Solved: Cisco ASA Capture Meaning

reno51 · ‎10-20-2020

Hello,

I would like to know the meaning of these words (P0/P2) in an ASA capture:

CISCOASA# capture TOTO interface Guest real-time

4: 11:04:48.898055 802.1Q vlan#XXXX P2 172.22.X.X.50336 > X.X.X.X.53: udp 39
5: 11:04:48.908034 802.1Q vlan#XXXX P0 172.22.X.X.61668 > X.X.X.X.443: S 1932400622:1932400622(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>

I searched on different forums/blogs/cisco website without finding anything.

Sheraz.Salim · ‎10-20-2020

P stand for Push. it is used in regards with Transport layer where tcp/udp resides.

here is example of my firewall cap.

5: 20:41:14.396280       192.168.103.37.52140 > 52.51.6.150.443: P 4009765312:4009765343(31) ack 558260876 win 512
6: 20:41:14.396418       192.168.103.37.52140 > 52.51.6.150.443: F 4009765343:4009765343(0) ack 558260876 win 512

now if i give a command

asa# show capture wireless decode detail dump packet-number 5 trace
5: 20:41:14.396280 14ab.c5f4.f1ff 286f.7fd1.3a38 0x0800 Length: 85
      192.168.103.37.52140 > 52.51.6.150.443: P [tcp sum ok] 4009765312:4009765343(31) ack 558260876 win 512 (DF) (ttl 128, id 62257)
0x0000   286f 7fd1 3a38 14ab c5f4 f1ff 0800 4500        (o..:8........E.
0x0010   0047 f331 4000 8006 a4e8 c0a8 6725 3433        .G.1@.......g%43
0x0020   0696 cbac 01bb ef00 29c0 2146 628c 5018        ........).!Fb.P.
0x0030   0200 8a58 0000 1503 0300 1a00 0000 0000        ...X............
0x0040   0000 028f a5c5 7800 9414 eea6 94d8 c67d        ......x........}
0x0050   e44c 430b ff                                   .LC..
1 packet shown

prior to get P. rest of the flags are come in first. forexample SYN, SYN-ACK and ACK.

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options

in your output as you shown:

4: 11:04:48.898055 802.1Q vlan#XXXX P2 172.22.X.X.50336 > X.X.X.X.53: udp 39
5: 11:04:48.908034 802.1Q vlan#XXXX P0 172.22.X.X.61668 > X.X.X.X.443: S 1932400622:1932400622(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>

first its clearly mention you using 802.1Q mean vlanx here P0/P2 is a Priority values.

according to IEEE

The IEEE however has made some broad recommendations:[2][3]
PCP Priority Acronym Traffic types
1 0 (lowest) BK Background
0 1 BE Best Effort
2 2 EE Excellent Effort
3 3 CA Critical Applications
4 4 VI Video, < 100 ms latency and jitter
5 5 VO Voice, < 10 ms latency and jitter
6 6 IC Internetwork Control
7 7 (highest) NC Network Control
Note that the above recommendations are in use since IEEE 802.1Q-2005 and were revised from the original recommendations in IEEE 802.1D-2004 to better accommodate IP DiffServ.
https://en.wikipedia.org/wiki/IEEE_P802.1p

please do not forget to rate.

View solution in original post

balaji.bandi · ‎10-20-2020

Good quesiton, Looks ethernet header ( just guess - sorry)

here is general capture for TCP flow :

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Sheraz.Salim · ‎10-20-2020

P stand for Push. it is used in regards with Transport layer where tcp/udp resides.

here is example of my firewall cap.

5: 20:41:14.396280       192.168.103.37.52140 > 52.51.6.150.443: P 4009765312:4009765343(31) ack 558260876 win 512
6: 20:41:14.396418       192.168.103.37.52140 > 52.51.6.150.443: F 4009765343:4009765343(0) ack 558260876 win 512

now if i give a command

asa# show capture wireless decode detail dump packet-number 5 trace
5: 20:41:14.396280 14ab.c5f4.f1ff 286f.7fd1.3a38 0x0800 Length: 85
      192.168.103.37.52140 > 52.51.6.150.443: P [tcp sum ok] 4009765312:4009765343(31) ack 558260876 win 512 (DF) (ttl 128, id 62257)
0x0000   286f 7fd1 3a38 14ab c5f4 f1ff 0800 4500        (o..:8........E.
0x0010   0047 f331 4000 8006 a4e8 c0a8 6725 3433        .G.1@.......g%43
0x0020   0696 cbac 01bb ef00 29c0 2146 628c 5018        ........).!Fb.P.
0x0030   0200 8a58 0000 1503 0300 1a00 0000 0000        ...X............
0x0040   0000 028f a5c5 7800 9414 eea6 94d8 c67d        ......x........}
0x0050   e44c 430b ff                                   .LC..
1 packet shown

prior to get P. rest of the flags are come in first. forexample SYN, SYN-ACK and ACK.

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options

in your output as you shown:

4: 11:04:48.898055 802.1Q vlan#XXXX P2 172.22.X.X.50336 > X.X.X.X.53: udp 39
5: 11:04:48.908034 802.1Q vlan#XXXX P0 172.22.X.X.61668 > X.X.X.X.443: S 1932400622:1932400622(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>

first its clearly mention you using 802.1Q mean vlanx here P0/P2 is a Priority values.

according to IEEE

The IEEE however has made some broad recommendations:[2][3]
PCP Priority Acronym Traffic types
1 0 (lowest) BK Background
0 1 BE Best Effort
2 2 EE Excellent Effort
3 3 CA Critical Applications
4 4 VI Video, < 100 ms latency and jitter
5 5 VO Voice, < 10 ms latency and jitter
6 6 IC Internetwork Control
7 7 (highest) NC Network Control
Note that the above recommendations are in use since IEEE 802.1Q-2005 and were revised from the original recommendations in IEEE 802.1D-2004 to better accommodate IP DiffServ.
https://en.wikipedia.org/wiki/IEEE_P802.1p

please do not forget to rate.

reno51 · ‎10-20-2020

Thank you so much for your answer.

I should have looked better at the pcap file with Wireshark.