If you have configured the sensor to capture packets for alarms, certain alarms may have captured packet data that you can view. If you have Ethereal installed on your system, you can view the fully decoded output, including the IP header information. If you do not have Ethereal, you can view the hexadecimal ASCII code representation of the trigger packet in IDS Event Viewer.
To view the captured packet for an alarm, follow these steps:
Step 2 Right-click the corresponding cell in the Captured Packet column, and then select Show Captured Packet.
IDS Event Viewer decodes the base64 output and saves it to the myTriggerPacket.txt file in the /path to Cisco IDS Event Viewer/IEV/temp/ directory.
If you have Ethereal installed on the system and the path to the Ethereal executable is set correctly in the Application Settings panel, IDS Event Viewer initiates the process to convert the .txt file (myTriggerPacket.txt) into a .pcap file (myTriggerPacket.pcap). The .pcap file is then displayed using Ethereal.
Step 3 If Ethereal is not installed on the system, an error message appears. Click OK to close the error message.
The Captured Packet dialog appears and displays the hexadecimal ASCII code representation of the trigger packet.
I have Ethereal installed and my view in IDS Event Viewer states capture packet... but I don't see anything other than NSDB/Expand Whole details... is this only available via the realtime dashboard? I do see the option there, but I wasn't running the dashboard when the sig fired.
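The steps quoted above describe what IDS Event Viewer does behind the scenes: the alarm carries the trigger packet as base64, the viewer decodes it to a file, and then either hands a .pcap to Ethereal or shows a hex/ASCII dump itself. The following is an added example, not Cisco's IEV code, that reproduces that pipeline stand-alone so the decoded packet can be inspected even when the viewer's own dialog is not available. It assumes the base64 payload is a raw Ethernet frame (the page does not state the exact encapsulation), and the frame and base64 string below are constructed for the example.

```python
import base64
import struct
import tempfile

# Constructed sample: Ethernet + IPv4 + UDP frame (42 bytes), not a real alarm.
# IPv4 header checksum 0x8e7e is precomputed for this exact header.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"            # Ethernet: dst, src, type=IPv4
    "4500001c" "00010000" "4011" "8e7e"             # IPv4: ver/ihl, len=28, id, ttl=64, proto=17, csum
    "c000020a" "c6336414"                            # IPv4: src 192.0.2.10, dst 198.51.100.20
    "3039" "0035" "0008" "0000"                      # UDP: sport 12345, dport 53, len 8, csum 0
)
# What an alarm record would carry: the same frame as base64 text (constructed here).
SAMPLE_B64 = base64.b64encode(SAMPLE_FRAME).decode("ascii")

LINKTYPE_ETHERNET = 1  # pcap link-layer type for Ethernet frames (assumption for this sample)


def decode_trigger_packet(b64_text: str) -> bytes:
    """Decode the base64 trigger packet as IDS Event Viewer does before writing the .txt file."""
    return base64.b64decode(b64_text, validate=True)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over a 20+ byte IPv4 header; returns 0 when the header checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(frame: bytes, l2_offset: int = 14) -> dict:
    """Pull the fields Ethereal would show in its IP decode from an Ethernet-encapsulated frame."""
    ip = frame[l2_offset:]
    ihl = (ip[0] & 0x0F) * 4
    return {
        "version": ip[0] >> 4,
        "ihl": ihl,
        "total_length": struct.unpack("!H", ip[2:4])[0],
        "ttl": ip[8],
        "protocol": ip[9],
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
    }


def build_pcap(packet: bytes, ts_sec: int = 0, ts_usec: int = 0) -> bytes:
    """Wrap one packet in a classic libpcap file (global header + one record) that Ethereal/Wireshark opens."""
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", ts_sec, ts_usec, len(packet), len(packet))
    return global_hdr + record_hdr + packet


def write_pcap(path: str, packet: bytes) -> int:
    """Write the single-packet pcap to disk; returns the number of bytes written."""
    data = build_pcap(packet)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


def hexdump(data: bytes, width: int = 16) -> str:
    """Hex + ASCII dump in the style of the Captured Packet dialog fallback."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  |{asc}|")
    return "\n".join(lines)


if __name__ == "__main__":
    frame = decode_trigger_packet(SAMPLE_B64)
    print(hexdump(frame))
    print(parse_ipv4_header(frame))
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        pass
    print(f"wrote {write_pcap(tmp.name, frame)} bytes to {tmp.name}")
```

The decode step is the part the viewer hides in myTriggerPacket.txt; the pcap wrapper is the conversion it delegates to when Ethereal is configured, and the hex dump is the fallback dialog. Checking `checksum_ok` on the decoded header is a quick way to confirm the base64 really was the raw frame rather than some other encapsulation.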