Cisco 7604 Configuration Guide - Page 608
Capturing Packets, Capture Overview, Capture Limitations
Other Troubleshooting Tools
Chapter 26 Troubleshooting the Firewall Services Module

Capturing Packets

Capturing packets is sometimes useful when troubleshooting connectivity problems or monitoring suspicious activity. This section includes the following topics:
• Capture Overview, page 26-8
• Capture Limitations, page 26-8
• Configuring a Packet Capture, page 26-9

Capture Overview

The FWSM is capable of tracking all IP traffic that flows across it. It is also capable of capturing all the IP traffic that is destined to the FWSM, including all the management traffic (such as SSH and Telnet traffic) to the FWSM.

The FWSM architecture consists of three different sets of processors for packet processing; this architecture poses certain restrictions on the capability of the capture feature. Typically, most of the packet forwarding functionality in the FWSM is handled by the two front-end network processors, and packets are sent to the control-plane general-purpose processor only if they need application inspection (see the "Stateful Inspection Overview" section on page 1-8 for more information). The packets are sent to the session management path network processor only if there is a session miss in the accelerated path processor.

Because all the packets that are forwarded or dropped by the FWSM hit the two front-end network processors, the packet capture feature is implemented in these network processors. So all the packets that hit the FWSM can be captured by these front-end processors, if an appropriate capture is configured for those traffic interfaces. On the ingress side, the packets are captured the moment the packet hits the FWSM interfaces, and on the egress side the packets are captured just before they are sent out on the wire.

Capture Limitations

The following are some of the limitations of the capture feature. Most of the limitations are due to the distributed nature of the FWSM architecture and to the hardware accelerators used in the FWSM.
• You cannot configure more than one capture per interface. However, you can configure multiple ACEs in the capture access list to have a flexible configuration.
• You can only capture IP traffic. Non-IP packets such as ARPs cannot be captured by the capture feature.
• For a shared VLAN:
  - You can only configure one capture for the VLAN; if you configure a capture in multiple contexts on the shared VLAN, then only the last capture that was configured is used. If you remove the last-configured (active) capture, no captures become active, even if you previously configured a capture in another context; you must remove and re-add the capture to make it active.
  - All traffic that enters the interface to which the capture is attached (and that matches the capture access list) is captured, including traffic to other contexts on the shared VLAN. Therefore, if you enable a capture in Context A for a VLAN that is also used by Context B, both Context A and Context B ingress traffic is captured.

26-8 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
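The shared-VLAN rules above are easy to get wrong when several administrators own different contexts: a capture added in Context B silently replaces Context A's capture on the same VLAN, and removing it does not restore the older one. The following Python model is an added example, not Cisco's code and not the FWSM CLI; it applies the three limitations (one capture per interface, IP traffic only, last-configured-wins per shared VLAN with no fallback on removal) to constructed capture definitions and constructed ingress frames, so you can see which capture would actually record which traffic before touching a device. Context names, capture names, VLAN ids and frames are all hypothetical.

```python
"""Model of the FWSM capture limitations described on this page (constructed example).

It does not talk to a device; it keeps the bookkeeping a defender would do before
enabling captures on a multi-context FWSM with shared VLANs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Capture:
    context: str      # security context that owns the capture (hypothetical names)
    name: str         # capture name (hypothetical; not a device identifier)
    interface: str    # interface name as seen inside that context
    vlan: int         # VLAN behind the interface; a shared VLAN has the same id in several contexts


@dataclass(frozen=True)
class Frame:
    frame_id: int
    vlan: int         # VLAN the frame enters on
    ethertype: str    # "ip" or something else such as "arp"
    dst_context: str  # context the frame is really destined for


class CaptureTable:
    """Applies the limitations: one capture per interface, IP only,
    and last-configured-wins (with no fallback on removal) per shared VLAN."""

    def __init__(self) -> None:
        self.configured: List[Capture] = []
        self.active: Dict[int, Optional[Capture]] = {}   # vlan -> capture currently in use

    def add(self, cap: Capture) -> None:
        for c in self.configured:
            if c.context == cap.context and c.interface == cap.interface:
                raise ValueError(
                    f"{cap.context}: interface {cap.interface} already has capture {c.name}; "
                    "add ACEs to the capture access list instead of a second capture")
        self.configured.append(cap)
        self.active[cap.vlan] = cap          # last capture configured on the VLAN wins

    def remove(self, context: str, name: str) -> None:
        cap = next(c for c in self.configured if c.context == context and c.name == name)
        self.configured.remove(cap)
        if self.active.get(cap.vlan) is cap:
            self.active[cap.vlan] = None     # nothing becomes active, even if older captures exist

    def inactive_captures(self) -> List[Capture]:
        """Configured captures that are not in use on their VLAN (remove and re-add to use them)."""
        return [c for c in self.configured if self.active.get(c.vlan) is not c]

    def captured_frames(self, frames: List[Frame]) -> Dict[str, List[int]]:
        """Map 'context/capture' -> frame ids it records. Non-IP frames are never captured;
        IP frames are captured by the VLAN's active capture regardless of destination context."""
        out: Dict[str, List[int]] = {}
        for f in frames:
            cap = self.active.get(f.vlan)
            if cap is None or f.ethertype != "ip":
                continue
            out.setdefault(f"{cap.context}/{cap.name}", []).append(f.frame_id)
        return out


def demo() -> dict:
    """Walk through the shared-VLAN scenario from the page with constructed data."""
    t = CaptureTable()
    t.add(Capture("ContextA", "capA", "inside", 100))
    t.add(Capture("ContextB", "capB", "inside", 100))   # same shared VLAN: capB is now the active one
    frames = [                                          # constructed ingress frames
        Frame(1, 100, "ip", "ContextA"),                # Context A traffic, still seen by capB
        Frame(2, 100, "ip", "ContextB"),
        Frame(3, 100, "arp", "ContextA"),               # non-IP: not captured
        Frame(4, 200, "ip", "ContextA"),                # VLAN with no capture
    ]
    before = t.captured_frames(frames)
    t.remove("ContextB", "capB")
    after = t.captured_frames(frames)                   # capA is configured but not active: nothing captured
    return {"before": before, "after": after,
            "inactive": [c.name for c in t.inactive_captures()]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the trap in one place: while `capB` exists it records both contexts' IP frames on VLAN 100 (frame 3, an ARP, is never captured); after `capB` is removed, `capA` is listed as configured but inactive and records nothing until it is removed and re-added.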