debug ip packet

 
 
J Anderia
      09-01-2006
I like to use the debug packet ip detail command to troubleshoot but even when I use it
with an access list, the show log command captures everything, not just what I've put in
the access list. Is there a way to get only what I want in the log buffer? This is what
I'm doing:

Log onto router - A 3660 running IOS 12.3(6)a

1. Configure an access list:
access-list 150 permit tcp host 10.10.59.59 host 192.168.25.14 eq smtp
access-list 150 permit tcp host 192.168.25.14 host 10.10.59.59 established

2. Turn on debug:
debug ip packet detail 150
**(note, I've also tried a variation, debug ip packet 150 detail)

3. Telnet to port 25 from the host, 10.10.59.59

4. Run a 'show log' command on the router to look at the log

Instead of just seeing the traffic between the two hosts in the access list, I see a
multitude of traffic from other hosts. Am I doing something wrong here? I would love to
be able to only see the narrowed down traffic that I've specified in my access list.

Thanks!
 
lfnetworking
      09-02-2006

Watch the debug in your terminal in exec mode, no need to look at logs -
use the "term mon" command. Sounds like you have terminal logging on
as well.
 
J Anderia
      09-02-2006
Thanks for the quick reply! I have tried that and I still get all the unwanted traffic
showing up on the terminal. Any way to limit the traffic so it doesn't scroll off the
screen too quickly when I'm trying to troubleshoot?





 
Barry Margolin
      09-02-2006
J Anderia wrote:

> I like to use the debug packet ip detail command to troubleshoot but even when I use it
> with an access list, the show log command captures everything, not just what I've put in
> the access list. Is there a way to get only what I want in the log buffer? This is what
> I'm doing:
>
> Log onto router - A 3660 running IOS 12.3(6)a
>
> 1. Configure an access list:
> access-list 150 permit tcp host 10.10.59.59 host 192.168.25.14 eq smtp
> access-list 150 permit tcp host 192.168.25.14 host 10.10.59.59 established


Are you sure there wasn't already an access-list 150? If there was, you
just added to the end of it, you didn't replace it. Type

no access-list 150

before configuring the ACL, to ensure that it starts out empty.

>
> 2. Turn on debug:
> debug ip packet detail 150
> **(note, I've also tried a variation, debug ip packet 150 detail)
>
> 3. Telnet to port 25 from the host, 10.10.59.59
>
> 4. Run a 'show log' command on the router to look at the log
>
> Instead of just seeing the traffic between the two hosts in the access list, I see a
> multitude of traffic from other hosts. Am I doing something wrong here? I would love to
> be able to only see the narrowed down traffic that I've specified in my access list.
>
> Thanks!


--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
 
J Anderia
      09-02-2006
I did confirm that there was no other access-list 150 before I created it. A "show run |
inc list 150" confirms this for me now also.

Could this be a bug with IOS 12.3(6)a? I'm guessing I am supposed to see filtered
results and not everything going through, is this correct?



 
J Anderia
      09-02-2006
Actually, the exact IOS is c3660-ik9o3s-mz.123-6a for what it's worth.



 
Barry Margolin
      09-02-2006
J Anderia wrote:

> I did confirm that there was no other access-list 150 before I created it. A "show run |
> inc list 150" confirms this for me now also.


That's a convoluted way to do "show access-list 150", isn't it?

>
> Could this be a bug with IOS 12.3(6)a? I'm guessing I am supposed to see filtered
> results and not everything going through, is this correct?


Yes. It always worked for me, but it's been a few years and IOS
versions since I worked on Ciscos.

--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
 
J Anderia
      09-02-2006
Ha! Yes, it is a convoluted way to show the list. I suppose I'm just a little too much
'include' happy.



 
Bod43@hotmail.co.uk
      09-02-2006


Firstly:-

access-list 150 permit tcp host 10.10.59.59 host 192.168.25.14 eq smtp
access-list 150 permit tcp host 192.168.25.14 host 10.10.59.59 established

In a /normal/ access list that was filtering interface traffic
the "established" keyword effectively stops TCP sessions
from starting by blocking the initial SYN packet, which does not
have the ACK (or RST) bit set.

http://www.cisco.com/en/US/products/...080431049.html
"The established keyword is used only for the TCP protocol to
indicate an established connection. A match occurs if the TCP
datagram has the ACK or RST bits set, which indicate that the
packet belongs to an existing connection."

In a debug ACL it won't block the whole session from the
debug processing.

I am not clear what exactly the issue is since you have
not given an example of exactly what is getting through
that you don't think should be.

Please post an example packet.

I have never seen debug behave in this way.
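
An added illustration (not part of the post above, and not IOS code): a small Python model of access-list 150 applied to the packets of the telnet-to-port-25 test, using the quoted rule that "established" matches when ACK or RST is set. The sample packets, the client port 1045, the host 10.10.59.60 and all function names are constructed for the example. It shows every packet of the test session matching a permit line, while a server-initiated SYN and an unrelated host fall through to the implicit deny.

```python
from collections import namedtuple
from dataclasses import dataclass

# flags: set of TCP flag names present on the segment
Pkt = namedtuple("Pkt", "src dst dport flags")

@dataclass(frozen=True)
class Ace:                      # one "permit tcp host A host B ..." line
    src: str
    dst: str
    dport: int = 0              # "eq <port>" on the destination; 0 = any
    established: bool = False   # the "established" keyword

    def matches(self, p):
        if (p.src, p.dst) != (self.src, self.dst):
            return False
        if self.dport and p.dport != self.dport:
            return False
        # Rule quoted in the thread: ACK or RST set => existing connection.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True

C, S = "10.10.59.59", "192.168.25.14"
ACL_150 = [Ace(C, S, dport=25),            # ... eq smtp
           Ace(S, C, established=True)]    # ... established

def acl_match(acl, p):
    """1-based number of the first matching permit line, 0 = implicit deny."""
    for n, ace in enumerate(acl, 1):
        if ace.matches(p):
            return n
    return 0

# Constructed packets: the telnet-to-25 test, then two that should not match.
SAMPLES = {
    "client SYN":           Pkt(C, S, 25, {"SYN"}),
    "server SYN+ACK":       Pkt(S, C, 1045, {"SYN", "ACK"}),
    "client ACK":           Pkt(C, S, 25, {"ACK"}),
    "server data":          Pkt(S, C, 1045, {"PSH", "ACK"}),
    "server-initiated SYN": Pkt(S, C, 1045, {"SYN"}),
    "unrelated host":       Pkt("10.10.59.60", S, 25, {"SYN"}),
}

def evaluate():
    return {name: acl_match(ACL_150, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, n in evaluate().items():
        print(f"{name:22} {'permit, line %d' % n if n else 'no match'}")
```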

 
Merv
      09-02-2006

you can also enable the internal logging buffer

check how much free memory the router has with sh memory command

Router# show memory

            Head   Total(b)    Used(b)    Free(b)  Lowest(b) Largest(b)
Processor B0EE38    5181896    2210036    2971860    2692456    2845368



on most systems you should be able to spare 20K, so configure:

conf t
logging buffer 20000 debugging
no logging console
end

wri mem

after debug, show logging

 