Packet Capture Overview
The packet capture feature with trace option allows real packets that are captured on the ingress interface to be traced through the system. The trace information is displayed at a later stage. These packets are not dropped on the egress interface, as they are real data-path traffic. Packet capture for threat defense devices supports troubleshooting and analysis of data packets.
Once the packet is acquired, Snort detects the tracing flag set on the packet and writes a trace element for each stage the packet traverses. The Snort verdict recorded for a captured packet can be one of the following:
| Verdict | Description |
|---|---|
| Pass | Allow the analyzed packet. |
| Block | Packet not forwarded. |
| Replace | Packet modified. |
| AllowFlow | Flow passed without inspection. |
| BlockFlow | Flow was blocked. |
| Ignore | Flow was blocked; occurs only for sessions with flows blocked on passive interfaces. |
| Retry | Flow is stalled, waiting on a malware or URL category/reputation query. If the query times out, processing continues with an unknown result: for malware, the file is allowed; for URL category/reputation, access control (AC) rule lookup continues with an uncategorized URL and unknown reputation. |
Based on the Snort verdict, the packets are dropped or allowed. Note the difference in scope: Block applies to the current packet only, while BlockFlow settles the whole session, so the subsequent packets of that session are dropped in the data path before they ever reach Snort. When the Snort verdict is Block or BlockFlow, the Drop Reason can be one of the following:
| Blocked or Flow Blocked by... | Cause |
|---|---|
| Snort | Snort is unable to process the packet, e.g., Snort cannot decode the packet because it is corrupted or has an invalid format. |
| the AppID preprocessor | The AppID module/preprocessor does not block packets by itself; this indicates that AppID detection caused another module (e.g., the firewall) to match a blocking rule. |
| the SSL preprocessor | A block/reset rule in the SSL policy matches the traffic. |
| the firewall | A block/reset rule in the firewall (access control) policy matches the traffic. |
| the captive portal preprocessor | A block/reset rule using the identity policy matches the traffic. |
| the safe search preprocessor | A block/reset rule using the safe-search feature in the firewall policy matches the traffic. |
| the SI preprocessor | A block/reset rule in the Security Intelligence tab of the access control policy blocks the traffic, e.g., a DNS or URL SI rule. |
| the prefilter preprocessor | A block/reset rule in the Prefilter tab of the access control policy matches the traffic. |
| the stream preprocessor | An intrusion rule blocks/resets the stream connection, e.g., on a TCP normalization error. |
| the session preprocessor | The session was already blocked earlier by another module, so the session preprocessor blocks further packets of the same session. |
| the fragmentation preprocessor | An earlier fragment of the datagram was blocked. |
| the snort response preprocessor | A react Snort rule matched, e.g., sending a response page for particular HTTP traffic. |
| the snort response preprocessor | A Snort rule sends a custom response on packets matching its conditions. |
| the reputation preprocessor | The packet matches a reputation rule, e.g., blocking a given IP address. |
| the X-Link2State preprocessor | An X-Link2State buffer overflow attempt was detected in SMTP. |
| the back orifice preprocessor | Back Orifice traffic was detected. |
| the SMB preprocessor | A Snort rule blocks the SMB traffic. |
| the file process preprocessor | A file policy blocks the file, e.g., malware blocking. |
| the IPS preprocessor | A Snort rule using IPS matched, e.g., rate filtering. |
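The practical consequence of the verdict scope is that, when you read a multi-packet trace, only the first packet of a blocked session shows a SNORT phase; the later ones are dropped earlier in the data path and carry no Snort verdict of their own. The helper below is an added example (not Cisco code and not part of this page) that parses trace output into per-packet records and attributes each drop either to that packet's own verdict or to the flow verdict an earlier packet received. The `SAMPLE` text is constructed to resemble the `Phase:`/`Type:`/`Result:` blocks, `Snort Verdict:` and `Drop-reason:` lines of `show capture <name> trace` output; the exact field names are an assumption and should be checked against a real device before the regexes are trusted on live output.

```python
"""Triage helper for packet-capture trace output.

Added example, not Cisco code. SAMPLE is constructed; the field names it
uses (Phase/Type/Result blocks, 'Snort Verdict:', 'Drop-reason:') are an
assumption about the device's trace layout.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Verdict table from above: flow verdicts settle the whole session, so later
# packets are decided in the data path and never reach Snort.
FLOW_VERDICTS = {"AllowFlow", "BlockFlow", "Ignore"}
BLOCKING_VERDICTS = {"Block", "BlockFlow", "Ignore"}

SAMPLE = """\
1: 10:15:32.101234 192.0.2.10.51234 > 198.51.100.20.80: S 0:0(0) win 8192

Phase: 1
Type: CAPTURE
Result: ALLOW

Phase: 2
Type: SNORT
Result: DROP
Snort Verdict: BlockFlow
Drop-reason: (firewall) Blocked or Flow Blocked by the firewall

2: 10:15:35.104567 192.0.2.10.51234 > 198.51.100.20.80: S 0:0(0) win 8192

Phase: 1
Type: CAPTURE
Result: ALLOW

Phase: 2
Type: FLOW-LOOKUP
Result: DROP
Drop-reason: (firewall) Blocked or Flow Blocked by the firewall
"""

PACKET_RE = re.compile(r"^(\d+): \d{2}:\d{2}:\d{2}\.\d+", re.M)
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S+)\n(?:Subtype:[^\n]*\n)?Result: (\w+)", re.M)
VERDICT_RE = re.compile(r"^Snort Verdict: (\S+)", re.M)
DROP_RE = re.compile(r"^Drop-reason: (.+)$", re.M)


@dataclass
class PacketTrace:
    index: int
    phases: List[Tuple[int, str, str]] = field(default_factory=list)
    verdict: Optional[str] = None
    drop_reason: Optional[str] = None

    @property
    def reached_snort(self) -> bool:
        return any(kind == "SNORT" for _, kind, _ in self.phases)

    @property
    def dropped(self) -> bool:
        return any(result == "DROP" for _, _, result in self.phases)


def parse_trace(text: str) -> List[PacketTrace]:
    """Split trace output at each packet header and parse its phase blocks."""
    heads = list(PACKET_RE.finditer(text))
    traces = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        pt = PacketTrace(index=int(head.group(1)))
        pt.phases = [(int(n), k, r) for n, k, r in PHASE_RE.findall(body)]
        verdict = VERDICT_RE.search(body)
        pt.verdict = verdict.group(1) if verdict else None
        drop = DROP_RE.search(body)
        pt.drop_reason = drop.group(1).strip() if drop else None
        traces.append(pt)
    return traces


def explain(traces: List[PacketTrace]) -> List[dict]:
    """Attribute each drop to this packet's verdict or to the earlier flow verdict."""
    flow_verdict = None  # (packet index, verdict) once Snort has settled the flow
    rows = []
    for pt in traces:
        if pt.reached_snort and pt.verdict in FLOW_VERDICTS:
            flow_verdict = (pt.index, pt.verdict)
        if not pt.dropped:
            cause = "forwarded"
        elif pt.reached_snort:
            cause = f"Snort verdict {pt.verdict}"
        elif flow_verdict and flow_verdict[1] in BLOCKING_VERDICTS:
            cause = f"flow already blocked by packet {flow_verdict[0]} ({flow_verdict[1]})"
        else:
            cause = "dropped in data path before Snort"
        rows.append({"index": pt.index, "reached_snort": pt.reached_snort,
                     "dropped": pt.dropped, "verdict": pt.verdict,
                     "drop_reason": pt.drop_reason, "cause": cause})
    return rows


if __name__ == "__main__":
    for row in explain(parse_trace(SAMPLE)):
        print(row)
```

Run against the constructed sample, packet 1 is attributed to its own BlockFlow verdict and packet 2, which shows no SNORT phase, is attributed to the flow verdict packet 1 received; that is the pattern to expect on a real trace when the drop reason is one of the flow-level rows in the table above.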
The packet capture feature allows you to capture and download packets that are stored in system memory. That memory buffer is limited to 32 MB. Systems that handle a very high volume of traffic fill the buffer quickly, so the packet capture limit can be raised by writing the capture data to a file on secondary storage instead. The maximum supported file size is 10 GB.
When file-size is configured, the captured data is stored in a file whose name is derived from the capture name.
Use the file-size option when you need to capture more than 32 MB of packets.
For information, see the Cisco Secure Firewall Threat Defense Command Reference.