
New Member

capture packet / ip logging

What is the best way to capture packets as well as display them for signatures?

I need to see the packets that cause the ICMP hard DoS sig 2157 to fire. The Cisco IDS Install and Configuration guide version 4.x talks about setting packet capture to true as well as Event action, but there are no clear instructions on which to use or if both need to be configured.

  • Intrusion Prevention Systems/IDS
4 REPLIES
Bronze

Re: capture packet / ip logging

If you want to capture the packets that caused the signature to fire, then you must enable the "log" option as the EventAction in the signature. When the IDS detects an attack based on this signature, it creates an IP log.

There is also an "IP logging" feature in the IDS that is used to capture the packets for a duration of time. This capture is time or size (bytes) based and is not based on signature.
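As an added example (not from this thread or from Cisco), the following Python reader lists the source, destination, ICMP type and code of every ICMP packet in a capture, so the packets behind an ICMP signature can be inspected once the IP log has been copied off the sensor. It assumes the log is in libpcap format with Ethernet framing; the sample capture is constructed inline.

```python
import struct

# Build a minimal little-endian libpcap file (link type 1 = Ethernet). Constructed sample.
def _pcap(packets):
    hdr = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out = bytearray(hdr)
    for p in packets:
        out += struct.pack('<IIII', 0, 0, len(p), len(p)) + p  # ts_sec, ts_usec, incl, orig
    return bytes(out)

# One Ethernet/IPv4/ICMP frame with the given type and code (checksums left at zero).
def _icmp_frame(icmp_type, icmp_code, src, dst):
    eth = b'\x00' * 12 + b'\x08\x00'
    icmp = struct.pack('!BBH', icmp_type, icmp_code, 0) + b'\x00' * 4
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src, dst)
    return eth + ip + icmp

SAMPLE = _pcap([
    _icmp_frame(8, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])),  # echo request
    _icmp_frame(3, 4, bytes([10, 0, 0, 9]), bytes([10, 0, 0, 2])),  # unreachable, frag needed
    _icmp_frame(3, 3, bytes([10, 0, 0, 9]), bytes([10, 0, 0, 2])),  # unreachable, port
])

def icmp_summary(data):
    """Return [(src, dst, icmp_type, icmp_code), ...] for every ICMP packet in a pcap."""
    magic = data[:4]
    if magic == b'\xd4\xc3\xb2\xa1':
        endian = '<'
    elif magic == b'\xa1\xb2\xc3\xd4':
        endian = '>'
    else:
        raise ValueError('not a libpcap file')
    if struct.unpack(endian + 'I', data[20:24])[0] != 1:
        raise ValueError('only Ethernet link type is handled here')
    off, found = 24, []
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + 'IIII', data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b'\x08\x00':
            continue  # not IPv4
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[23] != 1 or len(pkt) < 14 + ihl + 4:
            continue  # not ICMP, or truncated by the snaplen
        src = '.'.join(map(str, pkt[26:30]))
        dst = '.'.join(map(str, pkt[30:34]))
        found.append((src, dst, pkt[14 + ihl], pkt[15 + ihl]))
    return found

if __name__ == '__main__':
    import sys
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE
    for rec in icmp_summary(data):
        print(rec)
```

Run it with the path of the copied IP log as the first argument; with no argument it parses the constructed sample.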

New Member

Re: capture packet / ip logging

Thank you for the reply. I had opened a case with Cisco and they gave me the same information as well as additional info on packet capture, i.e. how to copy and read the files.

New Member

Re: capture packet / ip logging

Could you, please, share the additional info with us?

Thanks,

New Member

Re: capture packet / ip logging

You should be able to scp from a linux/unix box to get the files off the IDS. Would require scp'ing with the service account and knowing the directory where the files are stored. Not sure if that is a supported feature or not.
