Ethereal-users: Re: [Ethereal-users] New User - How do I capture/save Cisco Debugs For Analysis
Guy Harris wrote:
> While doing a Google search for "debug ip packet dump" to try to find
> something describing the format of that command's output, I came across:
> http://www.ethereal.com/lists/ethereal-dev/200010/msg03402.html
> which warns about "debug ip packet dump":
> > I would *strongly* recommend against using this command unless
> > you really know what you're doing and/or don't mind a router
> > reboot.
> > It is very easy to lose control of the router, because it can
> > saturate both the serial link and the CPU given sufficient load
> > on the circuits, and you may need physical access to the router
> > to recover from this condition. If you're lucky, the task gets
> > killed by the executive, if not, the router locks up.
> > I've seen someone do this to a router in South Africa. He
> > didn't appreciate my suggestion he should bike over there and
> > fix it.
> > The SNMP capture has resource usage limitations built in; I'd
> > suggest using that if this functionality is required.
In this, it's no different from any other 'debug' command; they all come
with (and rightly so!) dire warnings that go something like 'Here Be
Tygers. May Cause CPU Meltdown And General Wonkyness. Do Not Try At
Home.' :-).
You should most certainly use this with *extreme* caution and a Well
Crafted access list (the command will take one, just like the documented
'debug ip packet' & 'debug ip packet detailed' will).
But, that said, it has come in handy now and again. It has one caveat
that I found out later: the resulting dump is only usable if both input
and output interface of the packet were some form of Ethernet. Because
it may be called 'debug *ip* packet dump', the resulting hexdump is that
of a full frame, and only if it has both a normal Ethernet SA & DA, they
get decoded correctly.
If either of the interfaces is not Ethernet, that's not the case, and
Funky Stuff happens when the output of the script gets fed to text2pcap
:-). But perhaps something could be reverse-engineered about the
resulting hexdump (fake addresses and using only select bits of it?). I
haven't looked at it that deeply (yet?).
If by 'SNMP capture' the original writer meant the 'Capture' RMON group,
only a very select number of Ciscos with a very specific IOS feature set
have that. This will work (in principle) on all of them; I haven't found
one yet where 'debug ip packet dump' didn't exist.
--
Regards,
Marco.
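Marco's caveat above (the dump only decodes if it begins with a real Ethernet SA/DA) can be checked before the hexdump goes anywhere near text2pcap. The script below is an added example, not code from the post, from Ethereal or from Cisco; it assumes the router output has already been put into text2pcap's "offset, then hex bytes" line layout, uses a constructed sample frame as input, and goes one step further than the post by writing a classic pcap file directly.

```python
import re
import struct

# Constructed sample, NOT real "debug ip packet dump" output: one Ethernet II
# frame (DA, SA, EtherType 0x0800) carrying an IPv4 ICMP echo request, laid
# out in the "offset  hex bytes" form text2pcap accepts.
SAMPLE_DUMP = """\
000000 00 1b 2c 3d 4e 5f 00 a0 b1 c2 d3 e4 08 00 45 00
000010 00 1c 00 01 00 00 40 01 f7 8c c0 a8 01 01 c0 a8
000020 01 02 08 00 f7 ff 00 00 00 00
"""

HEX_LINE = re.compile(r"^\s*[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2}\s*)+)$")

def parse_hexdump(text):
    """Collect the bytes of every offset-prefixed hex line into one frame."""
    frame = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            frame.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(frame)

def ip_checksum_ok(header):
    """Ones-complement sum over an IPv4 header (checksum field included) folds to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def looks_like_ethernet_ipv4(frame):
    """Marco's caveat as a check: a usable dump starts with a plausible Ethernet II + IPv4 header."""
    if len(frame) < 14 + 20:
        return False
    da, sa, ethertype = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or da == bytes(6) or sa == bytes(6) or sa[0] & 1:
        return False  # not IPv4, a zeroed address, or the group bit set on the source
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    return version == 4 and 20 <= ihl <= total_len <= len(ip) and ip_checksum_ok(ip[:ihl])

def build_pcap(frames):
    """Classic pcap bytes (magic 0xA1B2C3D4, link type 1 = Ethernet) that Ethereal/Wireshark can open."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)
```

Run `parse_hexdump` over the collected dump, keep only frames that pass `looks_like_ethernet_ipv4`, and write `build_pcap(frames)` to a `.pcap` file; a dump taken on a non-Ethernet interface fails the check instead of producing the "Funky Stuff" Marco describes.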