Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Chapter 9 Displaying and Capturing Live Traffic on an Interface
Step 3 You can use the expression option to limit what you display, for example, only TCP packets.
Note As described in the TCPDUMP man page, the protocol identifiers tcp, udp, and icmp are also keywords and must be escaped by using two backslashes (\\).
sensor# packet display GigabitEthernet0/1 verbose expression ip proto \\tcp
Warning: This command will cause significant performance degradation
tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes
03:42:02.509738 IP (tos 0x10, ttl 64, id 27743, offset 0, flags [DF], length: 88)
10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 3449098782:3449098830(48) ack 3009767154 win 8704
03:42:02.509834 IP (tos 0x10, ttl 64, id 27744, offset 0, flags [DF], length: 152)
10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 48:160(112) ack 1 win 8704
03:42:02.510248 IP (tos 0x0, ttl 252, id 55922, offset 0, flags [none], length: 40)
64.101.182.54.47039 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 160 win 8760
03:42:02.511262 IP (tos 0x10, ttl 64, id 27745, offset 0, flags [DF], length: 264)
10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 160:384(224) ack 1 win 8704
03:42:02.511408 IP (tos 0x10, ttl 64, id 27746, offset 0, flags [DF], length: 248)
10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 384:592(208) ack 1 win 8704
03:42:02.511545 IP (tos 0x10, ttl 64, id 27747, offset 0, flags [DF], length: 240)
10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 592:792(200) ack 1 win 8704
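The verbose output above is two lines per packet: an IP header line followed by a TCP line whose "(n)" after the sequence range is the payload length. The following added example (not part of the guide or the Cisco IPS CLI) parses that format, skips the warning and tcpdump banner lines, summarizes bytes and packets per flow, and builds expressions with the escaped tcp/udp/icmp keywords the Note requires. The sample input is reconstructed from the Step 3 output; the regular expressions and the 40-byte header check (no IP or TCP options) are this example's own assumptions.

```python
"""Parse the two-line verbose records printed by the sensor's packet display
command and summarize the capture per TCP flow.

Added example: the sample below is reconstructed from the guide's Step 3
output; the parser, the flow summary and the keyword-escaping helper are this
example's own and are not part of the Cisco IPS CLI."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the guide's Step 3 output with the wrapped packet line
# re-joined. The warning and tcpdump banner are included on purpose so the
# parser is shown skipping lines that are not packet records.
SAMPLE_OUTPUT = """\
Warning: This command will cause significant performance degradation
tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes
03:42:02.509738 IP (tos 0x10, ttl 64, id 27743, offset 0, flags [DF], length: 88)
10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 3449098782:3449098830(48) ack 3009767154 win 8704
03:42:02.509834 IP (tos 0x10, ttl 64, id 27744, offset 0, flags [DF], length: 152)
10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 48:160(112) ack 1 win 8704
03:42:02.510248 IP (tos 0x0, ttl 252, id 55922, offset 0, flags [none], length: 40)
64.101.182.54.47039 > 10.89.147.31.22: . [tcp sum ok] 1:1(0) ack 160 win 8760
03:42:02.511262 IP (tos 0x10, ttl 64, id 27745, offset 0, flags [DF], length: 264)
10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 160:384(224) ack 1 win 8704
03:42:02.511408 IP (tos 0x10, ttl 64, id 27746, offset 0, flags [DF], length: 248)
10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 384:592(208) ack 1 win 8704
03:42:02.511545 IP (tos 0x10, ttl 64, id 27747, offset 0, flags [DF], length: 240)
10.89.147.31.22 > 64.101.182.54.47039: P [tcp sum ok] 592:792(200) ack 1 win 8704
"""

# Assumed line shapes, derived from the sample above (not a Cisco specification).
IP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), "
    r"id (?P<id>\d+), offset (?P<offset>\d+), flags \[(?P<ipflags>[^\]]*)\], "
    r"length: (?P<length>\d+)\)$"
)
TCP_LINE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<tcpflags>[A-Z.]+) \[(?P<cksum>[^\]]*)\] "
    r"(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<payload>\d+)\) ack (?P<ack>\d+) win (?P<win>\d+)"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    ttl: int
    ip_flags: str
    ip_length: int   # IP total length from the header (not the captured length)
    src: str
    sport: int
    dst: str
    dport: int
    tcp_flags: str
    payload: int     # TCP payload bytes: the "(n)" after the sequence range
    win: int


def parse_packet_display(text):
    """Return a Packet for each IP/TCP line pair in verbose packet display output.

    Non-record lines (prompt, warning, tcpdump banner) are skipped; an IP line
    whose TCP line is missing raises instead of being silently dropped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    packets, i = [], 0
    while i < len(lines):
        hdr = IP_LINE.match(lines[i])
        if hdr is None:
            i += 1
            continue
        tcp = TCP_LINE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if tcp is None:
            raise ValueError(f"IP record at {hdr['ts']} is not followed by its TCP line")
        packets.append(Packet(
            ts=hdr["ts"], ttl=int(hdr["ttl"]), ip_flags=hdr["ipflags"],
            ip_length=int(hdr["length"]), src=tcp["src"], sport=int(tcp["sport"]),
            dst=tcp["dst"], dport=int(tcp["dport"]), tcp_flags=tcp["tcpflags"],
            payload=int(tcp["payload"]), win=int(tcp["win"])))
        i += 2
    return packets


def header_bytes(pkt):
    """IP + TCP header bytes implied by the record; 40 when neither layer carries options."""
    return pkt.ip_length - pkt.payload


def summarize_flows(packets):
    """Aggregate packet count, payload bytes and IP bytes per unidirectional flow."""
    flows = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "ip_bytes": 0})
    for p in packets:
        f = flows[(p.src, p.sport, p.dst, p.dport)]
        f["packets"] += 1
        f["payload_bytes"] += p.payload
        f["ip_bytes"] += p.ip_length
    return dict(flows)


def escape_protocol_keywords(expression):
    """Prefix bare tcp/udp/icmp keywords with two backslashes, as the guide's Note
    requires on the sensor CLI; keywords that are already escaped are left alone."""
    return re.sub(r"(?<![\\\w])(tcp|udp|icmp)\b", r"\\\\\1", expression)


if __name__ == "__main__":
    pkts = parse_packet_display(SAMPLE_OUTPUT)
    for flow, stats in summarize_flows(pkts).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {stats}")
    print(escape_protocol_keywords("ip proto tcp or ip proto udp"))
```

On the sample, the server side (10.89.147.31:22) sends five packets carrying 792 payload bytes, the client acknowledges with a single empty segment, and every record's IP length minus payload is 40, which is what you expect for option-free IPv4/TCP; a different value on a real capture points at header options or a malformed record worth looking at.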
Step 4 To display information about the packet file:
sensor# packet display file-info
Captured by: cisco:25579, Cmd: packet capture GigabitEthernet0/1
Start: 2003/02/03 02:56:48 UTC, End: 2003/02/03 02:56:51 UTC
sensor#
Capturing Live Traffic on an Interface
Use the packet capture interface-name [snaplen length] [count count] [expression expression] command to capture live traffic on an interface.
Only one user can use the packet capture command at a time. A second user request results in an error message containing information about the user currently executing the capture.
Caution Executing the packet capture command causes significant performance degradation.
The packet capture command captures the libpcap output into a local file.
Use the packet display packet-file [verbose] [expression expression] command to view the local file.
Use the packet display file-info command to display information about the local file, if any.
The following options apply:
• interface-name—Logical interface name. You can only use an interface name that exists in the system.
• snaplen—Maximum number of bytes captured for each packet (optional). The valid range is 68 to 1600. The default is 0.