Wireshark · Ethereal-users: [Ethereal-users] Convert Cisco IOS debug packet dumps and show buffer dump

Ethereal-users: [Ethereal-users] Convert Cisco IOS debug packet dumps and show buffer dump

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Michael Markstaller" <mm@xxxxxxxxxx>

Date: Wed, 23 Jul 2003 11:45:44 +0200

Hi,

sorry for this maybe very simple question, but with reading old posts, faq and googling I came no further so far.
What are the steps to convert the output of "sh buff input-interface Fast0/0 packet" to be able to read in ethereal ?

Or do I have to use "sh buff input-interface Fast0/0 dump" ? (I already tried)
the output of "sh buff input-interface Fast0/0 packet" looks like that: 
--- cut ---
Buffer information for Middle buffer at 0x81A6E7C4
  data_area 0x28D1D44, refcount 1, next 0x0, flags 0x280
  linktype 7 (IP), enctype 0 (None), encsize 0, rxtype 1
  if_input 0x81EDC1B0 (Serial0/0:0), if_output 0x0 (None)
  inputtime 0x0, outputtime 0x0, oqnumber 65535
  datagramstart 0x28D1DBC, datagramsize 47, maximum size 756
  mac_start 0x28D1D94, addr_start 0x28D1D94, info_start 0x0
  network_start 0x28D1DBC, transport_start 0x0, caller_pc 0x80E131EC

  source: x.z.y.z, destination: x.z.y.z, id: 0xFF7E, ttl: 126, prot: 17

028D1DB0:                            4500002F              E../
028D1DC0: FF7E00B9 7E11F930 AC17296E 95CCD803  .~.9~.y0,.)n.LX.
028D1DD0: A8193017 02011702 02FF7B02 01800201  (.0.......{.....
028D1DE0: 03020101 02011802 02FF7901           ..........y.
--- cut ---
I understood I have to convert this first to change the sequence number or smthg like that (I found a perl-script somewhere on the list archives) which outputs something like this:
00000000 45 00 00 2F FF 7E 00 B9 7E 11 F9 30 AC 17 29 6E
00000010 95 CC D8 03 A8 19 30 17 02 01 17 02 02 FF 7B 02
00000020 01 80 02 01 03 02 01 01 02 01 18 02 02 FF 79 01

and then convert it with text2pcap, I tried to add different headers but I always get only malformed packets in ethereal (also with "good" debug dumps)

It would also help me to know in which format these packets/dumps I see there are ? with or without Linklayer, IP-header, so which (if any) header needs to be added when converting with text2pcap. 


The same questions regarding the ouputted dump format seen arise regarding the (undocumented) "debug ip packet LIST detail dump" command.
Maybe someone does this everyday and can tell me which steps to make to read these cisco packet-dumps. 

I'm currently tracking down an issue with packets stuck in the input queue and first of all I want to see src/dst port (which isn't displayed by the above commands for the packets in question) by writing debugs on the source router, but I haven't managed to convert this to anything reasonable so far.


regards

Michael

Prev by Date: Re: [Ethereal-users] Windows Sockets
Next by Date: [Ethereal-users] Ethereal users in Belgium
Previous by thread: RE: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing? /Sniffing without TCP/IP on Windows?
Next by thread: [Ethereal-users] Ethereal users in Belgium
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$