Wireshark-users: Re: [Wireshark-users] Cisco FWSM Capture Dump

From: "Robert D. Scott" <robert@xxxxxxx>
Date: Mon, 10 Aug 2009 08:06:43 -0400
That is an ASA, and is based on the same hardware as the ACE.  This is an
older FWSM.  Both the ACE and ASA will allow the export. This is a FWSM
running 4.0, and there is nothing in the Cisco docs, or that I can find in
the CLI to export.  Just the text dump I sent. :(

text2pcap chokes on the 0X0 offset indicator and the AD01 double-byte format.

Robert D. Scott                 Robert@xxxxxxx
Senior Network Engineer         352-273-0113 Phone
CNS - Network Services          352-392-2061 CNS Phone Tree
University of Florida           352-392-9440 FAX
Florida Lambda Rail             352-294-3571 FLR NOC
Gainesville, FL  32611          321-663-0421 Cell


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Monday, August 10, 2009 2:05 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Cisco FWSM Capture Dump

Are you sure you are not able to export the capture files? Have a look at 
http://supportwiki.cisco.com/ViewWiki/index.php/Packet_capture#Gather_captures

(Or is this for more recent versions of FWSM?)

Cheers,
     Sake

----- Original Message ----- 
From: "Robert D. Scott" <robert@xxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Friday, August 07, 2009 7:08 PM
Subject: [Wireshark-users] Cisco FWSM Capture Dump


> Has anyone written a script to convert a Cisco FWSM dump format into a
> text2pcap format so I can read them in Wireshark?
>
> text2pcap -l 12 infile.txt outfile.pcap works like a champ when the firewall
> output is in valid format. Hand editing is tedious.
>
> Here is a 3-step TCP handshake from the FWSM:
>   9: 12:11:00.692669814 802.1Q vlan#1202 P0 10.227.212.114.3709 > 10.19.1.125.80: S 3444274164:3444274164(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,timestamp 0 0,nop,nop,sackOK>
> 0x0000   4500 0040 f143 4000 7e06 208f 0ae3 d472        E..@.C@.~. ....r
> 0x0010   0a13 017d 0e7d 0050 cd4b 73f4 0000 0000        ...}.}.P.Ks.....
> 0x0020   b002 ffff fb07 0000 0204 05b4 0103 0307        ................
> 0x0030   0101 080a 0000 0000 0000 0000 0101 0402        ................
>  10: 12:11:00.692669814 802.1Q vlan#1202 P0 10.19.1.125.80 > 10.227.212.114.3709: S 1345738498:1345738498(0) ack 3444274165 win 4128 <mss 536>
> 0x0000   4500 002c a748 0000 fe06 2a9e 0a13 017d        E..,.H....*....}
> 0x0010   0ae3 d472 0050 0e7d 5036 5702 cd4b 73f5        ...r.P.}P6W..Ks.
> 0x0020   6012 1020 a966 0000 0204 0218 0000             `.. .f........
>  11: 12:11:00.692669814 802.1Q vlan#1202 P0 10.227.212.114.3709 > 10.19.1.125.80: . ack 1345738499 win 65535
> 0x0000   4500 0028 f145 4000 7e06 20a5 0ae3 d472        E..(.E@.~. ....r
> 0x0010   0a13 017d 0e7d 0050 cd4b 73f5 5036 5703        ...}.}.P.Ks.P6W.
> 0x0020   5010 ffff cda7 0000 0000 0000 0000             P.............
>
> Robert D. Scott                 Robert@xxxxxxx
> Senior Network Engineer         352-273-0113 Phone
> CNS - Network Services          352-392-2061 CNS Phone Tree
> University of Florida           352-392-9440 FAX
> Florida Lambda Rail             352-294-3571 FLR NOC
> Gainesville, FL  32611          321-663-0421 Cell
>

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
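The script the original question asks for, as an added example that is not part of the thread and not Cisco or Wireshark code. It parses the FWSM listing quoted above (the three-packet handshake, embedded below as the sample input with the e-mail line wrapping undone), checks that every hex line continues at the expected offset, verifies the IPv4 header checksum of each datagram, and cuts each packet at its IP total length: packets 10 and 11 are dumped as 46 bytes although their total length is 44 and 40, which is consistent with the FWSM showing Ethernet minimum-frame padding after the datagram. It can then emit text2pcap input (for the `text2pcap -l 12` command from the post) or write a nanosecond-resolution pcap file directly with link type 101 (LINKTYPE_RAW). The dump carries only a time of day, so the calendar date used for pcap timestamps is an assumption the caller supplies.

```python
"""Convert a Cisco FWSM capture dump (text with 0xNNNN offset lines) into
text2pcap input or straight into a pcap file. Example code, not a Cisco or
Wireshark tool."""
import re
import struct
from datetime import date, datetime, timezone

# Sample input: the three packets quoted in the thread, summary lines rejoined.
FWSM_DUMP = """\
  9: 12:11:00.692669814 802.1Q vlan#1202 P0 10.227.212.114.3709 > 10.19.1.125.80: S 3444274164:3444274164(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,timestamp 0 0,nop,nop,sackOK>
0x0000   4500 0040 f143 4000 7e06 208f 0ae3 d472        E..@.C@.~. ....r
0x0010   0a13 017d 0e7d 0050 cd4b 73f4 0000 0000        ...}.}.P.Ks.....
0x0020   b002 ffff fb07 0000 0204 05b4 0103 0307        ................
0x0030   0101 080a 0000 0000 0000 0000 0101 0402        ................
 10: 12:11:00.692669814 802.1Q vlan#1202 P0 10.19.1.125.80 > 10.227.212.114.3709: S 1345738498:1345738498(0) ack 3444274165 win 4128 <mss 536>
0x0000   4500 002c a748 0000 fe06 2a9e 0a13 017d        E..,.H....*....}
0x0010   0ae3 d472 0050 0e7d 5036 5702 cd4b 73f5        ...r.P.}P6W..Ks.
0x0020   6012 1020 a966 0000 0204 0218 0000             `.. .f........
 11: 12:11:00.692669814 802.1Q vlan#1202 P0 10.227.212.114.3709 > 10.19.1.125.80: . ack 1345738499 win 65535
0x0000   4500 0028 f145 4000 7e06 20a5 0ae3 d472        E..(.E@.~. ....r
0x0010   0a13 017d 0e7d 0050 cd4b 73f5 5036 5703        ...}.}.P.Ks.P6W.
0x0020   5010 ffff cda7 0000 0000 0000 0000             P.............
"""

# "  9: 12:11:00.692669814 <summary>"  -> packet number, time of day, summary
HEADER_RE = re.compile(r"^(\d+):\s+(\d{2}):(\d{2}):(\d{2})\.(\d{1,9})\s+(.*)$")
OFFSET_RE = re.compile(r"^0[xX]([0-9a-fA-F]+)$")
LINKTYPE_RAW = 101  # pcap link type: raw IP datagram, no link-layer header


class Packet:
    def __init__(self, number, tod_ns, summary):
        self.number = number
        self.tod_ns = tod_ns      # nanoseconds since midnight; the dump has no date
        self.summary = summary
        self.data = bytearray()


def ip_header_checksum_ok(data):
    """Ones-complement sum over the IPv4 header (checksum field included) must fold to 0xFFFF."""
    ihl = (data[0] & 0x0F) * 4
    s = sum(struct.unpack("!%dH" % (ihl // 2), data[:ihl]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s == 0xFFFF


def trim_to_ip_length(pkt):
    """Drop bytes after the IP total length (Ethernet minimum-frame padding in short packets)."""
    d = pkt.data
    if len(d) < 20 or d[0] >> 4 != 4:
        raise ValueError("packet %d: not an IPv4 datagram" % pkt.number)
    total_len = struct.unpack_from("!H", d, 2)[0]
    if total_len > len(d):
        raise ValueError("packet %d: IP total length %d but only %d bytes dumped"
                         % (pkt.number, total_len, len(d)))
    del d[total_len:]


def parse_fwsm_dump(text):
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            num, hh, mm, ss, frac, summary = m.groups()
            tod_ns = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 10**9 + int(frac.ljust(9, "0"))
            packets.append(Packet(int(num), tod_ns, summary))
            continue
        # "0x0010   0a13 017d ... 0000        ...}.}.P.Ks....." : offset, hex groups, ASCII column.
        # Hex groups are single-spaced; two or more spaces separate the three columns.
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        om = OFFSET_RE.match(parts[0])
        if not om or len(parts) < 2 or not packets:
            raise ValueError("unrecognised line: %r" % raw)
        pkt = packets[-1]
        offset = int(om.group(1), 16)
        if offset != len(pkt.data):  # a dropped or mangled line shows up here
            raise ValueError("packet %d: offset 0x%x but %d bytes collected so far"
                             % (pkt.number, offset, len(pkt.data)))
        pkt.data += bytes.fromhex(parts[1].replace(" ", ""))
    for pkt in packets:
        trim_to_ip_length(pkt)
        if not ip_header_checksum_ok(pkt.data):
            raise ValueError("packet %d: bad IPv4 header checksum" % pkt.number)
    return packets


def to_text2pcap(packets):
    """text2pcap input: 6-digit hex offsets, one byte per token, a blank line between packets."""
    out = []
    for pkt in packets:
        for off in range(0, len(pkt.data), 16):
            chunk = pkt.data[off:off + 16]
            out.append("%06x  %s" % (off, " ".join("%02x" % b for b in chunk)))
        out.append("")
    return "\n".join(out) + "\n"


def to_pcap(packets, day=date(1970, 1, 1)):
    """Nanosecond pcap (magic 0xA1B23C4D). 'day' is an assumed calendar date: the dump has none."""
    midnight = int(datetime(day.year, day.month, day.day, tzinfo=timezone.utc).timestamp())
    out = bytearray(struct.pack("<IHHiIII", 0xA1B23C4D, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
    for pkt in packets:
        sec, nsec = divmod(pkt.tod_ns, 10**9)
        out += struct.pack("<IIII", midnight + sec, nsec, len(pkt.data), len(pkt.data))
        out += pkt.data
    return bytes(out)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FWSM_DUMP
    pkts = parse_fwsm_dump(text)
    sys.stdout.write(to_text2pcap(pkts))          # feed to: text2pcap -l 12 - out.pcap
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as f:      # or write the pcap directly
            f.write(to_pcap(pkts))
```

Run it as `python fwsm2pcap.py capture.txt > capture.hex` and feed that to the `text2pcap -l 12` command from the post, or pass a second argument to get a pcap file with the FWSM's nanosecond timestamps preserved. If the FWSM version at hand separates hex groups with two spaces instead of one, the column split will misread the line; the offset continuity check and the total-length check then raise rather than silently producing a truncated packet.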