13-5
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 13 Displaying and Capturing Live Traffic on an Interface
Capturing Live Traffic on an Interface
The packet capture command captures the libpcap output into a local file. Use the packet display packet-file [verbose] [expression expression] command to view the local file. Use the packet display file-info command to display information about the local file, if any.
The following options apply:
• interface_name—Specifies the logical interface name. You can only use an interface name that exists in the system.
• snaplen—Specifies the maximum number of bytes captured for each packet (optional). The valid range is 68 to 1600. The default is 0.
• count—Specifies the maximum number of packets to capture (optional). The valid range is 1 to 10000.
Note If you do not specify this option, the capture terminates after the maximum file size is captured.
• expression—Specifies the packet-capture filter expression. This expression is passed directly to TCPDUMP and must meet the TCPDUMP expression syntax.
• file-info—Displays information about the stored packet file.
File-info displays the following information:
Captured by: user:id, Cmd: cliCmd
Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress
Where user = username of the user initiating the capture, id = CLI ID of the user, and cliCmd = command entered to perform the capture.
• verbose—Displays the protocol tree for each packet rather than a one-line summary. This parameter is optional.
Capturing Live Traffic on an Interface
To configure the sensor to capture live traffic on an interface, follow these steps:
Step 1 Log in to the sensor using an account with administrator or operator privileges.
Step 2 Capture the live traffic on the interface you are interested in, for example, GigabitEthernet0/1.
sensor# packet capture GigabitEthernet0/1
Warning: This command will cause significant performance degradation
tcpdump: WARNING: ge0_1: no IPv4 address assigned
tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes
125 packets captured
126 packets received by filter
0 packets dropped by kernel
Step 3 View the captured packet file.
sensor# packet display packet-file
reading from file /usr/cids/idsRoot/var/packet-file, link-type EN10MB (Ethernet)
03:03:13.216768 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15
03:03:13.232881 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 3266153791 win 64328
03:03:13.232895 IP 10.89.130.108.23 > 64.101.182.244.1978: P 1:157(156) ack 0 win 5840
03:03:13.433136 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 157 win 65535
03:03:13.518335 IP 10.89.130.134.42342 > 255.255.255.255.42342: UDP, length: 76
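As an added example that is not part of the Cisco guide, the following Python script parses the one-line summaries that packet display prints (the format shown in Step 3) and totals packets per conversation, skipping non-TCP/UDP lines such as the 802.1d frame. The sample input is the Step 3 output reproduced above with the wrapped lines rejoined; the script assumes numeric addresses and ports as the sensor prints them.

```python
import re
from collections import Counter

# Constructed sample: the Step 3 output from the guide, wrapped lines rejoined.
SAMPLE_OUTPUT = """\
reading from file /usr/cids/idsRoot/var/packet-file, link-type EN10MB (Ethernet)
03:03:13.216768 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15
03:03:13.232881 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 3266153791 win 64328
03:03:13.232895 IP 10.89.130.108.23 > 64.101.182.244.1978: P 1:157(156) ack 0 win 5840
03:03:13.433136 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 157 win 65535
03:03:13.518335 IP 10.89.130.134.42342 > 255.255.255.255.42342: UDP, length: 76
"""

# Matches the numeric "IP src.sport > dst.dport: ..." summary line; lines
# without ports (the banner, 802.1d, ARP, ICMP) deliberately do not match.
IP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_ip_line(line):
    """Return a record for a TCP/UDP summary line, or None for anything else."""
    m = IP_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    # tcpdump prints "UDP, length: N" for UDP; TCP lines begin with flags/ack.
    rec["proto"] = "UDP" if rec["rest"].startswith("UDP") else "TCP"
    return rec

def conversations(text):
    """Count packets per bidirectional conversation (proto + unordered endpoints).
    Returns (Counter, number of lines skipped as non-TCP/UDP)."""
    counts, skipped = Counter(), 0
    for line in text.splitlines():
        rec = parse_ip_line(line)
        if rec is None:
            skipped += 1
            continue
        ends = tuple(sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])]))
        counts[(rec["proto"],) + ends] += 1
    return counts, skipped

def broadcast_packets(text):
    """Records sent to the limited broadcast address; these belong to no unicast
    session and are worth separate review when reading a capture."""
    return [r for r in map(parse_ip_line, text.splitlines())
            if r and r["dst"] == "255.255.255.255"]

if __name__ == "__main__":
    counts, skipped = conversations(SAMPLE_OUTPUT)
    for key, n in counts.most_common():
        print(n, key)
    print("non-TCP/UDP lines skipped:", skipped)
```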