Capturing Live Traffic On An Interface - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual


Chapter 9   Displaying and Capturing Live Traffic on an Interface
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, 78-16527-01, page 9-4

Step 3   You can use the expression option to limit what you display, for example, only TCP packets.

Note   As described in the TCPDUMP man page, the protocol identifiers tcp, udp, and icmp are also keywords and must be escaped by using two backslashes (\\).

sensor# packet display GigabitEthernet0/1 verbose expression ip proto \\tcp
Warning: This command will cause significant performance degradation
tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes
03:42:02.509738 IP (tos 0x10, ttl 64, id 27743, offset 0, flags [DF], length: 88)
    10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 3449098782:3449098830(48) ack 3009767154 win 8704
03:42:02.509834 IP (tos 0x10, ttl 64, id 27744, offset 0, flags [DF], length: 152)
    10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 48:160(112) ack 1 win 8704
03:42:02.510248 IP (tos 0x0, ttl 252, id 55922, offset 0, flags [none], length: 40)
    64.101.182.54.47039 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 160 win 8760
03:42:02.511262 IP (tos 0x10, ttl 64, id 27745, offset 0, flags [DF], length: 264)
    10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 160:384(224) ack 1 win 8704
03:42:02.511408 IP (tos 0x10, ttl 64, id 27746, offset 0, flags [DF], length: 248)
    10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 384:592(208) ack 1 win 8704
03:42:02.511545 IP (tos 0x10, ttl 64, id 27747, offset 0, flags [DF], length: 240)
    10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 592:792(200) ack 1 win 8704

Step 4   To display information about the packet file:

sensor# packet display file-info
Captured by: cisco:25579, Cmd: packet capture GigabitEthernet0/1
Start: 2003/02/03 02:56:48 UTC, End: 2003/02/03 02:56:51 UTC
sensor#

Capturing Live Traffic on an Interface

Use the packet capture interface-name [snaplen length] [count count] [expression expression] command to capture live traffic on an interface. Only one user can use the packet capture command at a time. A second user request results in an error message containing information about the user currently executing the capture.

Caution   Executing the packet capture command causes significant performance degradation.

The packet capture command captures the libpcap output into a local file. Use the packet display packet-file [verbose] [expression expression] command to view the local file. Use the packet display file-info command to display information about the local file, if any.

The following options apply:

interface-name—Logical interface name. You can only use an interface name that exists in the system.

snaplen—Maximum number of bytes captured for each packet (optional). The valid range is 68 to 1600. The default is 0.
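The verbose two-line-per-packet output that packet display prints (Step 3 above, and the same format when a saved capture is viewed with packet display packet-file verbose) is easier to audit once it is turned into records. The following Python is an added example, not code from the Cisco guide: the sample lines are copied from the session above, the regular expressions assume exactly that tcpdump format, and SAMPLE, Packet, parse_display and payload_by_flow are this example's own names.

```python
import re
from dataclasses import dataclass

# Constructed sample in the two-line verbose format printed by
# "packet display ... verbose expression ip proto \\tcp" (values from the session on the page).
SAMPLE = """\
03:42:02.509738 IP (tos 0x10, ttl 64, id 27743, offset 0, flags [DF], length: 88)
    10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 3449098782:3449098830(48) ack 3009767154 win 8704
03:42:02.510248 IP (tos 0x0, ttl 252, id 55922, offset 0, flags [none], length: 40)
    64.101.182.54.47039 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 160 win 8760
"""

# Line 1 of each packet is the IP header summary; line 2 carries endpoints, TCP flags,
# the checksum verdict, the sequence range with (payload bytes), ack and window.
IP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), "
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], length: (?P<len>\d+)\)$")
TCP_RE = re.compile(
    r"^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<tflags>\S+) \[tcp sum (?P<sum>\w+)\] (?P<seq0>\d+):(?P<seq1>\d+)\((?P<plen>\d+)\) "
    r"ack (?P<ack>\d+) win (?P<win>\d+)$")

@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ip_len: int    # IP total length from "length: N"
    payload: int   # TCP payload bytes, the (n) after the sequence range
    csum_ok: bool  # tcpdump's "[tcp sum ok]" verdict

def parse_display(text):
    """Parse packet display output into Packet records, one per line pair."""
    lines = [l for l in text.splitlines() if l.strip()]
    packets = []
    for hdr, body in zip(lines[0::2], lines[1::2]):
        h, t = IP_RE.match(hdr), TCP_RE.match(body)
        if not (h and t):
            raise ValueError(f"unrecognised packet lines: {hdr!r} / {body!r}")
        packets.append(Packet(h["ts"], t["src"], int(t["sport"]), t["dst"], int(t["dport"]),
                              int(h["len"]), int(t["plen"]), t["sum"] == "ok"))
    return packets

def payload_by_flow(packets):
    # Payload bytes per "src:port -> dst:port" direction, a quick per-side volume check
    totals = {}
    for p in packets:
        key = f"{p.src}:{p.sport} -> {p.dst}:{p.dport}"
        totals[key] = totals.get(key, 0) + p.payload
    return totals
```

For every record, ip_len minus payload is the IPv4 plus TCP header size (40 bytes when neither carries options), which is a cheap sanity check that a line pair was parsed consistently.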
