Displaying and Capturing Live Traffic on an Interface
This chapter describes how to display, capture, copy, and erase packet files. It contains the following sections:
Packet Display And Capture Notes and Caveats
The following notes and caveats apply to capturing packet files:
-
Although capturing live traffic off the interface does not disrupt any of the functionality of the sensor, it does cause significant performance degradation.
-
Changing the interface configuration results in abnormal termination of any
packet
command running on that interface.
-
You can configure packet capture/display restrictions using the
permit-packet-logging true | false
command.
-
On IPS sensors with multiple processors, packets may be captured out of order in the IP logs and by the
packet
command. Because the packets are not processed using a single processor, the packets can become out of sync when received from multiple processors.
-
When the IPS 4500 series sensors are configured in VLAN pairs, the
packet display
command does not work without the VLAN option if the
expression
keyword is also used.
For More Information
For detailed information about the packet-related command restrictions, see Configuring Packet Command Restriction.
Understanding Packet Display and Capture
You can display or capture live traffic from an interface and have the live traffic or a previously captured file put directly on the screen. Storage is available for one local file only, subsequent capture requests overwrites an existing file. The size of the storage file varies depending on the platform. A message may be displayed if the maximum file size is reached before the requested packet count is captured.
Displaying Live Traffic on an Interface
Use the
packet display
interface_name
[
snaplen
length
] [
count
count
] [
verbose
] [
expression
expression
] command to display live traffic from an interface directly on your screen. Use the packet display iplog id [verbose] [expression expression] to display iplogs.
Note To terminate the live display, press Ctrl-C.
The following commands apply:
-
interface_name
—Specifies the interface name, interface type (GigabitEthernet, FastEthernet, Management, PortChannel) followed by slot/port. You can only use an interface name that exists in the system.
-
snaplen
—(Optional) Specifies the maximum number of bytes captured for each packet. The valid range is 68 to 1600. The default is 0. A value of 0 means use the required length to catch whole packets.
-
count
—(Optional) Specifies the maximum number of packets to capture. The valid range is 1 to 10000.
Note If you do not specify this option, the capture terminates after the maximum file size is captured.
-
verbose
—(Optional) Displays the protocol tree for each packet rather than a one-line summary.
-
expression
—Specifies the packet-display filter expression. This expression is passed directly to TCPDUMP and must meet the TCPDUMP expression syntax.
Note The expression syntax is described in the TCPDUMP man page.
Note If you use the expression option when monitoring packets with VLAN headers, the expression does not match properly unless vlan and is added to the beginning of the expression. For example, packet display iplog 926299444 verbose expression icmp Will NOT show ICMP packets; packet display iplog 926299444 verbose expression vlan and icmp WILL show ICMP packets. It is often necessary to use expression vlan and on IPS appliance interfaces connected to trunk ports.
-
file-info
—Displays information about the stored packet file.
File-info
displays the following information:
Captured by: user:id, Cmd: cliCmd Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress.
Where
user
= the username of user initiating capture,
id
= the CLI ID of the user, and
cliCmd
= the command entered to perform the capture.
Caution Executing the
packet display command causes significant performance degradation.
Displaying Live Traffic From an Interface
To configure the sensor to display live traffic from an interface on the screen, follow these steps:
Step 1 Log in to the sensor using an account with administrator or operator privileges.
Step 2 Display the live traffic on the interface you are interested in, for example, GigabitEthernet0/1.
sensor# packet display GigabitEthernet0/1 Warning: This command will cause significant performance degradation tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes 03:43:05.691883 IP (tos 0x10, ttl 64, id 55460, offset 0, flags [DF], length: 100) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 4233955485:4233955533(48) ack 1495691730 win 8576 <nop,nop,timestamp 44085169 226014949> 03:43:05.691975 IP (tos 0x10, ttl 64, id 55461, offset 0, flags [DF], length: 164) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 48:160(112) ack 1 win 8576 <nop,nop,timestamp 44085169 226014949> 03:43:05.691998 IP (tos 0x10, ttl 64, id 53735, offset 0, flags [DF], length: 52) 10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 48 win 11704 <nop,nop,timestamp 226014949 44085169> 03:43:05.693165 IP (tos 0x10, ttl 64, id 53736, offset 0, flags [DF], length: 52) 10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 160 win 11704 <nop,nop,timestamp 226014949 44085169> 03:43:05.693351 IP (tos 0x10, ttl 64, id 55462, offset 0, flags [DF], length: 316) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 160:424(264) ack 1 win 8576 <nop,nop,timestamp 44085169 226014949> 03:43:05.693493 IP (tos 0x10, ttl 64, id 55463, offset 0, flags [DF], length: 292) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 424:664(240) ack 1 win 8576 <nop,nop,timestamp 44085169 226014949> 03:43:05.693612 IP (tos 0x10, ttl 64, id 55464, offset 0, flags [DF], length: 292) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 664:904(240) ack 1 win 8576 <nop,nop,timestamp 44085169 226014949> 03:43:05.693628 IP (tos 0x10, ttl 64, id 53737, offset 0, flags [DF], length: 52) 10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 424 win 11704 <nop,nop,timestamp 226014949 44085169> 03:43:05.693654 IP (tos 0x10, ttl 64, id 53738, offset 0, flags [DF], length: 52) 10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 664 win 11704 <nop,nop,timestamp 226014949 44085169> 03:43:05.693926 IP (tos 0x10, ttl 64, id 55465, offset 0, flags [DF], length: 292) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 904:1144(240) ack 1 win 8576 <nop,nop,timestamp 44085169 226014949> 03:43:05.694043 IP (tos 0x10, ttl 64, id 55466, offset 0, flags [DF], length: 292) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 1144:1384(240) ack 1 win 8576 <nop,nop,timestamp 44085169 226014949> 03:43:05.694163 IP (tos 0x10, ttl 64, id 55467, offset 0, flags [DF], length: 292) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 1384:1624(240) ack 1 win 8576 <nop,nop,timestamp 44085169 226014949> 03:43:05.694209 IP (tos 0x10, ttl 64, id 53739, offset 0, flags [DF], length: 52) 10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 1384 win 11704 <nop,nop,timestamp 226014950 44085169> 03:43:05.694283 IP (tos 0x10, ttl 64, id 55468, offset 0, flags [DF], length: 292) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 1624:1864(240) ack 1 win 8576 <nop,nop,timestamp 44085169 226014950> 03:43:05.694402 IP (tos 0x10, ttl 64, id 55469, offset 0, flags [DF], length: 292) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 1864:2104(240) ack 1 win 8576 <nop,nop,timestamp 44085169 226014950> 03:43:05.694521 IP (tos 0x10, ttl 64, id 55470, offset 0, flags [DF], length: 292) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 2104:2344(240) ack 1 win 8576 <nop,nop,timestamp 44085169 226014950> 03:43:05.694690 IP (tos 0x10, ttl 64, id 53740, offset 0, flags [DF], length: 52) 10.89.147.50.41805 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 2344 win 11704 <nop,nop,timestamp 226014950 44085169> 03:43:05.694808 IP (tos 0x10, ttl 64, id 55471, offset 0, flags [DF], length: 300) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 2344:2592(248) ack 1 win 8576 <nop,nop,timestamp 44085169 226014950>
Step 3 You can use the
expression
option to limit what you display, for example, only TCP packets.
Note As described in the TCPDUMP man page, the protocol identifiers tcp, udp, and icmp are also keywords and must be escaped by using two back slashes (\\).
sensor# packet display GigabitEthernet0/1 verbose expression ip proto \\tcp Warning: This command will cause significant performance degradation tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes 03:42:02.509738 IP (tos 0x10, ttl 64, id 27743, offset 0, flags [DF], length: 88) 10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 3449098782:3449098830(48) ack 3009767154 win 8704 03:42:02.509834 IP (tos 0x10, ttl 64, id 27744, offset 0, flags [DF], length: 152) 10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 48:160(112) ack 1 win 8704 03:42:02.510248 IP (tos 0x0, ttl 252, id 55922, offset 0, flags [none], length: 40) 64.101.182.54.47039 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 160 win 8760 03:42:02.511262 IP (tos 0x10, ttl 64, id 27745, offset 0, flags [DF], length: 264) 10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 160:384(224) ack 1 win 8704 03:42:02.511408 IP (tos 0x10, ttl 64, id 27746, offset 0, flags [DF], length: 248) 10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 384:592(208) ack 1 win 8704 03:42:02.511545 IP (tos 0x10, ttl 64, id 27747, offset 0, flags [DF], length: 240) 10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 592:792(200) ack 1 win 8704
Step 4 Display information about the packet file.
sensor# packet display file-info Captured by: cisco:25579, Cmd: packet capture GigabitEthernet0/1 Start: 2003/02/03 02:56:48 UTC, End: 2003/02/03 02:56:51 UTC
Capturing Live Traffic on an Interface
Use the
packet capture
interface_name
[
snaplen
length
] [
count
count
] [
expression
expression
] command to capture live traffic on an interface. Only one user can use the
packet capture
command at a time. A second user request results in an error message containing information about the user currently executing the capture.
Caution Executing the
packet capture command causes significant performance degradation.
The
packet capture
command captures the libpcap output into a local file. Use the
packet display packet-file
[
verbose
] [
expression
expression
] command to view the local file. Use the
packet display file-info
to display information about the local file, if any.
The following commands apply:
-
interface_name
—Specifies the logical interface name. You can only use an interface name that exists in the system.
-
snaplen
—Specifies the maximum number of bytes captured for each packet (optional). The valid range is 68 to 1600. The default is 0.
-
count
—Specifies the maximum number of packets to capture (optional). The valid range is 1 to 10000.
Note If you do not specify this option, the capture terminates after the maximum file size is captured.
-
expression
—Specifies the packet-capture filter expression. This expression is passed directly to TCPDUMP and must meet the TCPDUMP expression syntax.
-
file-info
—Displays information about the stored packet file.
File-info
displays the following information:
Captured by: user:id, Cmd: cliCmd Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress
Where
user
= username of user initiating capture,
id
= CLI ID of the user, and
cliCmd
= command entered to perform the capture.
-
verbose
—Displays the protocol tree for each packet rather than a one-line summary. This parameter is optional.
Capturing Live Traffic on an Interface
To configure the sensor to capture live traffic on an interface, follow these steps:
Step 1 Log in to the sensor using an account with administrator or operator privileges.
Step 2 Capture the live traffic on the interface you are interested in, for example, GigabitEthernet0/1.
sensor# packet capture GigabitEthernet0/1 Warning: This command will cause significant performance degradation tcpdump: WARNING: ge0_1: no IPv4 address assigned tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes 126 packets received by filter 0 packets dropped by kernel
Step 3 View the captured packet file.
sensor# packet display packet-file reading from file /usr/cids/idsRoot/var/packet-file, link-type EN10MB (Ethernet) 03:03:13.216768 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0 0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15 03:03:13.232881 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 3266153791 win 03:03:13.232895 IP 10.89.130.108.23 > 64.101.182.244.1978: P 1:157(156) ack 0 wi 03:03:13.433136 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 157 win 65535 03:03:13.518335 IP 10.89.130.134.42342 > 255.255.255.255.42342: UDP, length: 76 03:03:15.218814 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0 0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15 03:03:15.546866 IP 64.101.182.244.1978 > 10.89.130.108.23: P 0:2(2) ack 157 win 03:03:15.546923 IP 10.89.130.108.23 > 64.101.182.244.1978: P 157:159(2) ack 2 wi 03:03:15.736377 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 159 win 65533 03:03:17.219612 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0 0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15 03:03:19.218535 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0 0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15 03:03:19.843658 IP 64.101.182.143.3262 > 10.89.130.23.445: P 3749577803:37495778 56(53) ack 3040953472 win 64407 03:03:20.174835 IP 161.44.55.250.1720 > 10.89.130.60.445: S 3147454533:314745453 3(0) win 65520 <mss 1260,nop,nop,sackOK> 03:03:21.219958 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0 0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15 03:03:21.508907 IP 161.44.55.250.1809 > 10.89.130.61.445: S 3152179859:315217985 9(0) win 65520 <mss 1260,nop,nop,sackOK> 03:03:23.221004 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0 0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15 03:03:23.688099 IP 161.44.55.250.1975 > 10.89.130.63.445: S 3160484670:316048467 0(0) win 65520 <mss 1260,nop,nop,sackOK> 03:03:25.219054 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0 0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15 03:03:25.846552 IP 172.20.12.10.2984 > 10.89.130.127.445: S 1345848756:134584875 6(0) win 64240 <mss 1460,nop,nop,sackOK> 03:03:26.195342 IP 161.44.55.250.2178 > 10.89.130.65.445: S 3170518052:317051805 2(0) win 65520 <mss 1260,nop,nop,sackOK> 03:03:27.222725 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.0 0:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15 03:03:27.299178 IP 161.44.55.250.2269 > 10.89.130.66.445: S 3174717959:317471795 9(0) win 65520 <mss 1260,nop,nop,sackOK> 03:03:27.308798 arp who-has 161.44.55.250 tell 10.89.130.66 03:03:28.383028 IP 161.44.55.250.2349 > 10.89.130.67.445: S 3178636061:317863606 1(0) win 65520 <mss 1260,nop,nop,sackOK>
Step 4 View any information about the packet file.
sensor# packet display file-info Captured by: cisco:8874, Cmd: packet capture GigabitEthernet0/1 Start: 2003/01/07 00:12:50 UTC, End: 2003/01/07 00:15:30 UTC
Copying the Packet File
Use the
copy packet-file
destination_url
command to copy the packet file to an FTP or SCP server for saving or further analysis with another tool, such as Wireshark or TCPDUMP.
The following commands apply:
-
packet-file
—Specifies the locally stored libpcap file that you captured using the
packet capture
command.
-
destination_url
—Specifies the location of the destination file to be copied. It can be a URL or a keyword.
Note The exact format of the source and destination URLs varies according to the file.
-
ftp:—Destination URL for an FTP network server. The syntax for this prefix is:
ftp://[[username@]location][/relativeDirectory]/filename
ftp://[[username@]location][//absoluteDirectory]/filename
-
scp:—Destination URL for the SCP network server. The syntax for this prefix is:
scp://[[username@]location][/relativeDirectory]/filename
scp://[[username@]location][//absoluteDirectory]/filename
Note When you use FTP or SCP protocol, you are prompted for a password.
To copy packets files to an FTP or SCP server, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Copy the packet-file to an FTP or SCP server.
sensor# copy packet-file scp://jbrown@209.165.200.225/work/ packet-file 100% 1670 0.0KB/s 00:00
Step 3 View the packet file with Wireshark or TCPDUMP.
Erasing the Packet File
Use the
erase packet-file
command to erase the packet file. There is only one packet file. It is 16 MB and is over-written each time you use the
packet capture
command. To erase the packet file, follow these steps:
Step 1 Display information about the current captured packet file.
sensor# packet display file-info Captured by: cisco:1514, Cmd: packet capture GigabitEthernet0/1 Start: 2005/02/15 03:55:00 CST, End: 2005/02/15 03:55:05 CST
Step 2 Erase the packet file.
sensor# erase packet-file
Step 3 Verify that you have erased the packet file.
sensor# packet display file-info No packet-file available.