Pix Packet Capture question.

[Hagfish]

I'm wondering how I can have the Pix capture traffic from only one incoming IP. I'm currently using this command:

capture captest buffer 2045952 interface dmz

This captures all of the traffic on the DMZ to a 2 meg file. The problem is there is so much traffic on the dmz that the 2 meg buffer fills up immediately and it's hard to isolate the problem I'm looking for. Is there a command that will allow me to capture only the IP I'm looking for so that the buffer doesn't fill up so fast?

P.S. the IP I'm wanting to filter is from the outside world, if that makes a difference..
Thanks,

--Pete

 

[Supergrrover]

You can capture via an access list -

access-list traffic-capture line 1 permitip host 10.0.0.2 host 192.168.9.2

capture captured-traffic access-list traffic-capture interface inside




Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Hagfish]

Ok, that makes sense except what's the "line 1" do in the access list example?

 

[horus42]

When you enter the access-list command for a given access list name the pix adds it to the end of the access list unless you specify the line number.



Hope that helps

 

[Hagfish]

Cool, thanks for the tips. This worked but I had to also reverse and do two access lists for it to show traffic both ways like this..

access-list traffic-capture line 1 permitip host 10.0.0.2 host 192.168.9.2
access-list traffic-capture line 2 permitip host 192.168.9.2 host 10.0.0.2

Thanks again