03-16-2006 06:47 AM - edited 03-09-2019 02:17 PM
Hi
I would like to debug all packets going to a particular ip to a particular port. I understand there is the "debug" command but I can't understand how to use it. Can anyone give me examples of this?
Thanks
Dan
03-16-2006 07:24 AM
I'm not sure I know exactly what you are trying to see but I believe the debug packet command is what you want. See the following site for more detail on the debug command. http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1059143
Keep in mind debug can be very processing intensive and crash a system. Be as specific in your debug as possible. You may also want to consider doing it off hours and on-site just in case.
Hope this helps.
Steve
03-16-2006 08:06 AM
First you need to enable logging to see the debug messages on the PIX or forward it.
Example:
logging on
# Enables logging globally
logging monitor debugging
# Logs in debug mode to the console on a telnet or ssh session
logging console debugging
# Logs all messages to the console when connected to the PIX console port
logging buffered debugging
# Best choice = logs all messages in the memory buffer
logging host inside x.x.x.x
# Sends all debug messages to a syslog server
Logging doc:
You could also use the
example:
access-list 120 permit tcp 192.168.222.0 255.255.255.0 any eq http
capture vpncap access-list 120 interface inside
show capture vpncap access-list 120 detail
To remove the capture and data use:
no capture vpncap access-list 120 interface inside
no capture vpncap
Reference:
Another good document is:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
sincerely
Patrick
03-16-2006 08:23 AM
Hi Patrick
Thanks for your reply. Since this is a production firewall, would turning on capture cause any problems?
Also I don't have an access list, but I have an access group, can I use that in my capture command?
Thanks in advance
Dan
03-16-2006 02:56 PM
You can use this in Production but create an explicit filter (ACL) for what you are looking for. Note that the use of the Access-list is to specify what to sniff in the capture.
Example: USE SRC and DST IP and protocol and not any any in the capture Access-list.
Take a look at this Cisco document:
Examples in the command reference:
On a web browser, the capture contents for a capture named "mycapture" can be viewed at the following location:
https://209.165.200.232/capture/mycapture/pcap
To download a libpcap file (used in web browsers such as Internet Explorer or Netscape Navigator) to a local machine, enter the following:
https://209.165.200.232/capture/http/pcap
In the following example, the traffic is captured from an outside host at 209.165.200.241 to an inside HTTP server.
access-list http permit tcp host 10.120.56.15 eq http host 209.165.200.241
access-list http permit tcp host 209.165.200.241 host 10.120.56.15 eq http
capture http access-list http packet-length 74 interface inside
To capture ARP packets, enter the following:
pixfirewall(config)# capture arp ethernet-type arp interface outside
To display the packets captured by an ARP capture, enter the following:
pixfirewall(config)# show capture arp
2 packets captured
19:12:23.478429 arp who-has 209.165.200.228 tell 209.165.200.10
19:12:26.784294 arp who-has 209.165.200.228 tell 209.165.200.10
2 packets shown
To capture PPPoE Discovery packets on multiple interfaces, enter the following:
pixfirewall(config)# capture pppoed ethernet-type pppoed interface outside
pixfirewall(config)# capture pppoed interface inside
The following stores a PPPoED trace to a file name "pppoed-dump" on a TFTP server at 209.165.201.17. (Some TFTP servers require that the file exists and is world writable, so check your TFTP server for the appropriate permissions and file first.)
pixfirewall(config)# copy capture:pppoed tftp://209.165.201.17/pppoed-dump
Writing to file '/tftpboot/pppoed-dump' at 209.165.201.17 on outside
To display the capture configuration, use the show capture command without specifying any options as follows:
pixfirewall(config)# show capture
capture arp ethernet-type arp interface outside
capture http access-list http packet-length 74 interface inside
sincerely
Patrick
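The pcap file you pull from https://<pix>/capture/<name>/pcap is a plain libpcap file, so it can be inspected offline with nothing but the Python standard library. The following is an added example and not code from the thread or from Cisco: it parses the libpcap global header and packet records, decodes Ethernet/IPv4/TCP, and keeps only packets to or from one host and port, which is the same selection the two-line capture access-list above expresses. It also shows what "packet-length 74" does to the data: headers survive, but the payload is cut, and the reader reports captured versus on-wire payload bytes for each packet. The sample capture is constructed inline (a SQL*Net exchange on TCP/1521 between 10.110.9.122 and 10.10.24.10, plus unrelated traffic); the addresses and the frame contents are assumptions for illustration.

```python
"""Offline reader for a PIX/ASA capture downloaded via https://<pix>/capture/<name>/pcap.

Added example, not from the thread. Parses a libpcap file with the standard
library only and filters TCP packets by host and port, the same selection the
thread's capture access-list expresses. The sample capture is constructed
inline; the addresses and frame contents are assumptions.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1
IPPROTO_TCP = 6
TCP_FLAG_NAMES = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10))


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def flag_str(flags):
    return "".join(name for name, bit in TCP_FLAG_NAMES if flags & bit) or "."


def decode_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; a missing or cut-off layer leaves its keys absent."""
    pkt = {}
    if len(frame) < 14:
        return pkt
    pkt["ethertype"] = struct.unpack_from("!H", frame, 12)[0]
    if pkt["ethertype"] != ETHERTYPE_IPV4 or len(frame) < 34:
        return pkt
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _cksum, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    ihl = (vihl & 0x0F) * 4
    pkt.update(proto=proto, src=ip_str(src), dst=ip_str(dst), ip_len=total_len)
    tcp_off = 14 + ihl
    if proto != IPPROTO_TCP or len(frame) < tcp_off + 20:
        return pkt
    sport, dport, _seq, _ack, doff, flags, _win, _tcksum, _urg = struct.unpack_from("!HHIIBBHHH", frame, tcp_off)
    thl = (doff >> 4) * 4
    # payload_on_wire comes from the IP total length, which survives truncation;
    # payload_captured is what actually made it into the file after packet-length.
    pkt.update(sport=sport, dport=dport, flags=flag_str(flags),
               payload_on_wire=total_len - ihl - thl,
               payload_captured=max(0, len(frame) - tcp_off - thl))
    return pkt


def parse_pcap(data):
    """Return one dict per packet record in a libpcap (not pcapng) file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"            # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"            # same magic seen byte-swapped: file is big-endian
    else:
        raise ValueError("not a libpcap file")
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("record at offset %d is cut short" % (off - 16))
        off += incl_len
        pkt = decode_frame(frame)
        pkt.update(ts=ts_sec + ts_usec / 1e6, caplen=incl_len, wirelen=orig_len,
                   truncated=incl_len < orig_len)
        packets.append(pkt)
    return packets


def select_flow(packets, host, port):
    """Keep TCP packets to host:port or from host:port, mirroring the two-line ACL."""
    return [p for p in packets if p.get("proto") == IPPROTO_TCP and (
        (p.get("dst") == host and p.get("dport") == port) or
        (p.get("src") == host and p.get("sport") == port))]


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero on purpose."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     ip_bytes(src), ip_bytes(dst))
    return eth + ip + tcp


def build_pcap(frames, snaplen):
    """Write a little-endian libpcap file, cutting each frame to snaplen the way
    'capture ... packet-length <n>' does on the PIX (constructed test data)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        incl = min(len(frame), snaplen)
        out.append(struct.pack("<IIII", 1142500000 + i, 0, incl, len(frame)) + frame[:incl])
    return b"".join(out)


# Constructed sample: a SQL*Net (TCP/1521) exchange plus unrelated traffic,
# captured with packet-length 74 as in the HTTP example above.
DB, CLIENT = "10.10.24.10", "10.110.9.122"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(CLIENT, DB, 40000, 1521, 0x02),                  # SYN
    build_tcp_frame(DB, CLIENT, 1521, 40000, 0x12),                  # SYN/ACK
    build_tcp_frame(CLIENT, DB, 40000, 1521, 0x18, b"\x00" * 150),   # data, cut at 74 bytes
    build_tcp_frame(CLIENT, DB, 40001, 80, 0x02),                    # other port, excluded
    bytes.fromhex("ffffffffffff" "66778899aabb" "0806") + b"\x00" * 28,  # ARP, no IP layer
], snaplen=74)


def summarize(data, host, port):
    """(src, sport, dst, dport, flags, captured payload, wire payload, truncated) per matching packet."""
    return [(p["src"], p["sport"], p["dst"], p["dport"], p["flags"],
             p["payload_captured"], p["payload_on_wire"], p["truncated"])
            for p in select_flow(parse_pcap(data), host, port)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_PCAP, DB, 1521):
        print(row)
```

On the constructed sample, the third row reports 20 payload bytes captured out of 150 on the wire with truncated=True; that is the visible effect of packet-length 74, so if you need application data and not just the handshake, raise or drop the packet-length option when defining the capture. Replace SAMPLE_PCAP with the bytes of a downloaded file to run it against a real capture.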
03-17-2006 07:16 AM
Hi Patrick
I appreciate the full reply. I tried your capture commands. I wrote the following:
access-list check permit tcp host 10.10.24.10 eq sqlnet host 10.110.9.122
access-list check permit tcp host 10.110.9.122 host 10.10.24.10 eq sqlnet
After this I wrote:
capture 1521 access-list check interface inside
however when I run the following:
show capture check access-list check detail
I get:
ERROR: capture
Could you please place me in the right direction.
Thanks
Dan
03-17-2006 07:59 AM
Try:
show capture 1521 access-list check detail
sincerely
Patrick