Use the Packet Tracer

To use a packet tracer on Secure Firewall Threat Defense devices, you must be an Admin or Maintenance user.

Procedure

Step 1

In Firewall Management Center, choose Devices > Troubleshoot > Packet Tracer.

Step 2

From the Select Device drop-down list, choose the device on which you want to run the trace.

Step 3

Choose Use Protocol to perform the configuration manually, or Upload or Edit a PCAP file to upload a packet capture (PCAP) file.

Step 4

If you choose to upload a PCAP file, do the following:

  1. Click the Upload or Edit a PCAP file drop-down list, and choose the Upload a PCAP file option. To use a recently uploaded file, click the file name from the available list.

    Note

    • Only .pcap and .pcapng file formats are supported.

    • The file can contain up to 100 packets. All packets must be from the same Ethernet connection or from the same VLAN-encapsulated TCP or UDP connection.

    • Multiflow PCAP files are not supported. Upload only single-flow PCAP files.

  2. If you choose to upload a PCAP file, drag and drop the PCAP file into the Upload PCAP dialog box or browse and select the PCAP file. After you select the file, the upload process starts automatically.

    Note

    • After you upload the file, the Protocol, Source Type, and Destination Type fields will be grayed, and cannot be edited. To make changes to these fields, you must upload a new PCAP file.

    • You can edit the source and destination IP addresses, source and destination ports, VLAN ID, destination MAC address (for a firewall in transparent mode), and the PCAP file name.

  3. Go to Step 7.

Step 5

If you choose to perform a manual configuration, do the following:

  1. From the Ingress Interface drop-down list, choose the ingress interface for the packet trace.

    Note

    Do not select VTI, because VTI as ingress interface is not supported for packet tracer.

  2. To define the trace parameters, from the Protocol drop-down list, select the packet type for the trace, and specify the protocol characteristics:

    • ICMP: Enter the ICMP type, ICMP code (0-255), and optionally, the ICMP identifier.

    • TCP/UDP/SCTP: Enter the source and destination port numbers.

    • GRE/IPIP: Enter the protocol number, 0-255.

    • ESP: Enter the Security Parameter Index (SPI) value for the source. Valid range is 0-4294967295.

    • RAWIP: Enter the port number. Valid range is 0-255.

  3. Select the Source Type for the packet trace, and enter the source IP address.

    Source and destination types include IPv4, IPv6, and fully-qualified domain names (FQDN). You can specify IPv4 or IPv6 addresses and FQDN, if you use Cisco TrustSec.

  4. Select the Source Port for the packet trace.

  5. Select the Destination Type for the packet trace, and enter the destination IP address.

    Destination type options vary depending on the source type that you select.

  6. Select the Destination Port for the packet trace.

  7. If you want the packet tracer to enter a parent interface, which is later redirected to a subinterface, enter a VLAN ID.

    This value is optional for non-subinterfaces only, since all the interface types can be configured in a subinterface.

  8. Specify a Destination MAC Address for the packet trace.

    If the Secure Firewall Threat Defense device is running in transparent firewall mode, and the ingress interface is VTEP, Destination MAC Address is required if you enter a value in VLAN ID. However if the interface is a bridge group member, Destination MAC Address is optional if you enter a VLAN ID value, but is required if you do not enter a VLAN ID value.

    If the Secure Firewall Threat Defense device is running in routed firewall mode, VLAN ID and Destination MAC Address are optional if the input interface is a bridge group member.

  9. (Optional) If you want the packet tracer to ignore the security checks in the simulated packet, click Bypass all security checks for simulated packet. This enables packet tracer to continue with tracing the packet through the system, which otherwise, would have been dropped.

  10. (Optional) To allow the packet to be sent out through the egress interface from the device, click Allow simulated packet to transmit from device.

  11. (Optional) If you want the packet tracer to consider the injected packet as an IPsec/SSL VPN-decrypted packet, click Treat simulated packet as IPsec/SSL VPN decrypt.

Step 6

From the Ingress Interface drop-down, choose the ingress interface for the packet trace.

Note

Do not select VTI. VTI as ingress interface is not supported for packet tracer.

Step 7

To use a PCAP replay in the packet tracer, do the following:

  1. Click Select a PCAP File.

  2. To upload a new PCAP file, click Upload a PCAP file. To reuse a recently uploaded file, click the file name from the list.

    Note

    Only .pcap and .pcapng file formats are supported. The PCAP file can contain only a single TCP/UDP-based flow with a maximum of 100 packets. The maximum character limit for the PCAP file name (including the file formats) is 64.

  3. In the Upload PCAP box, you can either drag a PCAP file or click to browse to the location where the file is stored, and select the file. When you select the file, the upload process starts automatically.

  4. Go to this step

Step 8

To define the trace parameters, from the Protocol drop-down list, select the packet type for the trace, and specify the protocol characteristics:

  • ICMP: Enter the ICMP type, ICMP code (0-255), and optionally, the ICMP identifier.

  • TCP/UDP/SCTP: Enter the source and destination port numbers.

  • GRE/IPIP: Enter the protocol number, 0-255.

  • ESP: Enter the Security Parameter Index (SPI) value for the source. Valid range is 0-4294967295.

  • RAWIP: Enter the port number. Valid range is 0-255.

Step 9

Select the Source Type for the packet trace, and enter the source IP address.

Source and destination types include IPv4, IPv6, and fully-qualified domain names (FQDN). You can specify IPv4 or IPv6 addresses and FQDN, if you use Cisco TrustSec.

Step 10

Select the Source Port for the packet trace.

Step 11

Select the Destination type for the packet trace, and enter the destination IP address.

Destination type options vary depending on the source type that you select.

Step 12

Select the Destination Port for the packet trace.

Step 13

Optionally, if you want to trace a packet where the Security Group Tag (SGT) value is embedded in the Layer 2 CMD header (TrustSec), enter a valid SGT number.

Step 14

If you want packet tracer to enter a parent interface, which is later redirected to a sub-interface, enter a VLAN ID.

This value is optional for non-sub-interfaces only, since all the interface types can be configured on a sub-interface.

Step 15

Specify a Destination MAC Address for the packet trace.

If the Secure Firewall Threat Defense device is running in transparent firewall mode, and the ingress interface is VTEP, Destination MAC Address is required if you enter a value in VLAN ID. Whereas if the interface is a bridge group member, Destination MAC Address is optional if you enter a VLAN ID value, but required if you do not enter a VLAN ID value.

If the Secure Firewall Threat Defense is running in routed firewall mode, VLAN ID and Destination MAC Address are optional if the input interface is a bridge group member.

Step 16

(Optional) If you want the packet-tracer to ignore the security checks on the simulated packet, click Bypass all security checks for simulated packet. This enables packet-tracer to continue with tracing of packet through the system which, otherwise would have been dropped.

Step 17

(Optional) To allow the packet to be sent out through the egress interface from the device, click Allow simulated packet to transmit from device.

Step 18

(Optional) If you want the packet-tracer to consider the injected packet as an IPsec/SSL VPN decrypted packet, click Treat simulated packet as IPsec/SSL VPN decrypt.

Step 19

Click Trace.

Step 20

(Optional) If you want to modify any values, ensure you click Save PCAP and save the values before proceeding with the trace.

Step 21

(Optional) If you do not save the modified values of the PCAP file and click Trace, the Unsaved PCAP changes dialog box is displayed, which prompts you to save the file.

  1. Check the Save PCAP file check box.

  2. Enter a name for the PCAP file in the Name field.

  3. Click Save and Trace to save the changes and proceed with packet trace.

Note

The PCAP file name changes to the name entered in the Name field.

Step 22

You can track the status of trace in the Events & Logs > Analysis > Audit Logs window. The following tasks can be tracked:

  • Saving a PCAP file

  • Uploading a PCAP file

  • Details of the packet trace

The Trace Result displays the results for each phase that the PCAP packets have traveled through the system. Click an individual packet to view the traces results for the packet. You can do the following:

  • Copy (Copycopy icon) the trace results to the clipboard.

  • Expand or collapse (Expand or collapseexpand or collapse icon) the displayed results.

  • Maximize (Maximizemaximize icon) the trace result window.

The time elapsed information, useful to gauge the processing efforts, is displayed for each phase. The results section also displays the total time taken for packets flowing from an ingress to an egress interface.

The Trace History pane displays the stored trace details for each PCAP trace. It can store up to 100 packet traces. You can select a saved trace and run the packet trace activity again. You can do the following:

  • Search for a trace using any of the trace parameters.

  • Disable saving of the trace to history using the Sliderslider enabled icon button.

  • Delete specific trace results.

  • Clear all the traces.