topic packet capture for unknown-tcp in General Topics

packet capture for unknown-tcp

idelconsulting — Thu, 30 Aug 2012 17:02:20 GMT

Hi,

I'm getting a lot of unknown-tcp on the internal network and would like to capture some packets to get an idea what this is.

I tried:

debug dataplane packet-diag set capture trigger application from unknown-tcp to unknown-tcp

but I don't get any packets so far.

I also tried from none to unknown-tcp, same result, nothing captured.

Any idea what I'm doing wrong or a better idea how to capture that unknown traffic?

Regards,

Andreas

UhMayYeah — Thu, 30 Aug 2012 18:46:45 GMT

Hello Andreas,

I would suggest updating and the Application database to the latest version.

Also try trigger condition from application "unknown " to "unknown-tcp".

These document might be helpful:

-Ameya

idelconsulting — Thu, 30 Aug 2012 20:09:31 GMT

Hello Ameya,

thanks for the links. I knew most of it but not all.

The Application DB is the latest version.

In this case I'm observing mainframe traffic, there are not many mainframe apps in the application DB. 😞

Regards,

Andreas

UhMayYeah — Fri, 31 Aug 2012 00:48:15 GMT

Did you get a chance to change the trigger condition from application "unknown " to "unknown-tcp".

>debug dataplane packet-diag set capture trigger application from unknown to unknown-tcp

If this doesn't work you could try configuring packet filters based on destination-port.

If this is a multi-dataplane platform eg 5k there are few other settings needed to capture exact packets.

-Ameya

reaper — Fri, 07 Sep 2012 10:07:09 GMT

Hi Andreas

you can enable this command to packetcapture unknown application packets:

> set application dump-unknown yes

the pcaps will appear in the traffic log as a little green arrow or from the CLI in "view-pcap application-pcap <date>/"