cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1316
Views
0
Helpful
2
Replies

ASA CLI Packet Capture - What does the last number in the terminal output represent?

dfreemire
Level 1
Level 1

I have captured some syslog output from my ASA5585-SSP-40 running 9.1(5)19 code. The basic show command results in output that shows the source and destination IPs, each with .514 appended. This seems right because syslog is transmitted UDP/514. What I don't understand is the "udp 143" and "udp 166" at the end of these two lines. The rest of the capture has more, seemingly random, numbers at the end as well.

fw3-cloudsys-ash1/act# sh capture syslog-tst3
4294 packets captured
   1: 15:36:39.245852       802.1Q vlan#2050 P0 10.30.30.30.514 > 10.20.20.20.514:  udp 143
   2: 15:36:39.245852       802.1Q vlan#2050 P0 10.30.30.30.514 > 10.20.20.20.514:  udp 166

fw3-cloudsys-ash1/act# sh capture syslog-tst3 detail
4294 packets captured
   1: 15:36:39.245852 f4cf.e200.3d72 0000.0c07.ac64 0x8100 Length: 189
      802.1Q vlan#2050 P0 10.64.4.131.514 > 10.74.80.84.514:  [udp sum ok] udp 143 (ttl 255, id 28239) 
   2: 15:36:39.245852 f4cf.e200.3d72 0000.0c07.ac64 0x8100 Length: 212
      802.1Q vlan#2050 P0 10.64.4.131.514 > 10.74.80.84.514:  [udp sum ok] udp 166 (ttl 255, id 15063) 

I then exported the capture and looked at it with Wireshark. Those numbers, 143 & 166, do not appear anywhere in frames 1 and 2. The overall packet length of packet 1 is 189. The length of the UDP datagram is 151.

What is that output telling me? What is that last field in the ASA CLI terminal output?

Thank you

 

1 Accepted Solution

Accepted Solutions

Vibhor Amrodia
Cisco Employee
Cisco Employee

Hi,

There are two Fields which are shown in the captures with the "detailed " option on the ASA device.

1) Length:- Overall length of the Frame captured

2) Payload Length:- Length of the payload on the Layer 4 protocol(For ex:- UDP payload for DNS etc)

I am not seeing any discrepancy in the capture lengths.

The only difference i saw in your test was the VLAN TAG and nothing else.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

2 Replies 2

Vibhor Amrodia
Cisco Employee
Cisco Employee

Hi,

There are two Fields which are shown in the captures with the "detailed " option on the ASA device.

1) Length:- Overall length of the Frame captured

2) Payload Length:- Length of the payload on the Layer 4 protocol(For ex:- UDP payload for DNS etc)

I am not seeing any discrepancy in the capture lengths.

The only difference i saw in your test was the VLAN TAG and nothing else.

Thanks and Regards,

Vibhor Amrodia

Ok, I have it now. I only looked at the size of the various protocol sections. I didn't look at only the syslog message by itself. Those numbers are the payload. Just the syslog message without any protocol information.

Thank you very much.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: