Capturing Packets; Capture Overview; Capture Limitations - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI
Chapter 26: Troubleshooting the Firewall Services Module

Other Troubleshooting Tools

Capturing Packets

Capturing packets is sometimes useful when troubleshooting connectivity problems or monitoring suspicious activity. This section includes the following topics:

Capture Overview, page 26-8
Capture Limitations, page 26-8
Configuring a Packet Capture, page 26-9

Capture Overview

The FWSM is capable of tracking all IP traffic that flows across it. It is also capable of capturing all the IP traffic that is destined to the FWSM, including all the management traffic (such as SSH and Telnet traffic) to the FWSM.

The FWSM architecture consists of three different sets of processors for packet processing; this architecture poses certain restrictions on the capability of the capture feature. Typically, most of the packet forwarding functionality in the FWSM is handled by the two front-end network processors, and packets are sent to the control-plane general-purpose processor only if they need application inspection (see the "Stateful Inspection Overview" section on page 1-8 for more information). Packets are sent to the session management path network processor only if there is a session miss in the accelerated path processor.

Because all the packets that are forwarded or dropped by the FWSM hit the two front-end network processors, the packet capture feature is implemented in these network processors. All the packets that hit the FWSM can therefore be captured by these front-end processors, provided an appropriate capture is configured for those traffic interfaces. On the ingress side, packets are captured the moment they hit the FWSM interfaces, and on the egress side packets are captured just before they are sent out on the wire.

Capture Limitations

The following are some of the limitations of the capture feature. Most of the limitations are due to the distributed nature of the FWSM architecture and to the hardware accelerators that are used in the FWSM.

• You cannot configure more than one capture per interface. You can, however, configure multiple ACEs in the capture access list to obtain a flexible configuration.
• You can only capture IP traffic. Non-IP packets such as ARPs cannot be captured by the capture feature.
• For a shared VLAN:
  • You can only configure one capture for the VLAN; if you configure a capture in multiple contexts on the shared VLAN, then only the last capture that was configured is used.
  • If you remove the last-configured (active) capture, no captures become active, even if you previously configured a capture in another context; you must remove and re-add the capture to make it active.
  • All traffic that enters the interface to which the capture is attached (and that matches the capture access list) is captured, including traffic to other contexts on the shared VLAN. Therefore, if you enable a capture in Context A for a VLAN that is also used by Context B, both Context A and Context B ingress traffic is captured.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
26-8
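The one-capture-per-interface limitation and its access-list workaround, shown as an added configuration example that is not taken from this guide. The interface name, access-list name, addresses and the exact capture command keywords are assumptions; confirm them against the "Configuring a Packet Capture" section before use.

```cisco
! Added example, not from the guide. Names, addresses and keywords are assumed.
!
! Pattern the guide rules out: two captures on the same interface.
! Only one capture per interface is allowed, so the second line below
! cannot coexist with the first.
!   capture CAP_SSH access-list SSH_ONLY interface inside
!   capture CAP_DNS access-list DNS_ONLY interface inside
!
! Supported pattern: a single capture whose access list carries several ACEs.
access-list CAP_INSIDE extended permit tcp any host 192.0.2.10 eq 22
access-list CAP_INSIDE extended permit udp any host 192.0.2.53 eq 53
access-list CAP_INSIDE extended permit icmp host 198.51.100.7 any
! No ACE can select non-IP frames such as ARP; the capture is IP-only.
capture CAP_INSIDE access-list CAP_INSIDE interface inside
!
! On a shared VLAN this capture also records ingress traffic belonging to
! other contexts that use the same VLAN, so review the buffer with that in mind.
show capture CAP_INSIDE
```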
