Use the Packet Tracer

To use a packet tracer on Secure Firewall Threat Defense devices, you must be an Admin or Maintenance user.

Procedure


Step 1

In Firewall Management Center, choose Devices > Troubleshoot > Packet Tracer.

Step 2

From the Select Device drop-down list, choose the device on which you want to run the trace.

Step 3

Choose Use Protocol to perform the configuration manually, or Upload or Edit a PCAP file to upload a packet capture (PCAP) file.

Step 4

If you choose to upload a PCAP file, do the following:

  1. Click the Upload or Edit a PCAP file drop-down list, and choose the Upload a PCAP file option. To use a recently uploaded file, click the file name from the available list.

    Note
    • Only .pcap and .pcapng file formats are supported.

    • The file can contain up to 100 packets from the same Ethernet connection, or from the same single VLAN-encapsulated TCP or UDP connection.

    • Multiflow PCAP files are not supported. Upload only a single-flow PCAP file.

  2. If you choose to upload a PCAP file, drag and drop the PCAP file into the Upload PCAP dialog box or browse and select the PCAP file. After you select the file, the upload process starts automatically.

    Note
    • After you upload the file, the Protocol, Source Type, and Destination Type fields are grayed out and cannot be edited. To make changes to these fields, you must upload a new PCAP file.

    • You can edit the source and destination IP addresses, source and destination ports, VLAN ID, destination MAC address (for a firewall in transparent mode), and the PCAP file name.

  3. Go to Step 7.

Step 5

If you choose to perform a manual configuration, do the following:

  1. From the Ingress Interface drop-down list, choose the ingress interface for the packet trace.

    Note

    Do not select a VTI, because a VTI is not supported as the ingress interface for packet tracer.

  2. To define the trace parameters, from the Protocol drop-down list, select the packet type for the trace, and specify the protocol characteristics:

    • ICMP: Enter the ICMP type, ICMP code (0-255), and optionally, the ICMP identifier.

    • TCP/UDP/SCTP: Enter the source and destination port numbers.

    • GRE/IPIP: Enter the protocol number, 0-255.

    • ESP: Enter the Security Parameter Index (SPI) value for the source. Valid range is 0-4294967295.

    • RAWIP: Enter the port number. Valid range is 0-255.

  3. Select the Source Type for the packet trace, and enter the source IP address.

    Source and destination types include IPv4, IPv6, and fully-qualified domain names (FQDN). You can specify IPv4 or IPv6 addresses and FQDN, if you use Cisco TrustSec.

  4. Select the Source Port for the packet trace.

  5. Select the Destination Type for the packet trace, and enter the destination IP address.

    Destination type options vary depending on the source type that you select.

  6. Select the Destination Port for the packet trace.

  7. If you want the packet tracer to enter a parent interface, which is later redirected to a subinterface, enter a VLAN ID.

    This value is optional for non-subinterfaces only, since all the interface types can be configured in a subinterface.

  8. Specify a Destination MAC Address for the packet trace.

    If the Secure Firewall Threat Defense device is running in transparent firewall mode, and the ingress interface is VTEP, Destination MAC Address is required if you enter a value in VLAN ID. However, if the interface is a bridge group member, Destination MAC Address is optional if you enter a VLAN ID value, but is required if you do not enter a VLAN ID value.

    If the Secure Firewall Threat Defense device is running in routed firewall mode, VLAN ID and Destination MAC Address are optional if the input interface is a bridge group member.

  9. (Optional) If you want the packet tracer to ignore the security checks in the simulated packet, click Bypass all security checks for simulated packet. This lets packet tracer continue tracing a packet through the system that would otherwise have been dropped.

  10. (Optional) To allow the packet to be sent out through the egress interface from the device, click Allow simulated packet to transmit from device.

  11. (Optional) If you want the packet tracer to consider the injected packet as an IPsec/SSL VPN-decrypted packet, click Treat simulated packet as IPsec/SSL VPN decrypt.

Step 6

To use a PCAP replay in the packet tracer, do the following:

  1. Click Select a PCAP File.

  2. To upload a new PCAP file, click Upload a PCAP file. To reuse a recently uploaded file, click the file name from the list.

    Note

    Only .pcap and .pcapng file formats are supported. The PCAP file can contain only a single TCP/UDP-based flow with a maximum of 100 packets. The maximum character limit for the PCAP file name (including the file extension) is 64.

  3. In the Upload PCAP box, you can either drag a PCAP file or click to browse to the location where the file is stored, and select the file. When you select the file, the upload process starts automatically.

Step 7

Click Trace.

Step 8

(Optional) If you want to modify any values, ensure you click Save PCAP and save the values before proceeding with the trace.

Step 9

(Optional) If you do not save the modified values of the PCAP file and click Trace, the Unsaved PCAP changes dialog box is displayed, which prompts you to save the file.

  1. Check the Save PCAP file check box.

  2. Enter a name for the PCAP file in the Name field.

  3. Click Save and Trace to save the changes and proceed with packet trace.

Note

The PCAP file name changes to the name entered in the Name field.

Step 10

You can track the status of the trace in the Events & Logs > Analysis > Audit Logs window. The following tasks can be tracked:

  • Saving a PCAP file

  • Uploading a PCAP file

  • Details of the packet trace


The Trace Result displays the results for each phase that the PCAP packets have traveled through the system. Click an individual packet to view the trace results for the packet. You can do the following:

  • Copy (copy icon) the trace results to the clipboard.

  • Expand or collapse (expand or collapse icon) the displayed results.

  • Maximize (maximize icon) the trace result window.

The elapsed time, which is useful for gauging the processing effort, is displayed for each phase. The results section also displays the total time taken for packets flowing from an ingress to an egress interface.

The Trace History pane displays the stored trace details for each PCAP trace. It can store up to 100 packet traces. You can select a saved trace and run the packet trace activity again. You can do the following:

  • Search for a trace using any of the trace parameters.

  • Disable saving of the trace to history using the slider (slider enabled icon) button.

  • Delete specific trace results.

  • Clear all the traces.
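
The upload limits given in the notes for Step 4 and Step 6 (supported extensions, a 64-character file name, at most 100 packets, a single flow) can be checked locally before a capture is uploaded. The following Python sketch is an added example, not Cisco code: it inspects only little-endian classic .pcap files with Ethernet/IPv4 framing, and its flow definition (VLAN ID, protocol, and the unordered address/port pair) and the names check_pcap, flow_key and make_pcap are assumptions of this example.

```python
import struct

MAX_PACKETS, MAX_NAME_LEN = 100, 64  # limits stated in the upload notes

def flow_key(frame):
    """Map an Ethernet frame to a direction-independent flow key (assumed definition)."""
    if len(frame) < 14:
        return ("short-frame",)
    ethertype, l3, vlan = struct.unpack_from("!H", frame, 12)[0], 14, None
    if ethertype == 0x8100 and len(frame) >= 18:  # single 802.1Q VLAN tag
        vlan = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
        ethertype, l3 = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype != 0x0800 or len(frame) < l3 + 20:
        return ("non-ipv4", ethertype)
    ihl, proto = (frame[l3] & 0x0F) * 4, frame[l3 + 9]
    if proto not in (6, 17) or len(frame) < l3 + ihl + 4:
        return ("non-tcp-udp", proto)
    sport, dport = struct.unpack_from("!HH", frame, l3 + ihl)
    # Sort the endpoints so both directions of a connection share one key.
    ends = sorted([(frame[l3 + 12:l3 + 16], sport), (frame[l3 + 16:l3 + 20], dport)])
    return (vlan, proto, *ends)

def check_pcap(name, data):
    """Return a list of problems; an empty list means the file fits the stated limits."""
    problems = []
    if not name.lower().endswith((".pcap", ".pcapng")):
        problems.append("unsupported extension")
    if len(name) > MAX_NAME_LEN:
        problems.append("file name longer than 64 characters")
    if data[:4] != b"\xd4\xc3\xb2\xa1":  # this sketch parses little-endian classic pcap only
        return problems + ["not a little-endian classic pcap; contents not inspected"]
    flows, count, off = set(), 0, 24  # records start after the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        flows.add(flow_key(data[off + 16:off + 16 + incl_len]))
        off, count = off + 16 + incl_len, count + 1
    if count > MAX_PACKETS:
        problems.append(f"{count} packets exceeds the 100-packet limit")
    if len(flows) > 1:
        problems.append(f"{len(flows)} flows found; only single-flow files are supported")
    return problems

def make_pcap(packets):
    """Build a constructed classic pcap from (src, sport, dst, dport) UDP tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, sport, dst, dport in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(src), bytes(dst))
        frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

To check a real capture, call check_pcap(path.name, path.read_bytes()); make_pcap exists only to build constructed test input.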