Member

Re: Good command to see dropped traffic?

Yeah, I am familiar with the capture command. So I guess to debug packets being dropped by the outside interface you need some details about the destination/source address, apply an ACL to the interface and capture packets for that ACL? This would be considered the best way to get this info? My only concern about that is it could be a potential security risk. If you put an ACL on the outside interface to allow 1.2.3.4 in to an internal host for IP just so you can capture the packets, you are punching a hole in your firewall, and you wouldn't want to forget to take it off after troubleshooting. Correct?

Re: Good command to see dropped traffic?

No, this is not correct; it does not open a hole on the interface. Your capture ACLs and interface ACLs are separate.

The ACL is just used to match what has to be captured.

Regards

Farrukh

Community Member

Re: Good command to see dropped traffic?

OK, so you create the capture ACL but don't apply it to an interface. Then you just run capture on the interface and specify the capture ACL you have created, which is not applied on any interface?

Re: Good command to see dropped traffic? (Accepted Solution)

Yup, please have a look at the links, both have examples with outputs.

Regards

Farrukh
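The procedure agreed on in the last two posts, written out as an added ASA CLI example (not from the original thread or the linked Cisco document): the capture ACL is never bound with access-group, so it only selects what the capture records, and a second asp-drop capture records packets the accelerated security path discards. The names CAP_ACL, CAP_OUT and CAP_DROP and the host 10.10.10.5 are constructed placeholders; 1.2.3.4 is the address used in the question.

```cisco
! Capture ACL: defined only, never applied to any interface with access-group,
! so it does not change what the outside interface permits or denies.
access-list CAP_ACL extended permit ip host 1.2.3.4 host 10.10.10.5
access-list CAP_ACL extended permit ip host 10.10.10.5 host 1.2.3.4

! Record every packet from 1.2.3.4 that arrives on the outside interface,
! whether the interface ACL later permits or denies it.
capture CAP_OUT interface outside access-list CAP_ACL buffer 1048576

! Record packets the ASP dropped, with the drop reason attached to each packet.
capture CAP_DROP type asp-drop all buffer 1048576

! Inspect the results; the asp-drop capture shows the reason, e.g. acl-drop.
show capture CAP_OUT
show capture CAP_DROP
show asp drop

! Clean up when finished: captures consume memory and CPU on the firewall.
no capture CAP_OUT
no capture CAP_DROP
no access-list CAP_ACL extended permit ip host 1.2.3.4 host 10.10.10.5
no access-list CAP_ACL extended permit ip host 10.10.10.5 host 1.2.3.4
```

Comparing the two captures shows whether a packet from 1.2.3.4 reached the interface and, if so, why the firewall discarded it, without any change to the interface's access-group policy.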
