cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
20652
Views
47
Helpful
11
Replies

ISE TCP dump - limited filters

Arne Bier
VIP
VIP

Hello

If I understand the ISE Admin Guide correctly, the ONLY expression that ISE supports is "ip host" ?  I have misunderstood 'standard' to mean that ISE supports the standard tcpdump expressions :-(

It would be nice to be able to apply the standard filters - would this be considered a feature request?

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee
Cisco Employee

It looks like this changed at some point (maybe with 2.3?) as I know I have used simple port filters in the past, but for some reason ISE won't take a port filter unless I also specify an 'ip host' filter. If you're trying to filter on a port, you might just include the ISE node IP address as a workaround.

Screen Shot 2018-04-10 at 10.46.20 am.png

Maybe one of the TME's that monitor the community page can provide some clarification if this is expected behaviour or should be considered a bug.

-Regards,

Greg

View solution in original post

11 Replies 11

Greg Gibbs
Cisco Employee
Cisco Employee

It looks like this changed at some point (maybe with 2.3?) as I know I have used simple port filters in the past, but for some reason ISE won't take a port filter unless I also specify an 'ip host' filter. If you're trying to filter on a port, you might just include the ISE node IP address as a workaround.

Screen Shot 2018-04-10 at 10.46.20 am.png

Maybe one of the TME's that monitor the community page can provide some clarification if this is expected behaviour or should be considered a bug.

-Regards,

Greg

Arne Bier
VIP
VIP

nice workaround

Greg Gibbs
Cisco Employee
Cisco Employee

hslai, do you have any knowledge about or comment on this change of behaviour for the tcpdump filter?

+1

I am guessing it might be due to moving this utility from flash to HTML5.

CSCvd36140 is an enhancement to allow other options and currently internal but I will add an RNE and make it external.

This is unfortunately still a problem in 2.6 and 2.7. I wanted to capture all DHCP traffic via the TCPDump utility, sadly can't.

funny you say that ... today I used the crude tcpdump on the CLI and captured all the output to a text file - I was testing the SMTP and I found what I was looking for. But it did feel a bit 1984'ish ... there's a perfectly good Linux tcpdump just sitting under the covers ... now if only I could get my grubby paws on it ... :)

You will be pleasantly surprised in the next few months :)
Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Well ?

In 2022, ISE 2.7 with patch 7 does not still have this repaired.

So workaround with using ip host plus and port still works.

 

It seems it is BUG and that was not still fixed at all. What do you think now ?

Don't expect too much to get fixed in ISE 2.7. No matter what version of ISE you're on you're always at the mercy of Cisco making these tools available to you. All the while, the tools that can do the job are already there in Linux, but hidden from us (no access). Prime Infrastructure has root access, so does DNAC. Even a non-root shell would be nice. 

Can I expect it in version 3.1 ?

Hsing-Tsu made a great suggestion. Because I am pcaping a single node the following worked from the GUI, "ip hose <psn ip> and port 67".

Eddie also suggested the CLI as an alternative, ex. "tech dumptcp 0 | inc "\.22 \>""

The next GUI doesn't have this issue :)
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: