Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 169

Chapter 9
Displaying and Capturing Live Traffic on an Interface
count—Maximum number of packets to capture (optional). The valid range is 1 to 10000.
expression—Packet-capture filter expression. This expression is passed directly to TCPDUMP and must meet the TCPDUMP expression syntax.
file-info—Displays information about the stored packet file. File-info displays the following information:
Captured by: user:id, Cmd: cliCmd
Start: yyyy/mm/dd hh:mm:ss zone, End: yyyy/mm/dd hh:mm:ss zone or in-progress
where
user = username of the user initiating the capture
id = user's CLI ID
cliCmd = command entered to perform the capture
verbose—Displays the protocol tree for each packet rather than a one-line summary. This parameter is optional.
To configure the sensor to capture live traffic on an interface, follow these steps:
Step 1 Log in to the sensor using an account with administrator or operator privileges.
Step 2 Capture the live traffic on the interface you are interested in, for example, GigabitEthernet0/1:
sensor# packet capture GigabitEthernet0/1
Warning: This command will cause significant performance degradation
tcpdump: WARNING: ge0_1: no IPv4 address assigned
tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes
125 packets captured
126 packets received by filter
0 packets dropped by kernel
Step 3 To view the captured packet file:
sensor# packet display packet-file
reading from file /usr/cids/idsRoot/var/packet-file, link-type EN10MB (Ethernet)
03:03:13.216768 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15
03:03:13.232881 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 3266153791 win 64328
03:03:13.232895 IP 10.89.130.108.23 > 64.101.182.244.1978: P 1:157(156) ack 0 win 5840
03:03:13.433136 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 157 win 65535
03:03:13.518335 IP 10.89.130.134.42342 > 255.255.255.255.42342: UDP, length: 76
03:03:15.218814 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15
03:03:15.546866 IP 64.101.182.244.1978 > 10.89.130.108.23: P 0:2(2) ack 157 win 65535
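The packet display output above is ordinary tcpdump one-line summaries, which makes it easy to post-process off the sensor. The following is an added example (not part of the Cisco guide) that parses such output, counts packets per direction-independent flow, and flags flows to well-known cleartext services such as telnet; the sample lines are copied from the manual's output, and the port-to-service table is this example's own assumption.

```python
import re
from collections import Counter

# Sample "packet display" output, copied from the manual's example (non-IP 802.1d line included).
SAMPLE = """\
03:03:13.216768 802.1d config TOP_CHANGE 8000.00:04:9a:66:35:01.8025 root 8000.00:04:6d:f9:e8:82 pathcost 8 age 2 max 20 hello 2 fdelay 15
03:03:13.232881 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 3266153791 win 64328
03:03:13.232895 IP 10.89.130.108.23 > 64.101.182.244.1978: P 1:157(156) ack 0 win 5840
03:03:13.433136 IP 64.101.182.244.1978 > 10.89.130.108.23: . ack 157 win 65535
03:03:13.518335 IP 10.89.130.134.42342 > 255.255.255.255.42342: UDP, length: 76
03:03:15.546866 IP 64.101.182.244.1978 > 10.89.130.108.23: P 0:2(2) ack 157 win 65535
"""

# tcpdump IPv4 summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
IP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Assumed table of unencrypted management/application services (not from the guide).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

def parse_display(text):
    """Return (ip_packets, non_ip_count); non-IP lines such as 802.1d STP are only counted."""
    packets, other = [], 0
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if not m:
            other += 1
            continue
        proto = "UDP" if m["rest"].startswith("UDP") else "TCP"  # tcpdump prints UDP explicitly
        packets.append({**m.groupdict(), "proto": proto,
                        "sport": int(m["sport"]), "dport": int(m["dport"])})
    return packets, other

def flow_key(p):
    """Direction-independent key so both halves of a session land in one bucket."""
    a = (p["src"], p["sport"])
    b = (p["dst"], p["dport"])
    return (p["proto"],) + (a + b if a <= b else b + a)

def summarize(text):
    packets, other = parse_display(text)
    return {"flows": dict(Counter(flow_key(p) for p in packets)), "non_ip": other}

def cleartext_flows(text):
    """TCP flows where either port is a known cleartext service, with packet counts."""
    hits = []
    for key, n in summarize(text)["flows"].items():
        proto, _, p1, _, p2 = key
        for port in (p1, p2):
            if proto == "TCP" and port in CLEARTEXT_PORTS:
                hits.append((CLEARTEXT_PORTS[port], key, n))
    return hits
```

Feed it the text saved from a packet display session; the telnet conversation in the sample shows up as one 4-packet flow.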
Note (count): If you do not specify this option, the capture terminates after the maximum file size is captured.
Note (expression): The expression syntax is described in the Wireshark man page.
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
Capturing Live Traffic on an Interface
9-5