Solved: Re: FWSM and capture.

andrea.meconi · ‎12-01-2010

Another question about FWSM with software 4.1(1).

Using capture, we are able to view the captured packets after a minute, or more, that they hit the interface.

Why?

Regards.

Andrea

mirober2 · ‎12-01-2010

Hi Andrea,

Yes, unfortunately all of the rules need to be recompiled whenever an ACL change is made. Therefore, this is expected behavior if you have a large set of ACLs.

-Mike

View solution in original post

mirober2 · ‎12-01-2010

Hi Andrea,

Do you mean that it takes a minute or so before you see any packets show up in the capture you configured? If so, this is expected when you configure a new ACL to be used with a capture. The capture will not start showing packets until the ACL used to match the traffic is finished compiling.Therefore, the longer it takes for the ACLs to compile, the longer it will be before you start seeing any data in your capture.

Hope that helps.

-Mike

andrea.meconi · ‎12-01-2010

You are right Mike.
But this happens with an ACL with two entries also?

Regards.

Andrea

mirober2 · ‎12-01-2010

Hi Andrea,

Yes, unfortunately all of the rules need to be recompiled whenever an ACL change is made. Therefore, this is expected behavior if you have a large set of ACLs.

-Mike

andrea.meconi · ‎12-01-2010

Many thanks for your help Mike.

Regards.

Andrea

andrea.meconi · ‎12-01-2010

Sorry Mike. To be clear, FWSM captures all packets but shows these after some minutes, when session is already closed.