CCNP Security Question of the Week: Packet-tracer Command

Which two are intended use of the packet-tracer command? (Choose two.)

A. To filter and monitor ingress traffic to a switch
B. To configure an interface-specific packet trace
C. To simulate network traffic through a data path
D. To debug packet drops in a production network
E. To automatically correct an ACL entry in an ASA

Reveal Answer

Answer: C and D.

Per Cisco command documentation, the packet-tracer command provides detailed information about the packets and how they are processed by the security appliance. In the instance that a command from the configuration did not cause the packet to drop, the packet-tracer command will provide information about the cause in an easily readable manner. For example, if a packet was dropped because of an invalid header validation, a message is displayed that says, “packet dropped due to bad ip header (reason).”

The packet-tracer command can generate packets based on the 5 tuple information—source IP, destination IP, source port, destination port and protocol. The packet tracer does not populate the data part of the packet and as a result some engine checks will not be applicable. The packet tracer will show that the packet is dropped not because it did not pass the inspection checks but because there is not enough data to test against the inspection checks.

 

Related Resources
Cisco White Papers

Related Course
CCNP Security e-Camp

CCNP Security Question of the Week Series

• CCNP Security Question of the Week: Cisco ASA Security Context
• CCNP Security Question of the Week: Authenticating ASDM Users
• CCNP Security Question of the Week: Layer 5-7 Policy Maps
• CCNP Security Question of the Week: 802.1X
• CCNP Security Question of the Week: IPS Updates
• CCNP Security Question of the Week: IPsec VPN Tunnels
• CCNP Security Question of the Week: AnyConnect VPN Client
• CCNP Security Question of the Week: ASA AIP-SSM and ASA AIP-SSC
• CCNP Security Question of the Week: Disable DHCP Server Service
• CCNP Security Question of the Week: Cisco ASA Security Appliance Access List
• CCNP Security Question of the Week: Network Address Translation
• CCNP Security Question of the Week: Harden a Switch
• CCNP Security Question of the Week: SSH Login
• CCNP Security Question of the Week: Packet-Tracer Command
• CCNP Security Question of the Week: SSL Ciphers
• CCNP Security Question of the Week: VLAN Hopping
• CCNP Security Question of the Week: DHCP Server Service
• CCNP Security Question of the Week: Default Behavior of an Access List
• CCNP Security Question of the Week: NAT Control on Cisco ASA Version 8.3
• CCNP Security Question of the Week: IPS Anomaly Detection Features
• CCNP Security Question of the Week: Bogus IPv6 Addresses
• CCNP Security Question of the Week: Harden a Switch
• CCNP Security Question of the Week: SSH Login
• CCNP Security Question of the Week: NTP on a Cisco ASA Default Settings
• CCNP Security Question of the Week: Packet-tracer Command

from
CERTIVIEW