The trigger packet is automatically encoded and placed as a field within the alert.
The alert is then placed in the EventStore of the sensor where it can be queried by VMS, and other viewers.
So how do you get a look at the packet?
You could download and install IEV and Ethereal.
IEV can pull the event and will decode the trigger packet into a libpcap format. It can then launch Ethereal for you to look at the packet.
If you don't want to load IEV, you can also access the trigger packet through "show events" on the sensor.
When you see the alarm in your viewer make note of the time of the alarm and the severity of the alarm and the ID of the alarm.
When you go to the sensor execute the "show events" command with the "alert " and a time a few seconds before the alarm fired.
Example: show events alert high 13:45:10 Jan 1 2004
Then look for the alert with the same eventId as in your viewer. At the bottom of the alert you will see the attached trigger packet.
On the left side will be the hex version of the packet, and on the right will be the ASCII representation of the hex packet (a period will be used for nonprintable characters).
It does not try to decode the headers of the packet, so it can be difficult to determine where the data of the packet begins.
If the decode done by the CLI is not enough for you then you can still take this output and use ethereal.
Copy the trigger packet from your CLI session and paste it into a text file on your computer.
Save the file.
Now run the program "text2pcap" to convert the Hex based trigger packet to a libpcap file.
NOTE: text2pcap is a program included in most distributions of ethereal.
You can now use ethereal to load the pcap file.
The Trigger Packet works well for IEV where the viewing of the packet has been integrated into the alarm viewer. It will eventually be integrated into the other viewers created by Cisco (and hopefully viewers from other companies pulling events from Cisco IDS sensors).
The other option is to use IP Logging (the "log" action on the signature). The IP Log also contains the trigger packet of the signature.
The IP Log is stored in a libpcap format on the sensor in special files. The IP Log cannot be directly accessed on the sensor, but the user can use the copy command on the sensor to download an IP Log from the sensor to their ftp (or scp) server.
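The hex-plus-ASCII dump produced by "show events" can be turned into a libpcap file without text2pcap, and the same script can answer the question the post raises about where the packet data begins. The following is an added example, not code from the original post or from Cisco; it assumes the dump has the hex column and the ASCII column separated by at least two spaces, with an optional leading offset, and it constructs its own sample dump (an IPv4/TCP packet carrying a short HTTP request, with zeroed checksums) rather than real sensor output. The link-type guess (raw IP if the first byte looks like an IP version nibble, otherwise Ethernet) is a heuristic, so override it if Ethereal/Wireshark shows nonsense.

```python
import re
import socket
import struct

# pcap link-layer types (values from the tcpdump.org LINKTYPE registry)
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101  # packet starts directly at the IPv4/IPv6 header

# A constructed sample in the assumed "show events" layout: optional offset,
# hex bytes, two or more spaces, then the ASCII column. Not real sensor output.
SAMPLE_DUMP = """
0000  45 00 00 38 00 01 00 00 40 06 00 00 c0 a8 01 0a  E..8....@.......
0010  c0 a8 01 14 04 d2 00 50 00 00 00 01 00 00 00 00  .......P........
0020  50 18 20 00 00 00 00 00 47 45 54 20 2f 20 48 54  P. .....GET / HT
0030  54 50 2f 31 2e 30 0d 0a                          TP/1.0..
"""

HEX_BYTES = re.compile(r"^(?:[0-9A-Fa-f]{2})(?: [0-9A-Fa-f]{2})*$")
OFFSET = re.compile(r"^[0-9A-Fa-f]{4,}:?$")


def parse_hex_dump(text):
    """Recover the raw packet bytes from a hex/ASCII dump pasted from the CLI."""
    data = bytearray()
    for raw in text.splitlines():
        parts = re.split(r"\s{2,}", raw.strip())
        # Drop a leading offset column such as "0010" if present.
        if len(parts) > 1 and OFFSET.match(parts[0]):
            parts = parts[1:]
        # Skip blank lines and anything that is not a run of hex byte pairs.
        if not parts or not HEX_BYTES.match(parts[0]):
            continue
        data += bytes.fromhex(parts[0].replace(" ", ""))
    return bytes(data)


def guess_linktype(packet):
    """Heuristic: a leading 0x4x/0x6x byte suggests the packet starts at IP."""
    if packet and packet[0] >> 4 in (4, 6):
        return LINKTYPE_RAW
    return LINKTYPE_ETHERNET


def build_pcap(packet, linktype, ts_sec=0):
    """Wrap one packet in a classic libpcap file (global header + one record)."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    record_header = struct.pack("<IIII", ts_sec, 0, len(packet), len(packet))
    return global_header + record_header + packet


def locate_payload(packet, linktype):
    """Decode IPv4 and TCP/UDP headers just far enough to find the data offset."""
    l2_len = 14 if linktype == LINKTYPE_ETHERNET else 0
    ip = packet[l2_len:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None  # only IPv4 is handled in this example
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 20:      # TCP: header length from data offset
        l4_len = (l4[12] >> 4) * 4
    elif proto == 17:                     # UDP: fixed 8-byte header
        l4_len = 8
    else:
        l4_len = 0
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "proto": proto,
        "payload_offset": l2_len + ihl + l4_len,
    }


if __name__ == "__main__":
    pkt = parse_hex_dump(SAMPLE_DUMP)
    lt = guess_linktype(pkt)
    with open("trigger.pcap", "wb") as fh:
        fh.write(build_pcap(pkt, lt))
    info = locate_payload(pkt, lt)
    print(info, pkt[info["payload_offset"]:])
```

Paste the trigger packet from the CLI in place of SAMPLE_DUMP (or read it from the saved text file), run the script, and open trigger.pcap in Ethereal/Wireshark; the printed payload offset tells you where the application data starts even before the protocol dissector does.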