Not seeing all packets in a capture

Hi,

I have set up a couple of captures on an FWSM running 3.2(4) to look for packets from host a to host b and the return traffic, but I'm not seeing all the packets in one of the captures.

It's a simple case of traffic coming in on the outside interface, traversing the firewall through the inside interface and, obviously, return traffic following the reciprocal path.

Looking at the captures I can see the 3-way handshake setting up in both captures, but then the data traffic only appears in the outside capture. I'm positive the traffic is OK, as I can also see the TCP ACKs from the inside host back to the outside host (in the outside capture only). If the TCP 'stream' wasn't working I would not expect to see these ACKs.

Is this the nature of the FWSM and captures or would you expect to see all traffic in both captures?

Any help or information would be appreciated.

Paul.

Capture and acl set up:

firewall# sh access-list test
access-list test; 2 elements
access-list test line 1 extended permit tcp host 82.xx.xx.77 host 62.xx.xx.12 (hitcnt=190) 0x65b723b5
access-list test line 2 extended permit tcp host 62.xx.xx.12 host 82.xx.xx.77 (hitcnt=73) 0xdb1c5f30

firewall# sh access-list test2
access-list test2; 2 elements
access-list test2 line 1 extended permit tcp host 82.xx.xx.77 host 62.xx.xx.12 (hitcnt=18) 0x2ac230c2
access-list test2 line 2 extended permit tcp host 62.xx.xx.12 host 82.xx.xx.77 (hitcnt=12) 0x545b5188

capture test1 type raw-data access-list test interface Outside
capture test2 type raw-data access-list test2 interface Inside

firewall/admin# sho cap test1
   1: 11:51:06.30366242 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: S 4073668671:4073668671 win 4128 <mss 536>
   2: 11:51:06.30366242 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: S 2617559826:2617559826 ack 4073668672 win 5840 <mss 1380>
   3: 11:51:06.30366252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . ack 2617559827 win 4128
   4: 11:51:06.30366252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073668672:4073669012(340) ack 2617559827 win 4128
   5: 11:51:06.30366252 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: . ack 4073669012 win 8192
   6: 11:51:06.30366262 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073669012:4073669208(196) ack 2617559827 win 4128
   7: 11:51:06.30366262 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: . ack 4073669208 win 8192
   8: 11:51:07.30367252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073669208:4073669744(536) ack 2617559827 win 4128
   9: 11:51:07.30367252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073669744:4073670280(536) ack 2617559827 win 4128
  10: 11:51:07.30367252 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: . ack 4073669744 win 8192
  11: 11:51:07.30367252 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: . ack 4073670280 win 8192
  12: 11:51:08.30368252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073670280:4073670816(536) ack 2617559827 win 4128
  13: 11:51:08.30368252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073670816:4073671352(536) ack 2617559827 win 4128
  14: 11:51:08.30368252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073671352:4073671888(536) ack 2617559827 win 4128
  15: 11:51:08.30368252 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: . ack 4073670816 win 8192
  16: 11:51:08.30368252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073671888:4073672424(536) ack 2617559827 win 4128
  17: 11:51:08.30368252 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: . ack 4073671352 win 8192
  18: 11:51:08.30368252 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: . ack 4073671888 win 8192
  19: 11:51:08.30368252 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: . ack 4073672424 win 8192
  20: 11:51:09.30369252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073672424:4073672960(536) ack 2617559827 win 4128
  21: 11:51:09.30369252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073672960:4073673496(536) ack 2617559827 win 4128
  22: 11:51:09.30369252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073673496:4073674032(536) ack 2617559827 win 4128
  23: 11:51:09.30369252 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: . ack 4073672960 win 8192

firewall/admin# sho cap test2
   1: 11:51:06.30366242 802.1Q vlan#182 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: S 4073668671:4073668671 win 4128 <mss 536>
   2: 11:51:06.30366242 802.1Q vlan#182 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: S 2331413964:2331413964 ack 4073668672 win 5840 <mss 1460>
   3: 11:51:06.30366252 802.1Q vlan#182 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . ack 2331413965 win 4128
3 packets shown

We've resolved this issue. The port being used for this was TCP 2000, and this is the default port used by application inspection for the Skinny protocol. Removed TCP 2000 from app inspection and now all good.
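As an added illustration that is not part of the post or of any Cisco tool, the Python script below parses the FWSM `show capture` text format quoted above and reports the directions in which the outside capture carries payload while the inside capture shows none, which is exactly the asymmetry described. It compares per-direction payload counts rather than sequence numbers, because the two captures show different sequence numbers for the inside host's SYN-ACK; the sample lines are copied from the post's own output.

```python
import re

# One line of FWSM/ASA 'show capture' text output in the format quoted in the post.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+802\.1Q vlan#(?P<vlan>\d+)\s+P\d+\s+(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)(?:\s+\d+:\d+(?:\((?P<len>\d+)\))?)?(?:\s+ack \d+)?\s+win \d+"
)

def parse_capture(text):
    """Return (src, dst, is_syn, payload_bytes) per packet; header/footer lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m["src"], m["dst"], "S" in m["flags"], int(m["len"] or 0)))
    return pkts

def direction_stats(pkts):
    """Per (src, dst) direction: SYN count, payload bytes carried, pure-ACK count."""
    stats = {}
    for src, dst, is_syn, length in pkts:
        d = stats.setdefault((src, dst), {"syn": 0, "payload": 0, "acks": 0})
        if is_syn:
            d["syn"] += 1
        elif length:
            d["payload"] += length
        else:
            d["acks"] += 1
    return stats

def missing_data_directions(outside_text, inside_text):
    """Directions that carry payload in the outside capture but none in the inside capture."""
    out = direction_stats(parse_capture(outside_text))
    ins = direction_stats(parse_capture(inside_text))
    return [d for d, s in out.items()
            if s["payload"] and ins.get(d, {}).get("payload", 0) == 0]

# Sample input: lines copied from the post's captures (addresses keep the post's masked form).
OUTSIDE = """\
   1: 11:51:06.30366242 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: S 4073668671:4073668671 win 4128 <mss 536>
   2: 11:51:06.30366242 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: S 2617559826:2617559826 ack 4073668672 win 5840 <mss 1380>
   3: 11:51:06.30366252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . ack 2617559827 win 4128
   4: 11:51:06.30366252 802.1Q vlan#20 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . 4073668672:4073669012(340) ack 2617559827 win 4128
   5: 11:51:06.30366252 802.1Q vlan#20 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: . ack 4073669012 win 8192
"""
INSIDE = """\
   1: 11:51:06.30366242 802.1Q vlan#182 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: S 4073668671:4073668671 win 4128 <mss 536>
   2: 11:51:06.30366242 802.1Q vlan#182 P0 62.xx.xx.12.2000 > 82.xx.xx.77.25334: S 2331413964:2331413964 ack 4073668672 win 5840 <mss 1460>
   3: 11:51:06.30366252 802.1Q vlan#182 P0 82.xx.xx.77.25334 > 62.xx.xx.12.2000: . ack 2331413965 win 4128
3 packets shown
"""
```

Running `missing_data_directions(OUTSIDE, INSIDE)` on the post's lines flags the outside-to-inside direction only, while both captures still show the handshake SYNs.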
