Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
664
Views
0
Helpful
3
Replies

packet display on WS-SVC-IDS2-BUN-K9 module

Go to solution
Maxim Zimovets
Level 1
Level 1

‎06-16-2009 12:22 PM - edited ‎03-10-2019 04:40 AM

Hi all!

I try to use CLI command "packet display" on WS-SVC-IDS2-BUN-K9 module.

If I put only interface name as an argument to the command:

packet display gigabitEthernet0/7

I will get a lot of packets. It's Ok.

But if I add expression argument I will receive nothing even with necessary traffic existing on wire:

packet display gigabitEthernet0/7 expression ip proto \icmp

packet display gigabitEthernet0/7 verbose expression dst host IP

packet display gigabitEthernet0/7 verbose expression dst port SOME-PORT

I tested the problem on 5.0(2) and on 6.2(1)E3. Results were almost the same.

On IPS-4255 all above mentioned command produced expected results.

I searched Cisco bug-tool and found nothing.

Can anybody check to reproduce it? Has anyone seen it?

Or maybe it's not a bug, but a feature. But I was not able to find its description.

Wait for an answer.

With best regards,

Maxim

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎06-16-2009 01:10 PM

The packet command uses tpcdump under the covers. So the expression must be a valid expression for what tcpdump will understand.

If the packets are standard IP packets then the expression can be directly applied (which is likely what you see on your IPS-4255).

BUT if the packets have an 802.1q header (vlan header), then a special instruction must be added into the expression in order for tcpdump to know how to apply the rest of the expression. With the IDSM-2 it just happens that in most IDSM-2 deployments the packets will have 802.1q headers. The same problem will be seen on appliances running inline vlan pair configurations.

The keyword "vlan" has to be added to the expression so it knows to parse the 802.1q header before looking for the rest of the expression.

So you would want to try something like:

packet display gigabitethernet0/7 expression vlan ip proto \icmp

NOTE: A vlan number can also be added after the vlan keyword to restrict the tcpdump output to traffic on a single vlan.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎06-16-2009 01:10 PM

The packet command uses tpcdump under the covers. So the expression must be a valid expression for what tcpdump will understand.

If the packets are standard IP packets then the expression can be directly applied (which is likely what you see on your IPS-4255).

BUT if the packets have an 802.1q header (vlan header), then a special instruction must be added into the expression in order for tcpdump to know how to apply the rest of the expression. With the IDSM-2 it just happens that in most IDSM-2 deployments the packets will have 802.1q headers. The same problem will be seen on appliances running inline vlan pair configurations.

The keyword "vlan" has to be added to the expression so it knows to parse the 802.1q header before looking for the rest of the expression.

So you would want to try something like:

packet display gigabitethernet0/7 expression vlan ip proto \icmp

NOTE: A vlan number can also be added after the vlan keyword to restrict the tcpdump output to traffic on a single vlan.

0 Helpful

Go to solution
Maxim Zimovets
Level 1
Level 1
In response to marcabal

‎06-16-2009 09:30 PM

Hello Marco!

Thank you for your answer. It gave me real direction to look.

But it's necessary to correct your command to the module. With your command:

packet display gigabitethernet0/7 expression vlan ip proto \icmp

device will produce error.

It's necessary to add AND between vlan and ip proto keywords. Something like that:

packet display gigabitethernet0/7 expression vlan and ip proto \icmp

I should also stress, that keyword vlan has to go first in the expression because it gives tcpdump bias to find real ip packet.

I suppose it's necessary to add this things to software configuration guide. Not all of the software users know about underlying staff (such as tcpdump).

With best regards,

Maxim

0 Helpful

Go to solution
marcabal
Cisco Employee
Cisco Employee
In response to Maxim Zimovets

‎06-17-2009 10:14 AM

Here is what we have listed in the User Guide:

expression-Packet-display filter expression.

This expression is passed directly to TCPDUMP and must meet the TCPDUMP expression syntax.

--------------------------------------------------------------------------------

Note The expression syntax is described in the TCPDUMP man page.

--------------------------------------------------------------------------------

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card