In article , ants wrote:
: how can you see what packets are being blocked on an
: access-list on a Cisco router? I know about "show access-list xxx" which
: shows how many times an access-list rule has been used, but I want to
: see the actual packets through the router.
There might perhaps be a more direct way, but the way that comes to mind is this:
Don't apply the access-list directly to the interface in question. Instead, create policy-based routing (PBR) and use that access-list to permit traffic through in the first policy. In the second policy of the PBR, redirect the remaining traffic to a loopback interface. Now, SPAN or RSPAN the loopback interface to your monitoring equipment.
See also "debug ip packet detail" -- but that can overwhelm your system easily, and has the problem that the access-list controls what is to be captured. But you could use the PBR approach listed above and debug everything that got sent to the loopback interface I described.
You might also be able to take advantage of "ip traffic-export profile".
If you have one of the advanced security features with the firewall feature, then you can use NBAR to capture traffic:
Cisco's features for -direct- capture and display of traffic are deliberately restricted as a security precaution.
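Below is an illustration of the PBR-plus-loopback arrangement described in the reply above, added here and not part of the original post. Interface names, IP addresses and the ACL contents are constructed for the example: ACL 101 stands in for the list whose denied packets you want to see, ACL 102 is an any/any list used only to catch "everything else", and the SPAN lines assume a platform that accepts a loopback as a SPAN source (many routers do not, in which case the "debug ip packet" option mentioned above is the fallback).

```cisco
! --- Hypothetical ACL under investigation (constructed entries) ---
access-list 101 remark traffic we want to allow through
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
!
! --- Catch-all list used only by the second PBR clause ---
access-list 102 permit ip any any
!
! --- Sink interface that the "would-be-denied" traffic is steered to ---
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
! --- Policy: clause 10 matches permitted traffic and has no "set",
!     so it is forwarded normally; clause 20 catches the remainder
!     and redirects it to the loopback instead of dropping it ---
route-map CAPTURE-DENIED permit 10
 match ip address 101
!
route-map CAPTURE-DENIED permit 20
 match ip address 102
 set interface Loopback0
!
! --- Apply the policy on the ingress interface INSTEAD of the ACL
!     (note: "ip access-group 101 in" is deliberately absent here) ---
interface FastEthernet0/0
 description ingress interface that used to carry the ACL
 ip address 203.0.113.1 255.255.255.0
 ip policy route-map CAPTURE-DENIED
!
! --- Mirror the loopback to the port where the sniffer sits
!     (platform permitting) ---
monitor session 1 source interface Loopback0
monitor session 1 destination interface FastEthernet0/1
```

If SPAN on the loopback is not available, the same policy still helps with the debug route: "debug ip packet 102 detail" limits the debug to the traffic that clause 20 sent to Loopback0, which is exactly the set the original access-list would have denied. Remember that while the route-map is in place the router is no longer actually blocking that traffic, so this is a diagnostic arrangement, not something to leave in production.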