Use the Packet Tracer

To use the packet tracer on Secure Firewall Threat Defense devices, you must be an Admin or Maintenance user.

Procedure


Step 1

On the management center, choose Devices > Packet Tracer.

Step 2

From the Select Device drop-down, choose the device on which you want to run the trace.

Step 3

From the Ingress Interface drop-down, choose the ingress interface for the packet trace.

Note

Do not select VTI. A VTI as the ingress interface is not supported for packet tracer.

Step 4

To use a PCAP replay in the packet-tracer, do the following:

  1. Click Select a PCAP File.

  2. To upload a new PCAP file, click Upload a PCAP file. To reuse a recently uploaded file, click the file from the list.

    Note

    Only .pcap and .pcapng file formats are supported. The PCAP file can contain only a single TCP/UDP based flow with a maximum of 100 packets. The PCAP file name, including the file extension, can be at most 64 characters long.

  3. In the Upload PCAP box, you can either drag a PCAP file or click in the box to browse and upload the file. On selecting the file, the upload process starts automatically.

  4. Go to this step.
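The limits in the note above can be checked before uploading a file. This Python check is an added example, not Cisco code: it reads only classic .pcap files with Ethernet/IPv4 frames (pcapng content is not parsed), assumes that both directions of one 5-tuple count as a single flow, and the names `check_pcap`, `flow_key` and `sample_pcap` are chosen here for illustration.

```python
import struct

MAX_NAME, MAX_PACKETS = 64, 100  # limits stated in the note above

def flow_key(frame):
    """Direction-independent key for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 4:  # 6 = TCP, 17 = UDP
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    ends = sorted([(ip[12:16], sport), (ip[16:20], dport)])  # assumption: both directions = one flow
    return (proto, *ends)

def check_pcap(name, data):
    """Return a list of problems; an empty list means the file fits the stated limits."""
    problems = []
    if len(name) > MAX_NAME:
        problems.append("file name exceeds 64 characters")
    if not name.lower().endswith((".pcap", ".pcapng")):
        problems.append("extension is not .pcap or .pcapng")
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])  # pcap magic
    if order is None or len(data) < 24:
        return problems + ["content not parsed (only classic pcap is handled here)"]
    if struct.unpack(order + "I", data[20:24])[0] != 1:  # link type 1 = Ethernet
        return problems + ["link type is not Ethernet; flow check skipped"]
    flows, count, off = set(), 0, 24
    while off + 16 <= len(data):  # 16-byte record header, then incl_len bytes of frame
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        flows.add(flow_key(data[off + 16:off + 16 + incl_len]))
        count, off = count + 1, off + 16 + incl_len
    real = flows - {None}
    if count > MAX_PACKETS:
        problems.append(f"{count} packets, limit is {MAX_PACKETS}")
    if None in flows:
        problems.append("contains frames not recognised as IPv4 TCP/UDP")
    if len(real) > 1:
        problems.append(f"{len(real)} flows found, only one is allowed")
    return problems

def sample_pcap(conversations, repeat=1):
    """Constructed test capture: one minimal Ethernet/IPv4/UDP frame per entry."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, sport, dport in conversations * repeat:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, src, dst)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

For a real capture, pass the file name and the bytes read from disk to `check_pcap` and resolve each reported problem before uploading.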

Step 5

To define the trace parameters, from the Protocol drop-down menu, select the packet type for the trace, and specify the protocol characteristics:

  • ICMP—Enter the ICMP type, ICMP code (0-255), and optionally, the ICMP identifier.

  • TCP/UDP/SCTP—Enter the source and destination port numbers.

  • GRE/IPIP—Enter the protocol number, 0-255.

  • ESP—Enter the SPI value for Source, 0-4294967295.

  • RAWIP—Enter the port number, 0-255.

Step 6

Select the Source Type for the packet trace, and enter the source IP address.

Source and destination types include IPv4, IPv6, and fully-qualified domain names (FQDN). You can specify IPv4 or IPv6 addresses and FQDN, if you use Cisco TrustSec.

Step 7

Select the Source Port for the packet trace.

Step 8

Select the Destination type for the packet trace, and enter the destination IP address.

Destination type options vary depending on the source type that you select.

Step 9

Select the Destination Port for the packet trace.

Step 10

Optionally, if you want to trace a packet where the Security Group Tag (SGT) value is embedded in the Layer 2 CMD header (TrustSec), enter a valid SGT number.

Step 11

If you want packet tracer to enter a parent interface, which is later redirected to a sub-interface, enter a VLAN ID.

This value is optional for non-sub-interfaces only, since all the interface types can be configured on a sub-interface.

Step 12

Specify a Destination MAC Address for the packet trace.

If the Secure Firewall Threat Defense device is running in transparent firewall mode, and the ingress interface is VTEP, Destination MAC Address is required if you enter a value in VLAN ID. Whereas if the interface is a bridge group member, Destination MAC Address is optional if you enter a VLAN ID value, but required if you do not enter a VLAN ID value.

If the Secure Firewall Threat Defense device is running in routed firewall mode, VLAN ID and Destination MAC Address are optional if the input interface is a bridge group member.

Step 13

(Optional) If you want the packet-tracer to ignore the security checks on the simulated packet, click Bypass all security checks for simulated packet. This lets packet-tracer continue tracing a packet through the system that would otherwise have been dropped.

Step 14

(Optional) To allow the packet to be sent out through the egress interface from the device, click Allow simulated packet to transmit from device.

Step 15

(Optional) If you want the packet-tracer to consider the injected packet as an IPsec/SSL VPN decrypted packet, click Treat simulated packet as IPsec/SSL VPN decrypt.

Step 16

Click Trace.


The Trace Result displays the results for each phase that the PCAP packets have traveled through in the system. Click an individual packet to view the trace results for that packet. You can do the following:

  • Copy the trace results to clipboard.

  • Expand or collapse the displayed results.

  • Maximize the trace result screen.

The time elapsed, which is useful for gauging the processing effort, is displayed for each phase. The total time taken for the entire flow of packets from an ingress to an egress interface is also displayed in the results section.

The Trace History pane displays the stored trace details for each PCAP trace. It can store up to 100 packet traces. You can select a saved trace and run the packet trace activity again. You can do the following:

  • Search for a trace using any of the trace parameters.

  • Disable saving of the trace to history using the button.

  • Delete specific trace results.

  • Clear all the traces.