debug ip packet

Discussion in 'Cisco' started by J Anderia, Sep 2, 2006.

  1. J Anderia

    J Anderia Guest

    I like to use the debug packet ip detail command to troubleshoot but even when I use it
    with an access list, the show log command captures everything, not just what I've put in
    the access list. Is there a way to get only what I want in the log buffer? This is what
    I'm doing:

    Log onto router - A 3660 running IOS 12.3(6)a

    1. Configure an access list:
    access-list 150 permit tcp host 10.10.59.59 host 192.168.25.14 eq smtp
    access-list 150 permit tcp host 192.168.25.14 host 10.10.59.59 established

    2. Turn on debug:
    debug ip packet detail 150
    **(note, I've also tried a variation, debug ip packet 150 detail)

    3. Telnet to port 25 from the host, 10.10.59.59

    4. Run a 'show log' command on the router to look at the log

    Instead of just seeing the traffic between the two hosts in the access list, I see a
    multitude of traffic from other hosts. Am I doing something wrong here? I would love to
    be able to only see the narrowed down traffic that I've specified in my access list.

    Thanks!
    J Anderia, Sep 2, 2006
    #1

  2. J Anderia

    lfnetworking Guest

    J Anderia wrote:
    > I like to use the debug packet ip detail command to troubleshoot but even when I use it
    > with an access list, the show log command captures everything, not just what I've put in
    > the access list. Is there a way to get only what I want in the log buffer? This is what
    > I'm doing:
    >
    > Log onto router - A 3660 running IOS 12.3(6)a
    >
    > 1. Configure an access list:
    > access-list 150 permit tcp host 10.10.59.59 host 192.168.25.14 eq smtp
    > access-list 150 permit tcp host 192.168.25.14 host 10.10.59.59 established
    >
    > 2. Turn on debug:
    > debug ip packet detail 150
    > **(note, I've also tried a variation, debug ip packet 150 detail)
    >
    > 3. Telnet to port 25 from the host, 10.10.59.59
    >
    > 4. Run a 'show log' command on the router to look at the log
    >
    > Instead of just seeing the traffic between the two hosts in the access list, I see a
    > multitude of traffic from other hosts. Am I doing something wrong here? I would love to
    > be able to only see the narrowed down traffic that I've specified in my access list.
    >
    > Thanks!

    Watch the debug in your terminal in exec mode, no need to look at logs -
    use the "term mon" command. Sounds like you have terminal logging on
    as well.
    lfnetworking, Sep 2, 2006
    #2

  3. J Anderia

    J Anderia Guest

    Thanks for the quick reply! I have tried that and I still get all the unwanted traffic
    showing up on the terminal. Any way to limit the traffic so it doesn't scroll off the
    screen too quickly when I'm trying to troubleshoot?



    On Sat, 02 Sep 2006 00:07:18 GMT, lfnetworking <_bill_@_lfnetworking.com> wrote:

    >J Anderia wrote:
    >> I like to use the debug packet ip detail command to troubleshoot but even when I use it
    >> with an access list, the show log command captures everything, not just what I've put in
    >> the access list. Is there a way to get only what I want in the log buffer? This is what
    >> I'm doing:
    >>
    >> Log onto router - A 3660 running IOS 12.3(6)a
    >>
    >> 1. Configure an access list:
    >> access-list 150 permit tcp host 10.10.59.59 host 192.168.25.14 eq smtp
    >> access-list 150 permit tcp host 192.168.25.14 host 10.10.59.59 established
    >>
    >> 2. Turn on debug:
    >> debug ip packet detail 150
    >> **(note, I've also tried a variation, debug ip packet 150 detail)
    >>
    >> 3. Telnet to port 25 from the host, 10.10.59.59
    >>
    >> 4. Run a 'show log' command on the router to look at the log
    >>
    >> Instead of just seeing the traffic between the two hosts in the access list, I see a
    >> multitude of traffic from other hosts. Am I doing something wrong here? I would love to
    >> be able to only see the narrowed down traffic that I've specified in my access list.
    >>
    >> Thanks!

    >watch the debug in your terminal in exec mode, no need to look at logs -
    >use the "term mon" command. Sounds like you have terminal logging on
    >as well
    J Anderia, Sep 2, 2006
    #3
  4. In article <>,
    J Anderia <> wrote:

    > I like to use the debug packet ip detail command to troubleshoot but even
    > when I use it
    > with an access list, the show log command captures everything, not just what
    > I've put in
    > the access list. Is there a way to get only what I want in the log buffer?
    > This is what
    > I'm doing:
    >
    > Log onto router - A 3660 running IOS 12.3(6)a
    >
    > 1. Configure an access list:
    > access-list 150 permit tcp host 10.10.59.59 host 192.168.25.14 eq smtp
    > access-list 150 permit tcp host 192.168.25.14 host 10.10.59.59 established


    Are you sure there wasn't already an access-list 150? If there was, you
    just added to the end of it, you didn't replace it. Type

    no access-list 150

    before configuring the ACL, to ensure that it starts out empty.

    >
    > 2. Turn on debug:
    > debug ip packet detail 150
    > **(note, I've also tried a variation, debug ip packet 150 detail)
    >
    > 3. Telnet to port 25 from the host, 10.10.59.59
    >
    > 4. Run a 'show log' command on the router to look at the log
    >
    > Instead of just seeing the traffic between the two hosts in the access list,
    > I see a
    > multitude of traffic from other hosts. Am I doing something wrong here? I
    > would love to
    > be able to only see the narrowed down traffic that I've specified in my
    > access list.
    >
    > Thanks!


    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
    Barry Margolin, Sep 2, 2006
    #4
  5. J Anderia

    J Anderia Guest

    I did confirm that there was no other access-list 150 before I created it. A "show run |
    inc list 150" confirms this for me now also.

    Could this be a bug with IOS 12.3(6)a? I'm guessing I am supposed to see filtered
    results and not everything going through, is this correct?

    On Fri, 01 Sep 2006 21:42:53 -0400, Barry Margolin <> wrote:

    >In article <>,
    > J Anderia <> wrote:
    >
    >> I like to use the debug packet ip detail command to troubleshoot but even
    >> when I use it
    >> with an access list, the show log command captures everything, not just what
    >> I've put in
    >> the access list. Is there a way to get only what I want in the log buffer?
    >> This is what
    >> I'm doing:
    >>
    >> Log onto router - A 3660 running IOS 12.3(6)a
    >>
    >> 1. Configure an access list:
    >> access-list 150 permit tcp host 10.10.59.59 host 192.168.25.14 eq smtp
    >> access-list 150 permit tcp host 192.168.25.14 host 10.10.59.59 established

    >
    >Are you sure there wasn't already an access-list 150? If there was, you
    >just added to the end of it, you didn't replace it. Type
    >
    >no access-list 150
    >
    >before configuring the ACL, to ensure that it starts out empty.
    >
    >>
    >> 2. Turn on debug:
    >> debug ip packet detail 150
    >> **(note, I've also tried a variation, debug ip packet 150 detail)
    >>
    >> 3. Telnet to port 25 from the host, 10.10.59.59
    >>
    >> 4. Run a 'show log' command on the router to look at the log
    >>
    >> Instead of just seeing the traffic between the two hosts in the access list,
    >> I see a
    >> multitude of traffic from other hosts. Am I doing something wrong here? I
    >> would love to
    >> be able to only see the narrowed down traffic that I've specified in my
    >> access list.
    >>
    >> Thanks!
    J Anderia, Sep 2, 2006
    #5
  6. J Anderia

    J Anderia Guest

    Actually, the exact IOS is c3660-ik9o3s-mz.123-6a for what it's worth.

    On Fri, 01 Sep 2006 21:55:35 -0400, J Anderia <> wrote:

    >I did confirm that there was no other access-list 150 before I created it. A "show run |
    >inc list 150" confirms this for me now also.
    >
    >Could this be a bug with IOS 12.3(6)a? I'm guessing I am supposed to see filtered
    >results and not everything going through, is this correct?
    >
    >On Fri, 01 Sep 2006 21:42:53 -0400, Barry Margolin <> wrote:
    >
    >>In article <>,
    >> J Anderia <> wrote:
    >>
    >>> I like to use the debug packet ip detail command to troubleshoot but even
    >>> when I use it
    >>> with an access list, the show log command captures everything, not just what
    >>> I've put in
    >>> the access list. Is there a way to get only what I want in the log buffer?
    >>> This is what
    >>> I'm doing:
    >>>
    >>> Log onto router - A 3660 running IOS 12.3(6)a
    >>>
    >>> 1. Configure an access list:
    >>> access-list 150 permit tcp host 10.10.59.59 host 192.168.25.14 eq smtp
    >>> access-list 150 permit tcp host 192.168.25.14 host 10.10.59.59 established

    >>
    >>Are you sure there wasn't already an access-list 150? If there was, you
    >>just added to the end of it, you didn't replace it. Type
    >>
    >>no access-list 150
    >>
    >>before configuring the ACL, to ensure that it starts out empty.
    >>
    >>>
    >>> 2. Turn on debug:
    >>> debug ip packet detail 150
    >>> **(note, I've also tried a variation, debug ip packet 150 detail)
    >>>
    >>> 3. Telnet to port 25 from the host, 10.10.59.59
    >>>
    >>> 4. Run a 'show log' command on the router to look at the log
    >>>
    >>> Instead of just seeing the traffic between the two hosts in the access list,
    >>> I see a
    >>> multitude of traffic from other hosts. Am I doing something wrong here? I
    >>> would love to
    >>> be able to only see the narrowed down traffic that I've specified in my
    >>> access list.
    >>>
    >>> Thanks!
    J Anderia, Sep 2, 2006
    #6
  7. In article <>,
    J Anderia <> wrote:

    > I did confirm that there was no other access-list 150 before I created it. A
    > "show run |
    > inc list 150" confirms this for me now also.


    That's a convoluted way to do "show access-list 150", isn't it?

    >
    > Could this be a bug with IOS 12.3(6)a? I'm guessing I am supposed to see
    > filtered
    > results and not everything going through, is this correct?


    Yes. It always worked for me, but it's been a few years and IOS
    versions since I worked on Ciscos.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
    Barry Margolin, Sep 2, 2006
    #7
  8. J Anderia

    J Anderia Guest

    Ha! Yes, it is a convoluted way to show the list. I suppose I'm just a little too much
    'include' happy. :)

    On Fri, 01 Sep 2006 22:04:55 -0400, Barry Margolin <> wrote:

    >In article <>,
    > J Anderia <> wrote:
    >
    >> I did confirm that there was no other access-list 150 before I created it. A
    >> "show run |
    >> inc list 150" confirms this for me now also.

    >
    >That's a convoluted way to do "show access-list 150", isn't it?
    >
    >>
    >> Could this be a bug with IOS 12.3(6)a? I'm guessing I am supposed to see
    >> filtered
    >> results and not everything going through, is this correct?

    >
    >Yes. It always worked for me, but it's been a few years and IOS
    >versions since I worked on Ciscos.
    J Anderia, Sep 2, 2006
    #8
  9. J Anderia

    Guest

    J Anderia wrote:
    > Ha! Yes, it is a convoluted way to show the list. I suppose I'm just a little too much
    > 'include' happy. :)
    >
    > On Fri, 01 Sep 2006 22:04:55 -0400, Barry Margolin <> wrote:
    >
    > >In article <>,
    > > J Anderia <> wrote:
    > >
    > >> I did confirm that there was no other access-list 150 before I created it. A
    > >> "show run |
    > >> inc list 150" confirms this for me now also.

    > >
    > >That's a convoluted way to do "show access-list 150", isn't it?
    > >
    > >>
    > >> Could this be a bug with IOS 12.3(6)a? I'm guessing I am supposed to see
    > >> filtered
    > >> results and not everything going through, is this correct?

    > >
    > >Yes. It always worked for me, but it's been a few years and IOS
    > >versions since I worked on Ciscos.


    Firstly:-

    access-list 150 permit tcp host 10.10.59.59 host 192.168.25.14 eq smtp
    access-list 150 permit tcp host 192.168.25.14 host 10.10.59.59 established

    In a /normal/ access list that was filtering interface traffic
    the "established" keyword effectively stops TCP sessions
    from starting by blocking the initial SYN packet which does not
    have the ACK (or RST) bit set.

    http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080431049.html
    "The established keyword is used only for the TCP protocol to
    indicate an established connection. A match occurs if the TCP
    datagram has the ACK or RST bits set, which indicate that the
    packet belongs to an existing connection."

    In a debug ACL it won't block the whole session from the
    debug processing.

    I am not clear what exactly the issue is since you have
    not given an example of exactly what is getting through
    that you don't think should be.

    Please post an example packet.

    I have never seen debug behave in this way.
    , Sep 2, 2006
    #9
  10. J Anderia

    Merv Guest

    You can also enable the internal logging buffer.

    Check how much free memory the router has with the sh memory command:

    Router# show memory

                 Head   Total(b)   Used(b)   Free(b)  Lowest(b)  Largest(b)
    Processor  B0EE38    5181896   2210036   2971860    2692456     2845368

    On most systems you should be able to spare 20K, so configure:

    conf t
    logging buffer 20000 debugging
    no logging console
    end

    wri mem

    After debug, show logging
    Merv, Sep 2, 2006
    #10
  11. In article <>,
    wrote:

    > Firstly:-
    >
    > access-list 150 permit tcp host 10.10.59.59 host 192.168.25.14 eq smtp
    > access-list 150 permit tcp host 192.168.25.14 host 10.10.59.59 established
    >
    > In a /normal/ access list that was filtering interface traffic
    > the "established" keyword effectively stops TCP sessions
    > from starting by blocking the initial SYN packet which does not
    > have the ACK (or RST) bit set.


    No it doesn't. The established keyword doesn't block anything, it just
    permits the returning packets on a connection that was already allowed
    to start by some other entry in the ACL.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
    Barry Margolin, Sep 3, 2006
    #11
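
The matching rules discussed in the last few posts, worked through as an added example (not part of the thread and not Cisco's code): a minimal first-match evaluator for the two access-list 150 entries, run over constructed TCP segments. The `Segment` and `Entry` classes, the helper names and the sample packets are assumptions made for illustration; the `established` test follows the Cisco text quoted above (ACK or RST set).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Segment:                       # constructed TCP segment, not captured traffic
    src: str
    dst: str
    dport: int
    flags: frozenset

@dataclass(frozen=True)
class Entry:                         # one "permit tcp host SRC host DST ..." line
    src: str
    dst: str
    dport: Optional[int] = None      # "eq <port>" on the destination port
    established: bool = False

    def matches(self, seg: Segment) -> bool:
        if (seg.src, seg.dst) != (self.src, self.dst):
            return False
        if self.dport is not None and seg.dport != self.dport:
            return False
        # "established" matches only segments with ACK or RST set
        return not self.established or bool(seg.flags & {"ACK", "RST"})

ACL_150 = [                          # the two entries from the original post
    Entry("10.10.59.59", "192.168.25.14", dport=25),
    Entry("192.168.25.14", "10.10.59.59", established=True),
]

def first_match(acl, seg):
    """1-based number of the first matching permit entry, or None (implicit deny)."""
    for number, entry in enumerate(acl, 1):
        if entry.matches(seg):
            return number
    return None

def mk(src, dst, dport, *flags):     # hypothetical helper to build sample segments
    return Segment(src, dst, dport, frozenset(flags))

SAMPLES = {  # constructed packets: the SMTP test from the thread plus unrelated traffic
    "client SYN":      mk("10.10.59.59", "192.168.25.14", 25, "SYN"),
    "server SYN-ACK":  mk("192.168.25.14", "10.10.59.59", 1025, "SYN", "ACK"),
    "client ACK":      mk("10.10.59.59", "192.168.25.14", 25, "ACK"),
    "server bare SYN": mk("192.168.25.14", "10.10.59.59", 1025, "SYN"),
    "other host SYN":  mk("10.10.59.60", "192.168.25.14", 25, "SYN"),
}

def trace(acl=ACL_150):
    return {name: first_match(acl, s) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in trace().items():
        print(f"{name:16} -> {'entry %d' % hit if hit else 'no match (implicit deny)'}")
```

The `established` entry permits the server's replies without itself blocking anything; the bare SYN from the server and the traffic from the other host are excluded only because no entry matches them and the implicit deny applies.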