
Debug ip packet command


Output displays IP addresses before AND after NATting.

Fast switching must be disabled on the relevant interfaces, as only process-switched packets are displayed in debug output. Use the no ip route-cache command where necessary.


Usage Examples

It's good practice to enter the undebug all command before you enter your actual debug command. This way, if you've made a mistake or the output is far greater than expected, you can simply press the up arrow once to bring up the last command and press enter to execute it and stop all debugging.

debug ip packet - Never a good idea! Displays details of every IP packet passing through the router. Likely to crash the device unless very little traffic is being processed or it's extremely powerful.

debug ip packet 199 - A much better idea. Display details of only those packets matching the permit statements in the specified access list, 199 in this case.

debug ip packet 199 detail - Also displays source and destination ports and TCP flags such as SYN, ACK etc.

debug ip packet 199 dump - A recent addition. Also displays packet contents! Like a straight debug ip packet, use this with great caution as the output is likely to be overwhelming.

Usage Notes

Disabling IP CEF will NOT have the same effect as using the no ip route-cache command.

You cannot use named access lists.

The access list should reference post-NAT addresses if NATting is occurring.

Additional Resources

This access list prevents most unwanted output:

access-list 199 deny udp any any eq rip
access-list 199 deny udp any any eq 1984
access-list 199 deny udp any any eq 1985
access-list 199 deny udp any any eq 161 !SNMP
access-list 199 deny udp any any eq 162 !SNMP Trap
access-list 199 deny udp any any eq 49 !TACACS
access-list 199 deny tcp any any eq 49 !TACACS
access-list 199 deny udp any any eq 123 !NTP
access-list 199 deny tcp any any eq 22 !SSH
access-list 199 deny tcp any any eq 23 !TELNET
access-list 199 deny ip  any 224.0.0.0 0.0.0.255 !Multicast traffic; HSRP, OSPF etc.
access-list 199 deny ip  any host x.x.x.x !SNMP Server
access-list 199 deny ip  host x.x.x.x any !This device to anywhere first  interface
access-list 199 deny ip  host x.x.x.x any !This device to anywhere second interface
access-list 199 deny ip  any host x.x.x.x !Anywhere to this device first interface
access-list 199 deny ip  any host x.x.x.x !Anywhere to this device second interface
access-list 199 deny icmp any any !PING etc.
access-list 199 permit ip any any
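
Added example (not from the original page): an access list is evaluated top-down, stops at the first matching line, and takes wildcard masks rather than subnet masks, so it is worth dry-running a debug filter against a few expected flows before enabling the debug. The Python sketch below does that for the subset of extended access-list syntax used on this page; the sample list, the addresses and the function names are constructed for illustration.

```python
import ipaddress

NAMED_PORTS = {"rip": 520}  # only the port keyword this page's list uses
# Constructed sample filter (documentation addresses), not a real device config.
SAMPLE_ACL = """\
access-list 199 deny tcp any any eq 22 !SSH
access-list 199 deny udp any any eq rip
access-list 199 deny ip any 224.0.0.0 0.0.0.255 !HSRP, OSPF etc.
access-list 199 deny ip any host 192.0.2.1 !Anywhere to this device
access-list 199 deny icmp any any
access-list 199 permit ip any any
"""

def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines into rules."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("!")[0].split()  # drop trailing annotations
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _addr(rest), _addr(rest)
        port = (NAMED_PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _match(ip, spec):
    addr, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (addr | wildcard)

def would_display(rules, proto, src, dst, dport=None):
    """True if the first matching line is a permit, i.e. debug would print the packet."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto) or (r_port is not None and r_port != dport):
            continue
        if _match(src, r_src) and _match(dst, r_dst):
            return action == "permit"
    return False  # implicit deny at the end of every access list

if __name__ == "__main__":
    print(would_display(parse_acl(SAMPLE_ACL), "tcp", "198.51.100.7", "203.0.113.9", 443))
```

Feeding it a list with permit ip any any placed above a deny line, or with a subnet mask where a wildcard mask belongs, shows the deny line never taking effect.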

Related Commands

Use the undebug all command to stop all debugging.

This page was last modified on 4 June 2008, at 10:08.