debug ip packet – Real-Time Packet Tracing on Cisco Devices

What is `debug ip packet`?

Definition: debug ip packet is a Cisco IOS command that enables real-time monitoring and display of IP packets as they are processed by a router. It is one of the most powerful, but potentially risky, troubleshooting tools available to network engineers.

Main Purpose: Diagnose live packet flows, complex routing, ACL (access-list), and connectivity issues at the packet level.
Visibility: Shows source, destination, interface, and the router’s decision (routed, denied, unroutable, etc.).

Basic Syntax and Usage

Action	Command	Explanation
Enable Debug	`debug ip packet`	Displays all processed IP packets (can overwhelm the CPU!)
Filtered Debug	`debug ip packet [access-list] [detail]`	Debug only packets matching the specified ACL (recommended)
Disable Debug	`undebug all` or `no debug all`	Stops all active debug processes (always do this when finished!)

Example: Debug only ICMP (ping) traffic:

access-list 100 permit icmp any any
debug ip packet 100

Interpreting Debug Output

IP: s=10.1.1.10 (Ethernet0), d=10.1.1.20 (Ethernet1), len 84, unroutable
IP: s=10.1.1.20 (Ethernet1), d=8.8.8.8 (Ethernet0), len 60, ACL deny

Field	Meaning
s=	Source IP and incoming interface
d=	Destination IP and outgoing interface
len	Packet length (bytes)
Status	Action (e.g., routed, ACL deny, unroutable)

Tip: Use debug output to see how your router handles each packet and where issues may be occurring (ACL block, missing route, etc.).

Impact of Debugging on Performance

Warning: Unfiltered debugging is extremely CPU-intensive and can disrupt or crash production routers!
Always filter with access-lists and use in low-traffic or lab environments.
Stop debug as soon as you have the info needed: undebug all

Using Access Lists (ACLs) to Filter Debug Output

Use ACLs to focus only on the relevant traffic and reduce system load.
Example: Only debug packets from host 192.168.10.5 to 10.0.0.20:

configure terminal
access-list 150 permit ip host 192.168.10.5 host 10.0.0.20
end
debug ip packet 150

Common Use Cases

Diagnosing Routing Problems: Confirm if packets are routed or dropped.
Identifying Packet Drops: Detect if packets are denied by ACLs or unroutable.
Verifying ACL Effectiveness: Check which traffic is permitted or denied in real time.
Detecting Routing Loops: See if the same packets keep circulating.

Stopping Debug Sessions

Always stop debugging immediately after collecting data:

undebug all or no debug all
undebug ip packet (to stop only IP packet debugging)

Security & Privacy Considerations

Debug output reveals sensitive info (IPs, protocols, actions).
Limit access to debug commands; use only with authorization.

Alternatives & Complementary Tools

Less Intrusive: show ip route, show ip cef – Safe for verifying tables and paths.
Packet Capture: Use tcpdump or Wireshark on connected hosts for deeper analysis without impacting router performance.

Example Scenario: Debugging a Packet Drop

Situation: John cannot reach 10.0.0.5 from 192.168.1.10.

Create a filter:

access-list 101 permit ip host 192.168.1.10 host 10.0.0.5

Enable debug:
```
debug ip packet 101
```
Generate traffic (ping from 192.168.1.10 to 10.0.0.5), observe debug output.
Interpretation:
- If output shows unroutable: Focus on routing table.
- If output shows ACL deny: Check the access-lists for misconfigurations.
Stop debugging:
```
undebug all
```

debug vs. show Commands for Packet Analysis

Feature	debug ip packet	show ip route / show ip cef
Purpose	Live, real-time packet tracing	Static table view of routing/forwarding
Resource Usage	High (can overload CPU)	Very low (safe in production)
Live Packet Info	Yes (actual packets)	No (routing info only)
Filtering	Yes (via ACL)	Not applicable
Output Format	Real-time console logs	Tabular summaries
Risk in Production	High—always use caution	Low
Security	May reveal sensitive data	Safer (static info only)
Stop Command	undebug all	Not needed

Exam Tips and Key Points

Never run unfiltered debug ip packet on production routers.
Know syntax for ACL filtering and debug commands.
Always stop debug with undebug all as soon as possible.
Show commands are preferred for routine verification.
Mention security and performance risks in your exam answers.
Combine debug with show and external captures for complete analysis.

Debug IP Packet – Real-Time Packet Tracing Quiz

1. What is the primary purpose of the `debug ip packet` command?

A. Display the routing table B. Clear all interface counters C. Show real-time packet processing information D. Enable interface debugging

Correct answer is C. The command shows real-time information about IP packets processed by the router.

2. Why is it recommended to use access list filters with `debug ip packet`?

A. To reduce CPU load and focus on relevant traffic B. To increase packet capture speed C. To disable debugging D. To enable logging to console

Correct answer is A. Filters limit debug output to only relevant packets, reducing CPU overhead.

3. Which command disables all debugging on a Cisco router?

A. debug stop B. no debug ip packet C. end debug D. undebug all

Correct answer is D. 'undebug all' stops all debug sessions to prevent router overload.

4. What does the debug output line `IP: s=10.1.1.10 (Ethernet0), d=10.1.1.20 (Ethernet1), len 84, unroutable` indicate?

A. Packet was successfully routed B. Packet is unroutable and dropped C. Packet is delayed D. Packet is encrypted

Correct answer is B. 'unroutable' means the router cannot forward the packet.

5. What risk does running `debug ip packet` without filters on a busy router pose?

A. High CPU usage causing performance degradation B. Log files get deleted C. Packets are dropped intentionally D. Router reloads automatically

Correct answer is A. Unfiltered debug outputs flood the console and overload the CPU.

6. How can you limit debugging to only packets from host 192.168.10.5 to 10.0.0.20?

A. debug ip packet host 192.168.10.5 B. access-list 150 deny ip any any C. Create access-list 150 permit ip host 192.168.10.5 host 10.0.0.20 and then run debug ip packet 150 D. debug ip packet 10.0.0.20

Correct answer is C. Using an ACL filter with debug limits output to specified source and destination IPs.

7. Which command is recommended to stop debugging if your console is flooded with output?

A. no debug ip packet B. clear logging C. show logging D. undebug all

Correct answer is D. 'undebug all' immediately stops all debug output to prevent router overload.

8. What information does the 's=' and 'd=' fields in debug output indicate?

A. Source and destination MAC addresses B. Source and destination IP addresses C. Source and destination VLANs D. Source and destination protocols

Correct answer is B. 's=' and 'd=' represent source and destination IP addresses respectively.

9. Which of the following is a less intrusive alternative to `debug ip packet` for packet analysis?

A. Using Wireshark or tcpdump on connected hosts B. Running show interfaces repeatedly C. Increasing the logging buffer size D. Clearing the debug output

Correct answer is A. Packet capture tools like Wireshark/tcpdump avoid overloading the router and provide detailed analysis.

10. What should you do immediately after collecting enough debug information?

A. Keep debugging for better data B. Reboot the router C. Stop debugging with undebug all D. Clear the routing table

Correct answer is C. Stopping debug after sufficient data avoids router overload and instability.

← Back to Home