Configuring A Packet Capture; Viewing The Crash Dump - Cisco 7604 Configuration Manual

Chapter 26 Troubleshooting the Firewall Services Module

Configuring a Packet Capture

Configuring a capture typically involves configuring an access list that matches the traffic that needs to
be captured. Once an access list that matches the traffic pattern is configured, then you need to define a
capture and associate this access list to the capture, along with the interface on which the capture needs
to be configured. Note that a capture only works if an access list and an interface are associated with a
capture for capturing IPv4 traffic. The access list is not required for IPv6 traffic.
To configure a packet capture for IPv4 traffic, perform the following steps:
Configure an extended access list that matches the traffic that needs to be captured according to the
Step 1
"Adding an Extended Access List" section on page
For example, the following access list identifies all traffic:
hostname(config)# access-list capture extended permit ip any any
To configure the capture, enter the following command.
Step 2
hostname(config)# capture name access-list acl_name interface interface_name
By default configuring a capture creates a linear capture buffer of size 512 KB. You can optionally
configure a circular buffer. By default only 68 bytes of the packets are captured in the buffer. You can
optionally change this value. See the capture command in the Catalyst 6500 Series Switch and Cisco
7600 Series Router Firewall Services Module Command Reference for these and other options.
For example, the following command creates a capture called ip-capture using the capture access lost
configured in
hostname(config)# capture ip-capture access-list capture interface outside
Step 3 To view the capture, enter the following command:
hostname(config)# show capture name
You can also copy the capture using the copy capture command. See the Catalyst 6500 Series Switch
and Cisco 7600 Series Router Firewall Services Module Command Reference for more information.
Step 4 To end the capture but retain the buffer, enter the following command:
hostname(config)# no capture name access-list acl_name interface interface_name
Step 5 To end the capture and delete the buffer, enter the following command:
hostname(config)# no capture name

Viewing the Crash Dump

If the FWSM crashes, you can view the crash dump information. We recommend contacting Cisco TAC
if you want to interpret the crash dump. See the show crashdump command in the Catalyst 6500 Series
Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
For egress traffic, only the traffic of the context with the active capture is captured. The only
exception is when you do not enable the ICMP inspection (therefore the ICMP traffic does not
have a session in the accelerated path). In this case, both ingress and egress ICMP traffic for all
contexts on the shared VLAN is captured.
Step 1 that is applied to the outside interface:
Other Troubleshooting Tools
13-6.
26-9