Cisco Support Community
Showing Captured Packets

I enabled capturepacket for sig 3050. About an hour later, it fired twice. I am following the instructions listed in the Cisco article located at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm#1789

Show Captured Packet

If you have configured the sensor to capture packets for alarms, certain alarms may have captured packet data that you can view. If you have Ethereal installed on your system, you can view the fully decoded output, including the IP header information. If you do not have Ethereal, you can view the hexadecimal ASCII code representation of the trigger packet in IDS Event Viewer.

To view the captured packet for an alarm, follow these steps:

--------------------------------------------------------------------------------

Step 1 From the Alarm Information Dialog or Realtime Dashboard, locate the alarm with the captured packet you want to view.

--------------------------------------------------------------------------------

Note If an alarm has a captured packet, the word present appears in the corresponding cell of the Captured Packet column. A blank cell indicates that no packet was captured.

--------------------------------------------------------------------------------

Step 2 Right-click the corresponding cell in the Captured Packet column, and then select Show Captured Packet.

IDS Event Viewer decodes the base64 output and saves it to the myTriggerPacket.txt file in the /path to Cisco IDS Event Viewer/IEV/temp/ directory.

If you have Ethereal installed on the system and the path to the Ethereal executable is set correctly in the Application Settings panel, IDS Event Viewer initiates the process to convert the .txt file (myTriggerPacket.txt) into a .pcap file (myTriggerPacket.pcap). The .pcap file is then displayed using Ethereal.

Step 3 If Ethereal is not installed on the system, an error message appears. Click OK to close the error message.

The Captured Packet dialog appears and displays the hexadecimal ASCII code representation of the trigger packet.

I have Ethereal installed and my view in IDS Event Viewer states capturepacket... but I don't see anything other than NSDB/Expand Whole details... is this only available via the Realtime Dashboard? I do see the option there, but I wasn't running the dashboard when the sig fired.

thanks,

biz
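The decode-and-convert step the quoted documentation describes (base64 trigger packet decoded, written out as a .pcap that Ethereal can open, with the IP header fields pulled out), as an added example that is not Cisco's or IDS Event Viewer's own code. It assumes the trigger packet is carried as base64 of a complete Ethernet frame (link type DLT_EN10MB); the sample frame is constructed here, not taken from a real alarm.

```python
import base64
import struct

PCAP_MAGIC = 0xA1B2C3D4   # little-endian libpcap file, microsecond timestamps
DLT_EN10MB = 1            # Ethernet link type; assumption: trigger packets are full frames

def decode_trigger_packet(b64_text: str) -> bytes:
    """Turn the base64 text attached to an alarm into raw frame bytes.
    Whitespace and line wrapping are tolerated; any other character is rejected."""
    return base64.b64decode("".join(b64_text.split()), validate=True)

def frame_to_pcap(frame: bytes, ts_sec: int = 0, ts_usec: int = 0,
                  linktype: int = DLT_EN10MB) -> bytes:
    """Wrap one raw frame in a single-record libpcap file that Ethereal/Wireshark opens."""
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    record_hdr = struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
    return global_hdr + record_hdr + frame

def ip_summary(frame: bytes) -> dict:
    """Pull the IPv4 header fields (the 'IP header information' the viewer shows) out of an
    Ethernet frame. Returns an empty dict for non-IPv4 or truncated frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return {}
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return {"src": src, "dst": dst, "proto": frame[23], "ihl": ihl, "total_len": total_len}

# Constructed sample: a 54-byte Ethernet/IPv4/TCP SYN from 10.0.0.1:1234 to 192.168.0.1:80
# (checksums left at zero), base64-encoded the way a sensor would carry it.
SAMPLE_FRAME = bytes.fromhex(
    "000000000001" "000000000002" "0800"
    "4500" "0028" "0001" "0000" "4006" "0000" "0a000001" "c0a80001"
    "04d2" "0050" "00000000" "00000000" "5002" "0200" "0000" "0000"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_FRAME).decode()

def convert(b64_text: str, out_path: str) -> dict:
    """The viewer's step in one call: decode, write out_path as .pcap, return the IP summary."""
    frame = decode_trigger_packet(b64_text)
    with open(out_path, "wb") as f:
        f.write(frame_to_pcap(frame))
    return ip_summary(frame)

if __name__ == "__main__":
    print(convert(SAMPLE_B64, "myTriggerPacket.pcap"))
```

If the sensor's base64 turns out to wrap a bare IP packet rather than an Ethernet frame, pass a different linktype to frame_to_pcap and skip the 14-byte Ethernet offset in ip_summary.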

1 REPLY

Re: Showing Captured Packets

I'm able to open the captured packet if I have the realtime dashboard running... any way to view the data?
