topic Re: Debug command in Network Security

Debug command

sivakumar.ks — Mon, 11 Mar 2019 09:36:41 GMT

Any manual of how to use debug command specific to a packet or IP address. Since it take lot of memory if I run that randomly.

Re: Debug command

vitripat — Thu, 22 Feb 2007 11:45:50 GMT

Debug command was the old way of capturing the packets. This command has been deprecated in 7.x versions. There is a better way available to capture the packets. For that we can use the "capture" command. Here is an example-

suppose there is a host a.a.a.a on the inside interface of PIX/ASA and I need to capture all the outbound packets from this host. For this, I can apply captures using folloaing commands-

-> access-list capi permit ip host a.a.a.a any

-> capture cpi access-list capi buffer 1000000 packet-length 1518 interface inside

Using access-list gives me more strength and granularity to capture only the packets I need. Later I use that access-list in the capture command. To download the capture files, I need to point my browser to-

https://interface_ip/capture/cpi/pcap

(assuming PDM/ASDM is installed)

You can also use "copy" command to transfer the capture file to a tftp server.

Link for capture command-

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/c.htm#wp1950270

Link for copy command-

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/c.htm#wp1970556

Hope this is helpful.

Regards,

Vibhor.

Re: Debug command

sivakumar.ks — Fri, 23 Feb 2007 03:23:18 GMT

Hi ,

Thanks for your response. Do we need to apply accesslist exclusively to an interface. Do the above access-list capi is independent of exisiting access-list.

Regards,

siva

Re: Debug command

vitripat — Fri, 23 Feb 2007 04:02:49 GMT

We dont need to apply this access-list on any interface. It is completely independent of existing access-lists on device. The sole pupose of these ACLs is to match the traffic we need to capture by using them in the capture command.