ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online
Wireshark logo

Ethereal-users: Re: [Ethereal-users] New User - How do I cpature/save Cisco Debugs For Analysis

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "M.C. van den Bovenkamp" <marco@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 21 Jun 2002 00:09:25 +0200
Guy Harris wrote:


While doing a Google search for "debug ip packet dump" to try to find
something describing the format of that command's output, I came across:

	http://www.ethereal.com/lists/ethereal-dev/200010/msg03402.html

which warns about "debug ip packet dump":

	I would *strongly* recommend against using this command unless
	you really know what you're doing and/or don't mind a router
	reboot.

	It is very easy to lose control of the router, because it can
	saturate both the serial link and the CPU given sufficient load
	on the circuits, and you may need physical access to the router
	to recover from this condition.  If you're lucky, the task gets
	killed by the executive, if not, the router locks up.

	I've seen someone do this to a router in South Africa.  He
	didn't appreciate my suggestion he should bike over there and
	fix it.

	The SNMP capture has resource usage limitations built in; I'd
	suggest using that if this functionality is required.
In this, it's no different from any other 'debug' command; they all come with (and rightly so!) dire warnings that go something like 'Here Be Tygers. May Cause CPU Meltdown And General Wonkyness. Do Not Try At Home.' :-).
You should most certainly use this with *extreme* caution and a Well Crafted access list (the command will take one, just like the documented 'debug ip packet' & 'debug ip packet detailed' will).
But, that said, it has come in handy now and again. It has one caveat that I found out later: the resulting dump is only usable if both input and output interface of the packet were some form of Ethernet. Because it may be called 'debug *ip* packet dump', the resulting hexdump is that of a full frame, and only if it has both a normal Ethernet SA & DA, they get decoded correctly.
If either of the interfaces is not Ethernet, that's not the case, anf Funky Stuff happens when the output of the script gets fed to text2pcap :-). But perhaps something could be reverse-enineered about the resulting hexdump (fake addresses and using only select bits of it?). I haven't looked at it that deeply (yet?).
If by 'SNMP capture' the original writer meant the 'Capture' RMON group, only a very select number of Ciscos with a very specific IOS feature set have that. This will work (in principle) on all of them; I haven't found one yet where 'debug ip packet dump' didn't exist. 


--

		Regards,

			Marco.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube