10-15-2013 11:42 AM
Hi, I have tried to do a packet capture on the ACE by following this doc -
Issue is, the output is displayed in a hexadecimal format (in red below) -
ACE1# show capture CAP2414 detail
0001: msg_type: PKT_RCV
ace_id: 18173 action_flag: 0x13
src_addr: 10.127.84.153 src_port: 58653
dst_addr: 10.127.85.153 dst_port: 14109
l3_protocol: 0 l4_protocol: 6
message_hex_dump:
0x0000: 0007 0104 0000 46fd 0000 0000 0a7f 5499 ......F.......T.
0x0010: 0a7f 5599 0609 0033 e51d 371d 0000 0000 ..U....3..7.....
0x0020: 0104 0000 05b4 0000 0000 46fd 1300 0000 ..........F.....
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0001 ........
Even if I copy the CAP file to my laptop and open it in Wireshark, I only see it showing source and destination MACs. (File attached)
Can anyone please advise??
10-17-2013 09:41 AM
Hi,
Normally, after you run a pcap, save it to disk, then import the file from there to your laptop and open it in Wireshark, it should show you the normal output as you see normally with a packet capture done on your machine?
Which version of ACE are you running? Have you tried in another version?
Regards,
Kanwal
10-21-2013 10:09 AM
Hi, I have done exactly the same. We have the ACE module (PID: ACE20-MOD-K9) running ver A2.3 (6a). I cannot try another version as the device is in production. Does it do the same for you? If you open my attached .docx file, I am not getting the desired information as source IP and dest IP.
10-21-2013 10:16 AM
Hi Sandev,
We take pcaps all the time and have never faced an issue like that. We see some packets missing or the file not copying, but never such an issue. Can you send me the exact steps you are doing and the access list that you have set up?
Regards,
Kanwal
10-21-2013 10:28 AM
Hi Kanwaljeet, the steps are -
Step 1:
access-list CAP line 8 extended permit ip host 10.127.84.152 host 10.127.85.152
access-list CAP line 16 extended permit ip host 10.127.84.153 host 10.127.85.153
Step 2:
capture CAP interface all access-list CAP
Step 3:
capture CAP start
Step 4:
capture CAP stop
Step 5:
Copy capture CAP disk0:CAP
Step 6:
tftp the file CAP to the laptop and open in Wireshark
10-21-2013 11:21 AM
Hi Sandev,
The steps look fine. Is it possible to send me the CAP file that I can open in Wireshark?
Regards,
Kanwal