04-01-2011 03:07 PM
So, using debug dataplane packet-diag I am unable to get filters to work properly and quite often don't see data that I actually should. I didn't know if this was a bug with the 4.0.0 code or not, but it makes it awful hard to defend the firewall when I can't produce reliable output from either logs or packet captures. The settings I have are below, and not only does the filter not work properly but I don't see the traffic I should be seeing. Also rather odd that the transmitted packets counter is so much higher than all the rest.
DP 0:
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: yes
Index 1: 10.100.240.179[0]->0.0.0.0[0], proto 0
ingress-interface ethernet1/1, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Aggregate-to-single-file: yes
Output file size: 7364 of 10485760 Bytes
Features:
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: no
Stage receive : file ssh-receive.pcap
Captured: packets - 63673 bytes - 14346098
Maximum: packets - 0 bytes - 0
Stage firewall : file ssh-firewall.pcap
Captured: packets - 59183 bytes - 13831536
Maximum: packets - 0 bytes - 0
Stage transmit : file ssh-transmit.pcap
Captured: packets - 111227 bytes - 27857297
Maximum: packets - 0 bytes - 0
Stage drop : file ssh-drop.pcap
Captured: packets - 1131 bytes - 239054
Maximum: packets - 0 bytes - 0
--------------------------------------------------------------------------------
DP 1:
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: yes
Index 1: 10.100.240.179[0]->0.0.0.0[0], proto 0
ingress-interface ethernet1/1, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Aggregate-to-single-file: yes
Output file size: 221380 of 10485760 Bytes
Features:
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: no
Stage receive : file ssh-receive.pcap
Captured: packets - 211771 bytes - 157212649
Maximum: packets - 0 bytes - 0
Stage firewall : file ssh-firewall.pcap
Captured: packets - 215378 bytes - 157520273
Maximum: packets - 0 bytes - 0
Stage transmit : file ssh-transmit.pcap
Captured: packets - 359186 bytes - 197191051
Maximum: packets - 0 bytes - 0
Stage drop : file ssh-drop.pcap
Captured: packets - 695 bytes - 112144
Maximum: packets - 0 bytes - 0
--------------------------------------------------------------------------------
04-05-2011 09:30 AM
Hi Price
Could you try setting these without interface and with a second filter with 10.100.240.179 as destination? Can you try this command a couple of times during your tests: "show counter global filter delta yes filter packet-filter yes"? Are there counters visible after the second time you execute this command? Are there drops in there?
regards