show capture
To display the capture configuration when no options are specified, use the show capture command.
show capture [capture_name] [access-list access_list_name] [count number] [decode] [detail] [dump] [packet-number number] [trace]
Syntax Description
access-list access_list_name | (Optional) Displays information for packets that are based on IP or higher fields for the specific access list identification. |
capture_name | (Optional) Specifies the name of the packet capture. |
count number | (Optional) Displays the specified number of packets. Valid values are from 0 to 4294967295. |
decode | This option is useful when a capture of type isakmp is applied to an interface. All ISAKMP data flowing through that interface will be captured after decryption and shown with more information after decoding the fields. |
detail | (Optional) Displays additional protocol information for each packet. |
dump | (Optional) Displays a hexadecimal dump of the packets that are transported over the data link. |
packet-number number | (Optional) Starts the display at the specified packet number. Valid values are from 0 to 4294967295. |
trace | (Optional) Displays extended trace information for each packet. Use this keyword if the capture was set using the trace keyword; it shows the output of packet tracer for each packet in the inbound direction. |
Command History
Release | Modification |
---|---|
6.1 | This command was introduced. |
Usage Guidelines
If you specify the capture name, then the capture buffer contents for that capture are displayed.
The dump keyword does not display MAC information in the hexadecimal dump.
The decoded output of a packet depends on the protocol of the packet. In the following table, the bracketed output is displayed when you specify the detail keyword.
Packet Type | Capture Output Format |
---|---|
802.1Q | HH:MM:SS.ms [ether-hdr] VLAN-info encap-ether-packet |
ARP | HH:MM:SS.ms [ether-hdr] arp-type arp-info |
IP/ICMP | HH:MM:SS.ms [ether-hdr] ip-source > ip-destination: icmp: icmp-type icmp-code [checksum-failure] |
IP/UDP | HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: [checksum-info] udp payload-len |
IP/TCP | HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options |
IP/Other | HH:MM:SS.ms [ether-hdr] src-addr dest-addr: ip-protocol ip-length |
Other | HH:MM:SS.ms ether-hdr: hex-dump |
If the threat defense device receives packets with an incorrectly formatted TCP header and drops them because of the ASP drop reason invalid-tcp-hdr-length, the show capture command output on the interface where those packets are received does not show those packets.
Note |
When the file size option is used:
|
Examples
This example shows how to display the capture configuration:
> show capture
capture arp ethernet-type arp interface outside
capture http access-list http packet-length 74 interface inside
This example shows how to display the packets that are captured by an ARP capture:
> show capture arp
2 packets captured
19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
19:12:26.784294 arp who-has 171.69.38.89 tell 171.69.38.10
2 packets shown
The following example shows how to display the packets that are captured on a single unit in a clustering environment:
> show capture
capture 1 cluster type raw-data interface primary interface cluster [Buffer Full - 524187 bytes]
capture 2 type raw-data interface cluster [Capturing - 232354 bytes]
The following example shows how to display the packets that are captured on all units in a clustering environment:
> cluster exec show capture
mycapture (LOCAL):----------------------------------------------------------
capture 1 type raw-data interface primary [Buffer Full - 524187 bytes]
capture 2 type raw-data interface cluster [Capturing - 232354 bytes]
yourcapture:----------------------------------------------------------------
capture 1 type raw-data interface primary [Capturing - 191484 bytes]
capture 2 type raw-data interface cluster [Capturing - 532354 bytes]
The following example shows the packets that are captured when SGT plus Ethernet tagging has been enabled on an interface:
> show capture my-inside-capture
1: 11:34:42.931012 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
2: 11:34:42.931470 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply
3: 11:34:43.932553 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
4: 11.34.43.933164 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply
When SGT plus Ethernet tagging has been enabled on an interface, the interface can still receive tagged or untagged packets. The example shown is for tagged packets, which have INLINE-TAG 36 in the output. When the same interface receives untagged packets, the output remains unchanged (that is, no “INLINE-TAG 36” entry is included in the output).
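The following added example is not part of the original command reference or of any Cisco tooling. It parses saved show capture output for the ARP and IP/ICMP formats in the table above and reports which packets carried an INLINE-TAG and which arrived untagged. The regular expressions and function names are assumptions inferred only from the sample output on this page; the untagged line in the sample is constructed.

```python
import re
from collections import Counter

# Constructed sample: lines taken from this page's examples, plus one
# constructed untagged ICMP line (packet 3) to exercise the untagged case.
SAMPLE = """\
2 packets captured
19:12:23.478429 arp who-has 171.69.38.89 tell 171.69.38.10
1: 11:34:42.931012 INLINE-TAG 36 10.0.101.22 > 11.0.101.100: icmp: echo request
2: 11:34:42.931470 INLINE-TAG 48 11.0.101.100 > 10.0.101.22: icmp: echo reply
3: 11:34:43.932553 10.0.101.22 > 11.0.101.100: icmp: echo request
2 packets shown
"""

# Assumed line shapes, inferred only from the sample output on this page:
# optional "N:" packet number, timestamp, optional "INLINE-TAG <sgt>".
PREFIX = (r"^(?:(?P<num>\d+):\s+)?(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
          r"(?:INLINE-TAG\s+(?P<sgt>\d+)\s+)?")
PATTERNS = {
    "arp": re.compile(PREFIX + r"arp\s+who-has\s+(?P<target>\S+)\s+tell\s+(?P<sender>\S+)$"),
    "icmp": re.compile(PREFIX + r"(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):\s+icmp:\s+(?P<info>.+)$"),
}

def parse_line(line):
    """Return a dict for a recognised packet line, else None (summaries, unknown)."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line.strip())
        if m:
            rec = {k: v for k, v in m.groupdict().items() if v is not None}
            rec["type"] = kind
            for key in ("num", "sgt"):      # numeric fields as integers
                if key in rec:
                    rec[key] = int(rec[key])
            return rec
    return None

def parse_capture(text):
    """Parse full 'show capture <name>' text into a list of packet records."""
    return [r for r in map(parse_line, text.splitlines()) if r]

def sgt_counts(records):
    """Count packets per security group tag."""
    return Counter(r["sgt"] for r in records if "sgt" in r)

def untagged_ip(records):
    """IP packets that carried no INLINE-TAG."""
    return [r for r in records if r["type"] != "arp" and "sgt" not in r]

if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    print(sgt_counts(recs), untagged_ip(recs))
```

Lines in formats the patterns do not cover (TCP, UDP, 802.1Q, hex dumps) are skipped rather than guessed at.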