Wireshark-users: Re: [Wireshark-users] Cisco FWSM Capture Dump
From: "Robert D. Scott" <robert@xxxxxxx>
Date: Mon, 10 Aug 2009 08:06:43 -0400
That is an ASA, and is based on the same hardware as the ACE. This is an older FWSM. Both the ACE and ASA will allow the export. This is a FWSM running 4.0, and there is nothing in the Cisco docs, or that I can find in the CLI to export. Just the text dump I sent. :( text2pcap chokes on the 0X0 offset indicator, and the AD01, double byte format.

Robert D. Scott                 Robert@xxxxxxx
Senior Network Engineer         352-273-0113 Phone
CNS - Network Services          352-392-2061 CNS Phone Tree
University of Florida           352-392-9440 FAX
Florida Lambda Rail             352-294-3571 FLR NOC
Gainesville, FL 32611           321-663-0421 Cell

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Monday, August 10, 2009 2:05 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Cisco FWSM Capture Dump

Are you sure you are not able to export the capture files? Have a look at
http://supportwiki.cisco.com/ViewWiki/index.php/Packet_capture#Gather_captures
(or is this for more recent versions of FWSM?)

Cheers,
Sake

----- Original Message -----
From: "Robert D. Scott" <robert@xxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Friday, August 07, 2009 7:08 PM
Subject: [Wireshark-users] Cisco FWSM Capture Dump

> Has anyone written a script to convert a Cisco FWSM dump format into a
> text2pcap format so I can read them in Wireshark?
>
> text2pcap -l 12 infile.txt outfile.pcap works like a champ when the firewall
> output is in valid format. Hand editing is tedious.
>
> Here is a 3 step tcp handshake from the fwsm:
> 9: 12:11:00.692669814 802.1Q vlan#1202 P0 10.227.212.114.3709 > 10.19.1.125.80: S 3444274164:3444274164(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,timestamp 0 0,nop,nop,sackOK>
> 0x0000 4500 0040 f143 4000 7e06 208f 0ae3 d472 E..@.C@.~. ....r
> 0x0010 0a13 017d 0e7d 0050 cd4b 73f4 0000 0000 ...}.}.P.Ks.....
> 0x0020 b002 ffff fb07 0000 0204 05b4 0103 0307 ................
> 0x0030 0101 080a 0000 0000 0000 0000 0101 0402 ................
> 10: 12:11:00.692669814 802.1Q vlan#1202 P0 10.19.1.125.80 > 10.227.212.114.3709: S 1345738498:1345738498(0) ack 3444274165 win 4128 <mss 536>
> 0x0000 4500 002c a748 0000 fe06 2a9e 0a13 017d E..,.H....*....}
> 0x0010 0ae3 d472 0050 0e7d 5036 5702 cd4b 73f5 ...r.P.}P6W..Ks.
> 0x0020 6012 1020 a966 0000 0204 0218 0000 `.. .f........
> 11: 12:11:00.692669814 802.1Q vlan#1202 P0 10.227.212.114.3709 > 10.19.1.125.80: . ack 1345738499 win 65535
> 0x0000 4500 0028 f145 4000 7e06 20a5 0ae3 d472 E..(.E@.~. ....r
> 0x0010 0a13 017d 0e7d 0050 cd4b 73f5 5036 5703 ...}.}.P.Ks.P6W.
> 0x0020 5010 ffff cda7 0000 0000 0000 0000 P.............
>
> Robert D. Scott                 Robert@xxxxxxx
> Senior Network Engineer         352-273-0113 Phone
> CNS - Network Services          352-392-2061 CNS Phone Tree
> University of Florida           352-392-9440 FAX
> Florida Lambda Rail             352-294-3571 FLR NOC
> Gainesville, FL 32611           321-663-0421 Cell

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
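A converter for the dump format posted in this thread, added here as an example (it is not from the thread, from Cisco or from the Wireshark project). It strips the 0x offset prefix and the ASCII column, splits the 4-hex-digit groups into single bytes, and, as an assumption drawn from the three packets above (46 bytes printed against IP total lengths of 44 and 40), trims the Ethernet minimum-frame padding the FWSM prints after the IP packet. The output is what text2pcap -l 12 expects.

```python
import re
from itertools import takewhile

# FWSM hex line: "0x0010 0a13 017d ... <ASCII column>": a 0x-prefixed offset and 2-byte
# groups, which text2pcap rejects. A ">" quote prefix from list replies is tolerated.
LINE_RE = re.compile(r"^\s*(?:>\s*)*0[xX]([0-9a-fA-F]+)\s+(.*)$")
GROUP_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")

# Sample input: the SYN/ACK and ACK packets copied from the dump posted in this thread.
SAMPLE = """\
10: 12:11:00.692669814 802.1Q vlan#1202 P0 10.19.1.125.80 > 10.227.212.114.3709: S 1345738498:1345738498(0) ack 3444274165 win 4128 <mss 536>
0x0000 4500 002c a748 0000 fe06 2a9e 0a13 017d E..,.H....*....}
0x0010 0ae3 d472 0050 0e7d 5036 5702 cd4b 73f5 ...r.P.}P6W..Ks.
0x0020 6012 1020 a966 0000 0204 0218 0000 `.. .f........
0x0000 4500 0028 f145 4000 7e06 20a5 0ae3 d472 E..(.E@.~. ....r
0x0010 0a13 017d 0e7d 0050 cd4b 73f5 5036 5703 ...}.}.P.Ks.P6W.
0x0020 5010 ffff cda7 0000 0000 0000 0000 P.............
"""

def trim_padding(pkt):
    # Assumption: the dump starts at the IPv4 header (hence text2pcap -l 12) but also
    # shows Ethernet minimum-frame padding; cut to the IP total length (no trailer).
    if len(pkt) >= 20 and pkt[0] >> 4 == 4:
        ip_len = int.from_bytes(pkt[2:4], "big")
        if 20 <= ip_len <= len(pkt):
            return pkt[:ip_len]
    return pkt

def parse_fwsm_dump(text, trim=True):
    """Return one bytes object per packet from FWSM 'show capture ... dump' text."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # summary lines ("10: 12:11:00 ...") and blanks carry no bytes
        offset, tokens = int(m.group(1), 16), m.group(2).split()
        if offset == 0:
            packets.append(bytearray())  # offset 0 starts the next packet
        if not packets or offset != len(packets[-1]):
            raise ValueError(f"offset 0x{offset:04x} does not continue the packet")
        # Take at most 8 hex groups; the first non-hex token begins the ASCII column.
        groups = list(takewhile(GROUP_RE.match, tokens))[:8]
        packets[-1] += bytes.fromhex("".join(groups))
    return [trim_padding(bytes(p)) if trim else bytes(p) for p in packets]

def to_text2pcap(packets):
    """Render as text2pcap input: 6-hex-digit offset, bytes separated by single spaces."""
    return "\n".join(f"{o:06x} " + " ".join(f"{b:02x}" for b in pkt[o:o + 16])
                     for pkt in packets for o in range(0, len(pkt), 16)) + "\n"
```

Each packet restarts at offset 000000, which is how text2pcap delimits packets, so the rendered text can be fed straight to `text2pcap -l 12 infile.txt outfile.pcap`.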
- Follow-Ups:
- Re: [Wireshark-users] Cisco FWSM Capture Dump
- From: Joerg Mayer
- Re: [Wireshark-users] Cisco FWSM Capture Dump
- References:
- [Wireshark-users] Cisco FWSM Capture Dump
- From: Robert D. Scott
- Re: [Wireshark-users] Cisco FWSM Capture Dump
- From: Sake Blok
- [Wireshark-users] Cisco FWSM Capture Dump