03-20-2015 07:03 AM - edited 03-11-2019 10:40 PM
I have captured some syslog output from my ASA5585-SSP-40 running 9.1(5)19 code. The basic show command results in output that shows the source and destination IPs, each with .514 appended. This seems right because syslog is transmitted UDP/514. What I don't understand is the "udp 143" and "udp 166" at the end of these two lines. The rest of the capture has more, seemingly random, numbers at the end as well.
fw3-cloudsys-ash1/act# sh capture syslog-tst3
4294 packets captured
1: 15:36:39.245852 802.1Q vlan#2050 P0 10.30.30.30.514 > 10.20.20.20.514: udp 143
2: 15:36:39.245852 802.1Q vlan#2050 P0 10.30.30.30.514 > 10.20.20.20.514: udp 166
fw3-cloudsys-ash1/act# sh capture syslog-tst3 detail
4294 packets captured
1: 15:36:39.245852 f4cf.e200.3d72 0000.0c07.ac64 0x8100 Length: 189 802.1Q vlan#2050 P0 10.64.4.131.514 > 10.74.80.84.514: [udp sum ok] udp 143 (ttl 255, id 28239)
2: 15:36:39.245852 f4cf.e200.3d72 0000.0c07.ac64 0x8100 Length: 212 802.1Q vlan#2050 P0 10.64.4.131.514 > 10.74.80.84.514: [udp sum ok] udp 166 (ttl 255, id 15063)
I then exported the capture and looked at it with Wireshark. Those numbers, 143 & 166, do not appear anywhere in frames 1 and 2. The overall packet length of packet 1 is 189. The length of the UDP datagram is 151.
What is that output telling me? What is that last field in the ASA CLI terminal output?
Thank you
03-24-2015 06:19 AM
Hi,
There are two fields which are shown in the captures with the "detail" option on the ASA device.
1) Length: overall length of the frame captured.
2) Payload length: length of the payload of the Layer 4 protocol (for example, the UDP payload for DNS, etc.).
I am not seeing any discrepancy in the capture lengths.
The only difference I saw in your test was the VLAN tag and nothing else.
Thanks and Regards,
Vibhor Amrodia
03-24-2015 01:25 PM
Ok, I have it now. I only looked at the size of the various protocol sections. I didn't look at only the syslog message by itself. Those numbers are the payload. Just the syslog message without any protocol information.
Thank you very much.
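An added example (not from the thread or from Cisco) that makes the answer's two fields and the poster's conclusion checkable: it parses both the basic and the `detail` forms of the `show capture` lines quoted above, pulls out the trailing `udp N` (the L4 payload, i.e. the syslog text alone) and the `Length:` value, and verifies that Length = Ethernet 14 + 802.1Q 4 + IPv4 20 + UDP 8 + payload, which gives 189 and 212 for the two packets, and that the UDP datagram length is 8 + 143 = 151 as seen in Wireshark. The header sizes (no IP options, no FCS in `Length:`) are assumptions that the thread's numbers bear out.

```python
import re
# Constructed sample input: the thread's two "show capture" lines and their "detail"
# forms (IPs as the poster sanitised them, differently in each view).
CAPTURE_LINES = [
    "1: 15:36:39.245852 802.1Q vlan#2050 P0 10.30.30.30.514 > 10.20.20.20.514: udp 143",
    "2: 15:36:39.245852 802.1Q vlan#2050 P0 10.30.30.30.514 > 10.20.20.20.514: udp 166",
]
DETAIL_LINES = [
    "1: 15:36:39.245852 f4cf.e200.3d72 0000.0c07.ac64 0x8100 Length: 189 802.1Q vlan#2050 P0 "
    "10.64.4.131.514 > 10.74.80.84.514: [udp sum ok] udp 143 (ttl 255, id 28239)",
    "2: 15:36:39.245852 f4cf.e200.3d72 0000.0c07.ac64 0x8100 Length: 212 802.1Q vlan#2050 P0 "
    "10.64.4.131.514 > 10.74.80.84.514: [udp sum ok] udp 166 (ttl 255, id 15063)",
]
# Header sizes assumed for the arithmetic: Ethernet II, one 802.1Q tag, IPv4 without
# options, UDP. "Length:" is taken to be the frame as captured, without FCS.
ETH_HDR, DOT1Q_TAG, IPV4_HDR, UDP_HDR = 14, 4, 20, 8

LINE_RE = re.compile(
    r"^(?P<num>\d+):\s+\S+\s+"                                                   # "1: <time>"
    r"(?:[0-9a-f.]+\s+[0-9a-f.]+\s+0x[0-9a-f]+\s+Length:\s+(?P<flen>\d+)\s+)?"  # detail view only
    r"(?P<vlan>802\.1Q vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?:\[udp sum \w+\]\s+)?udp\s+(?P<payload>\d+)"                            # trailing "udp N"
)

def parse_line(line):
    """Parse one ASA capture line (basic or detail view) into a dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised capture line: %r" % line)
    d = m.groupdict()
    return {"num": int(d["num"]),
            "frame_len": int(d["flen"]) if d["flen"] is not None else None,  # Length: (detail only)
            "vlan_tagged": d["vlan"] is not None,
            "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
            "payload_len": int(d["payload"])}                                # L4 payload: the syslog text

def udp_datagram_len(payload_len):
    """UDP length field = 8-byte header + payload (151 for the thread's first packet)."""
    return UDP_HDR + payload_len

def expected_frame_len(payload_len, vlan_tagged):
    """Frame bytes implied by a UDP payload under the header assumptions above."""
    return ETH_HDR + (DOT1Q_TAG if vlan_tagged else 0) + IPV4_HDR + UDP_HDR + payload_len

def frame_len_consistent(detail_line):
    """True when a detail line's Length: matches what its 'udp N' payload implies."""
    pkt = parse_line(detail_line)
    return pkt["frame_len"] == expected_frame_len(pkt["payload_len"], pkt["vlan_tagged"])
```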