
04-08-2018 08:41 PM
Hello
If I understand the ISE Admin Guide correctly, the ONLY expression that ISE supports is "ip host"? I have misunderstood 'standard' to mean that ISE supports the standard tcpdump expressions :-(
It would be nice to be able to apply the standard filters - would this be considered a feature request?
Labels: Identity Services Engine (ISE)
Accepted Solutions

04-09-2018 05:53 PM
It looks like this changed at some point (maybe with 2.3?) as I know I have used simple port filters in the past, but for some reason ISE won't take a port filter unless I also specify an 'ip host' filter. If you're trying to filter on a port, you might just include the ISE node IP address as a workaround.
Maybe one of the TMEs that monitor the community page can provide some clarification if this is expected behaviour or should be considered a bug.
-Regards,
Greg


04-09-2018 10:18 PM
nice workaround

04-10-2018 02:28 PM
hslai, do you have any knowledge about or comment on this change of behaviour for the tcpdump filter?
04-10-2018 02:48 PM
+1
I am guessing it might be due to moving this utility from Flash to HTML5.
CSCvd36140 is an enhancement to allow other options and is currently internal, but I will add an RNE and make it external.
06-01-2020 11:43 AM
06-02-2020 05:46 AM
Funny you say that ... today I used the crude tcpdump on the CLI and captured all the output to a text file - I was testing the SMTP and I found what I was looking for. But it did feel a bit 1984'ish ... there's a perfectly good Linux tcpdump just sitting under the covers ... now if only I could get my grubby paws on it ... :)
06-02-2020 06:10 AM
Please 'RATE' and 'MARK ACCEPTED', if applicable.

05-19-2022 03:04 AM - edited 05-19-2022 03:06 AM
Well?
In 2022, ISE 2.7 with patch 7 still does not have this repaired.
So the workaround of using ip host plus and port still works.
It seems it is a bug and that it still has not been fixed at all. What do you think now?
05-19-2022 01:23 PM
Don't expect too much to get fixed in ISE 2.7. No matter what version of ISE you're on you're always at the mercy of Cisco making these tools available to you. All the while, the tools that can do the job are already there in Linux, but hidden from us (no access). Prime Infrastructure has root access, so does DNAC. Even a non-root shell would be nice.

06-15-2022 03:27 AM
Can I expect it in version 3.1?
06-02-2020 08:04 AM
Eddie also suggested the CLI as an alternative, ex. "tech dumptcp 0 | inc "\.22 \>""
The next GUI doesn't have this issue :)
