Cisco Systems IPS 7.1 Home Security System User Manual
13-5
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 13 Displaying and Capturing Live Traffic on an Interface
Capturing Live Traffic on an Interface
The packet capture command captures the libpcap output into a local file. Use the packet display packet-file [verbose] [expression expression] command to view the local file. Use the packet display file-info command to display information about the local file, if any.
The following options apply:
interface_name—Specifies the logical interface name. You can only use an interface name that exists in the system.
snaplen—Specifies the maximum number of bytes captured for each packet (optional). The valid range is 68 to 1600. The default is 0.
count—Specifies the maximum number of packets to capture (optional). The valid range is 1 to 10000.
Note If you do not specify this option, the capture terminates after the maximum file size is captured.
expression—Specifies the packet-capture filter expression. This expression is passed directly to TCPDUMP and must meet the TCPDUMP expression syntax.
file-info—Displays information about the stored packet file. File-info displays the following information:
Captured by: user:id, Cmd: cliCmd
Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress
Where user = username of the user initiating the capture, id = CLI ID of the user, and cliCmd = command entered to perform the capture.
verbose—Displays the protocol tree for each packet rather than a one-line summary. This parameter is optional.
Capturing Live Traffic on an Interface
To configure the sensor to capture live traffic on an interface, follow these steps:
Step 1 Log in to the sensor using an account with administrator or operator privileges.
Step 2 Capture the live traffic on the interface you are interested in, for example, GigabitEthernet0/1.
sensor# packet capture GigabitEthernet0/1
Warning: This command will cause significant performance degradation
tcpdump: WARNING: ge0_1: no IPv4 address assigned
tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes
125 packets captured
126 packets received by filter
0 packets dropped by kernel
Step 3 View the captured packet file.
sensor# packet display packet-file
reading from file /usr/cids/idsRoot/var/packet-file, link-type EN10MB (Ethernet)
03:03:13.216768 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15
03:03:13.232881 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 3266153791 win 64328
03:03:13.232895 IP 10.89.130.108.23 > 64.101.182.244.1978: P 1:157(156) ack 0 win 5840
03:03:13.433136 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 157 win 65535
03:03:13.518335 IP 10.89.130.134.42342 > 255.255.255.255.42342: UDP, length: 76
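The one-line summaries that packet display prints are ordinary tcpdump output, so they can be parsed off-box for triage. The following is an added example, not part of the Cisco guide: a small Python parser that turns those lines into records, counts packets per flow, skips non-IP lines (such as the 802.1d line above) and flags broadcast destinations. The sample input is the guide's Step 3 output with the PDF line wraps joined.

```python
import re
from collections import Counter

# Sample "packet display packet-file" output, taken from Step 3 above with
# the wrapped lines joined (constructed sample input, not a live capture).
SAMPLE = """\
03:03:13.216768 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15
03:03:13.232881 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 3266153791 win 64328
03:03:13.232895 IP 10.89.130.108.23 > 64.101.182.244.1978: P 1:157(156) ack 0 win 5840
03:03:13.433136 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 157 win 65535
03:03:13.518335 IP 10.89.130.134.42342 > 255.255.255.255.42342: UDP, length: 76
"""

# tcpdump one-line form: "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"
IP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
UDP_LEN = re.compile(r"^UDP, length: (\d+)")

def parse_line(line):
    """Return a dict for an IP summary line, or None for non-IP output (e.g. 802.1d)."""
    m = IP_LINE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
           "dst": m["dst"], "dport": int(m["dport"])}
    u = UDP_LEN.match(m["rest"])
    if u:
        rec["proto"], rec["length"] = "udp", int(u.group(1))
    else:
        # TCP lines start with the flag string ("." = no flags, "P" = PSH, ...)
        rec["proto"], rec["flags"] = "tcp", m["rest"].split()[0]
    return rec

def summarize(text):
    """Count packets per (src, sport, dst, dport) flow; collect broadcast packets."""
    flows, broadcasts, skipped = Counter(), [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # non-IP line, e.g. spanning-tree BPDU
            continue
        flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])] += 1
        if rec["dst"] == "255.255.255.255":
            broadcasts.append(rec)
    return {"flows": flows, "broadcasts": broadcasts, "skipped": skipped}
```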