how to use debug

dan_track
Level 1

Hi

I would like to debug all packets going to a particular IP to a particular port. I understand there is the "debug" command but I can't understand how to use it. Can anyone give me examples of this?

Thanks

Dan

6 Replies

stomasko
Level 4

I'm not sure I know exactly what you are trying to see but I believe the debug packet command is what you want. See the following site for more detail on the debug command. http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1059143

Keep in mind debug can be very processing intensive and crash a system. Be as specific in your debug as possible. You may also want to consider doing it off hours and on-site just in case.

Hope this helps.

Steve

First you need to enable logging to see the debug messages on the PIX or to forward them.

Example:

logging on

# Enables logging globally

logging monitor debugging

# Logs at debugging level to the terminal of a telnet or SSH session

logging console debugging

# Logs all messages to the console when connected to the PIX console port

logging buffered debugging

# Best choice: logs all messages to the memory buffer

logging host inside x.x.x.x

# Sends all debug messages to a syslog server

Logging doc:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172797.html#wp1119533

You could also use the capture command on the PIX to follow the data stream, like the tcpdump or Ethereal sniffers.

example:

access-list 120 permit tcp 192.168.222.0 255.255.255.0 any eq http

capture vpncap access-list 120 interface inside

show capture vpncap access-list 120 detail

To remove the capture and data use:

no capture vpncap access-list 120 interface inside

no capture vpncap

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#wp1053548

Another good document is:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1059143

sincerely

Patrick

Hi Patrick

Thanks for your reply. Since this is a production firewall, would turning on capture cause any problems?

Also I don't have an access list, but I have an access group, can I use that in my capture command?

Thanks in advance

Dan

You can use this in production but create an explicit filter (ACL) for what you are looking for. Note that the use of the access-list is to specify what to sniff in the capture.

Example: use the source and destination IP and the protocol, and not "any any", in the capture access-list.

Take a look at this Cisco document:

Examples in the command reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#wp1053548

On a web browser, the capture contents for a capture named "mycapture" can be viewed at the following location:

https://209.165.200.232/capture/mycapture/pcap

To download a libpcap file (used in web browsers such as Internet Explorer or Netscape Navigator) to a local machine, enter the following:

https://209.165.200.232/capture/http/pcap

In the following example, the traffic is captured from an outside host at 209.165.200.241 to an inside HTTP server.

access-list http permit tcp host 10.120.56.15 eq http host 209.165.200.241

access-list http permit tcp host 209.165.200.241 host 10.120.56.15 eq http

capture http access-list http packet-length 74 interface inside

To capture ARP packets, enter the following:

pixfirewall(config)# capture arp ethernet-type arp interface outside

To display the packets captured by an ARP capture, enter the following:

pixfirewall(config)# show capture arp

2 packets captured

19:12:23.478429 arp who-has 209.165.200.228 tell 209.165.200.10

19:12:26.784294 arp who-has 209.165.200.228 tell 209.165.200.10

2 packets shown

To capture PPPoE Discovery packets on multiple interfaces, enter the following:

pixfirewall(config)# capture pppoed ethernet-type pppoed interface outside

pixfirewall(config)# capture pppoed interface inside

The following stores a PPPoED trace to a file name "pppoed-dump" on a TFTP server at 209.165.201.17. (Some TFTP servers require that the file exists and is world writable, so check your TFTP server for the appropriate permissions and file first.)

pixfirewall(config)# copy capture:pppoed tftp://209.165.201.17/pppoed-dump

Writing to file '/tftpboot/pppoed-dump' at 209.165.201.17 on outside

To display the capture configuration, use the show capture command without specifying any options as follows:

pixfirewall(config)# show capture

capture arp ethernet-type arp interface outside

capture http access-list http packet-length 74 interface inside

sincerely

Patrick

Hi Patrick

I appreciate the full reply. I tried your capture commands, I wrote the following:

access-list check permit tcp host 10.10.24.10 eq sqlnet host 10.110.9.122

access-list check permit tcp host 10.110.9.122 host 10.10.24.10 eq sqlnet

After this I wrote:

capture 1521 access-list check interface inside

however when I run the following:

show capture check access-list check detail

I get:

ERROR: capture does not exist

Could you please place me in the right direction.

Thanks

Dan

Try:

show capture 1521 access-list check detail

sincerely

Patrick
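As an added example (not from the original thread or from Cisco), the following Python generates the access-list, capture, show capture and no capture command set that Patrick's HTTP example and Dan's SQL*Net attempt both follow, and parses the text that "show capture <name>" prints, as in the ARP output Patrick quoted. The function names, the CaptureSummary type and the flow parameters are assumptions; the sample output is copied from the thread's ARP example and the SQL*Net addresses are Dan's. The generator refuses "any" hosts, per the advice above, and the show/no-capture lines use the capture name rather than the ACL name, which is the mistake behind "ERROR: capture does not exist".

```python
"""Added example (not from the original thread or from Cisco): build the
PIX-style access-list/capture/show/no-capture command set for one TCP flow,
and parse the text that 'show capture <name>' prints.

Assumptions: the function names, the CaptureSummary type and the flow
parameters are illustrative; the sample output is copied from Patrick's
ARP example in the thread, and the SQL*Net flow values are Dan's.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def build_capture_config(cap_name: str, acl_name: str, client: str,
                         server: str, server_port: str, interface: str,
                         packet_length: Optional[int] = None) -> List[str]:
    """Return the commands to capture one client/server TCP flow, both ways.

    The ACL names both hosts and the server port (the thread's advice: never
    'any any' on a production firewall).  The 'show capture' and 'no capture'
    lines use the *capture* name, not the ACL name; giving the ACL name there
    is what produced 'ERROR: capture does not exist' in the thread.
    """
    if "any" in (client, server):
        raise ValueError("capture ACL must name explicit hosts, not 'any'")
    capture = f"capture {cap_name} access-list {acl_name}"
    if packet_length is not None:
        capture += f" packet-length {packet_length}"
    capture += f" interface {interface}"
    return [
        # server -> client: the server port is the source port ('eq' follows the source host)
        f"access-list {acl_name} permit tcp host {server} eq {server_port} host {client}",
        # client -> server: the server port is the destination port
        f"access-list {acl_name} permit tcp host {client} host {server} eq {server_port}",
        capture,
        f"show capture {cap_name} access-list {acl_name} detail",
        f"no capture {cap_name} access-list {acl_name} interface {interface}",
        f"no capture {cap_name}",
    ]


@dataclass
class CaptureSummary:
    captured: int                       # '<n> packets captured'
    shown: int                          # '<n> packets shown'
    packets: List[Tuple[str, str]] = field(default_factory=list)  # (timestamp, decode)


_PACKET = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(.+)$")
_CAPTURED = re.compile(r"^(\d+) packets? captured$")
_SHOWN = re.compile(r"^(\d+) packets? shown$")


def parse_show_capture(text: str) -> CaptureSummary:
    """Parse 'show capture <name>' output into counts and per-packet lines.

    Raises ValueError on an 'ERROR: ...' reply (e.g. a wrong capture name)
    or when the number of packet lines disagrees with the 'shown' trailer.
    """
    summary = CaptureSummary(captured=0, shown=0)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ERROR:"):
            raise ValueError(line)
        if m := _CAPTURED.match(line):
            summary.captured = int(m.group(1))
        elif m := _SHOWN.match(line):
            summary.shown = int(m.group(1))
        elif m := _PACKET.match(line):
            summary.packets.append((m.group(1), m.group(2)))
    if summary.shown != len(summary.packets):
        raise ValueError(f"trailer says {summary.shown} shown, parsed {len(summary.packets)}")
    return summary


# Constructed from the 'show capture arp' output quoted in the thread.
SAMPLE_SHOW_CAPTURE = """\
2 packets captured
19:12:23.478429 arp who-has 209.165.200.228 tell 209.165.200.10
19:12:26.784294 arp who-has 209.165.200.228 tell 209.165.200.10
2 packets shown
"""

if __name__ == "__main__":
    # Dan's SQL*Net flow from the thread: server 10.10.24.10, client 10.110.9.122
    for cmd in build_capture_config("1521", "check", "10.110.9.122",
                                    "10.10.24.10", "sqlnet", "inside"):
        print(cmd)
    print(parse_show_capture(SAMPLE_SHOW_CAPTURE))
```

The generator keeps the two ACL entries asymmetric on purpose: "eq <port>" is attached to whichever host is the server in that direction, exactly as in the two-line ACLs above, so a capture bound to the inside interface sees both halves of the conversation.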