Cisco ASA 8.3(and up) packet capturing

Sooner or later you need to run packet captures to understand where the issues are within a network. I’ve done this so many times I figured it would be easy enough to write a quick blog on it.

DISCLAIMER: Make sure you know what access-list or lists you’re modifying in Config mode.

######################################
###   Here we will go over exactly how
###   to create a packet capture and
###   how to view it via the CLI as well as
###   how to download it as a PCAP file
######################################


##########
### enter global configuration mode (full command, or its short form)
##########
configure terminal
conf t

##########
### Start by creating an access list that is going to capture data in ALL the directions you need
###
### If you're just monitoring traffic between two hosts, make sure you set up your ACL with one entry per direction, like this:
##########


ErdmanorASA(config)# access-list temp_packet_capture permit ip host 192.168.1.10 host 8.8.8.8 log error
ErdmanorASA(config)# access-list temp_packet_capture permit ip host 8.8.8.8 host 192.168.1.10 log error


### you may need to know some interface-specific information (names, addresses), so don’t forget to:
ErdmanorASA(config)# sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                1.1.1.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 192.168.1.1     255.255.255.0   CONFIG
GigabitEthernet0/2       DMZ                    10.1.1.1        255.255.255.0   CONFIG
GigabitEthernet0/3.1     failover               169.254.0.1     255.255.255.252 unset
GigabitEthernet0/3.2     failover-state         169.254.0.5     255.255.255.252 unset
Management0/0            TESTDMZ                10.2.2.2        255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                1.1.1.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 192.168.1.1     255.255.255.0   CONFIG
GigabitEthernet0/2       DMZ                    10.1.1.1        255.255.255.0   CONFIG
GigabitEthernet0/3.1     failover               169.254.0.2     255.255.255.252 unset
GigabitEthernet0/3.2     failover-state         169.254.0.6     255.255.255.252 unset
Management0/0            TESTDMZ                10.2.2.2        255.255.255.0   CONFIG


############
### Here we are going to apply the packet capture on an interface (in this case the “inside” interface)
### we’re specifying to capture the last 10000000 packets
ErdmanorASA(config)# capture steve interface inside access-list temp_packet_capture buffer 10000000 packet-length 1522


############
### this command shows any current captures that are taking place (your capture should be in there if you set one up)
ErdmanorASA(config)# sh capture
capture steve type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Inside [Capturing - 301082 bytes]
capture steve2 type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Ouside [Capturing - 298168 bytes]

############
### show the capture you just made (use the capture name, “steve”, not the access-list name)
ErdmanorASA(config)# show cap steve

2024 packets captured

   1: 16:30:31.895690 192.168.1.10.44441 > 8.8.8.8.5120: S 4293989912:4293989912(0) win 14600 <mss 1380,sackOK,timestamp 408760499 0,nop,wscale 9>
   2: 16:30:31.895903 8.8.8.8.5120 > 192.168.1.10.44441: S 4128260078:4128260078(0) ack 4293989913 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 173100302 408760499>
   3: 16:30:31.896193 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   4: 16:30:31.896514 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   5: 16:30:32.097300 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760550 173100302>
   6: 16:30:32.097452 10.52.11.6.5120 > 192.168.1.10.44441: . ack 4293990409 win 256 <nop,nop,timestamp 173100322 408760499,nop,nop,sack sack 1 {4293989913:4293990409} >
   7: 16:30:32.469412 10.52.11.6.5120 > 192.168.1.10.44441: P 4128260079:4128260495(416) ack 4293990409 win 256 <nop,nop,timestamp 173100359 408760499>
   8: 16:30:32.469564 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
   9: 16:30:32.469625 192.168.1.10.44441 > 8.8.8.8.5120: P 4293990409:4293990490(81) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
  10: 16:30:32.469824 192.168.1.10.44441 > 8.8.8.8.5120: P 4293990490:4293990572(82) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
...
...
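Reading a long capture listing by eye gets old fast, so here is an added Python example (my own, not from the post or Cisco) that parses the `show capture` text format shown above and flags retransmitted segments. It uses packets 1-5 of the listing above as sample input; packet 5 repeats the data of packet 4, which is exactly the kind of thing you capture to find.

```python
import re
# One line of Cisco ASA "show capture <name>" output looks like:
#   4: 16:30:31.896514 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <...>
# The "seq:end(len)" group is present only on SYN/FIN and data-bearing segments.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>[\d:.]+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<length>\d+)\))?"
)

# Sample input: packets 1-5 of the "show cap steve" output above, header line included.
SAMPLE = """\
2024 packets captured
   1: 16:30:31.895690 192.168.1.10.44441 > 8.8.8.8.5120: S 4293989912:4293989912(0) win 14600 <mss 1380,sackOK,timestamp 408760499 0,nop,wscale 9>
   2: 16:30:31.895903 8.8.8.8.5120 > 192.168.1.10.44441: S 4128260078:4128260078(0) ack 4293989913 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 173100302 408760499>
   3: 16:30:31.896193 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   4: 16:30:31.896514 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
   5: 16:30:32.097300 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760550 173100302>
"""

def parse_capture(text):
    """Parse show-capture lines into dicts; lines that are not packets (header, '...') are skipped."""
    packets = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        d = m.groupdict()
        packets.append({
            "num": int(d["num"]), "ts": d["ts"], "flags": d["flags"],
            "src": (d["src"], int(d["sport"])), "dst": (d["dst"], int(d["dport"])),
            "seq": (int(d["seq"]), int(d["end"])) if d["seq"] else None,
            "length": int(d["length"] or 0),
        })
    return packets

def find_retransmissions(packets):
    """Return (first_num, repeat_num) pairs where one sender sent the same data segment
    twice: a retransmission, meaning the first copy or its ACK did not make it through."""
    seen, repeats = {}, []
    for p in packets:
        if p["length"] == 0:
            continue  # SYNs and pure ACKs carry no data, so a repeat is not a retransmission
        key = (p["src"], p["dst"], p["seq"])
        if key in seen:
            repeats.append((seen[key], p["num"]))
        else:
            seen[key] = p["num"]
    return repeats

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    print(f"{len(pkts)} packets parsed, retransmissions (first, repeat): {find_retransmissions(pkts)}")
```

Feed it the full listing (or `show capture steve` saved to a file) and the pairs it returns are the packet numbers to look at in the PCAP.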


############
### check the log for the host's connections; the 302014 teardown message includes the close reason
ErdmanorASA(config)#   sh log | grep 192.168.1.10
%ASA-6-302014: Teardown TCP connection 1082311710 for outside:8.8.8.8/443 to inside:192.168.1.10/54210 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082311788 for outside:8.8.8.8/443 to inside:192.168.1.10/54211 duration 0:00:00 bytes 5856 TCP FINs
ErdmanorASA(config)#   sh log | grep 192.168.1.10
%ASA-6-302014: Teardown TCP connection 1082312752 for outside:8.8.8.8/443 to inside:192.168.1.10/54212 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082312815 for outside:8.8.8.8/443 to inside:192.168.1.10/54213 duration 0:00:00 bytes 5856 TCP FINs
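As an added example, not part of the original post: a Python parser for the 302014 teardown messages shown above that tallies close reasons per host and lists connections ended by a reset, so the log can be matched against the capture. The meaning of the reason strings (TCP FINs = normal close, TCP Reset-I / Reset-O = RST sent by the inside / outside endpoint) comes from Cisco's syslog message documentation, not from the post.

```python
import re
from collections import Counter

# Cisco ASA syslog 302014 (TCP connection teardown), as returned by "sh log | grep <host>" above:
#   %ASA-6-302014: Teardown TCP connection 1082311710 for outside:8.8.8.8/443 to inside:192.168.1.10/54210 duration 0:00:00 bytes 7295 TCP Reset-I
# search() rather than match() so a logging timestamp prefix before "%ASA" does not matter.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

# Sample input: the four teardown lines shown above, with a CLI prompt line left in on purpose.
SAMPLE_LOG = """\
ErdmanorASA(config)#   sh log | grep 192.168.1.10
%ASA-6-302014: Teardown TCP connection 1082311710 for outside:8.8.8.8/443 to inside:192.168.1.10/54210 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082311788 for outside:8.8.8.8/443 to inside:192.168.1.10/54211 duration 0:00:00 bytes 5856 TCP FINs
%ASA-6-302014: Teardown TCP connection 1082312752 for outside:8.8.8.8/443 to inside:192.168.1.10/54212 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082312815 for outside:8.8.8.8/443 to inside:192.168.1.10/54213 duration 0:00:00 bytes 5856 TCP FINs
"""

def parse_teardowns(text):
    """Return one dict per 302014 message; prompts and other messages are skipped."""
    events = []
    for m in filter(None, map(TEARDOWN_RE.search, text.splitlines())):
        d = m.groupdict()
        h, mi, s = (int(x) for x in d["dur"].split(":"))
        events.append({
            "conn": int(d["conn"]),
            "src": (d["src_if"], d["src"], int(d["sport"])),
            "dst": (d["dst_if"], d["dst"], int(d["dport"])),
            "seconds": h * 3600 + mi * 60 + s,
            "bytes": int(d["bytes"]),
            "reason": d["reason"],
        })
    return events

def reasons_for(events, host):
    """Count teardown reasons for connections involving `host`. 'TCP FINs' is a normal
    close; 'TCP Reset-I' / 'TCP Reset-O' means the inside / outside endpoint sent a RST,
    which tells you which side to look at in the capture."""
    return Counter(e["reason"] for e in events if host in (e["src"][1], e["dst"][1]))

def abrupt_closes(events):
    """Connection IDs torn down by a reset after carrying data: the ones to match against the capture."""
    return [e["conn"] for e in events if e["reason"].startswith("TCP Reset") and e["bytes"] > 0]
```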



##############
### To clean up the ASA when you're done
##############



##############
### to kill the capture you created (again by its capture name, not the access-list name)
no capture steve


##############
### to remove the temporary access-list entries you added at the start
ErdmanorASA(config)# no access-list temp_packet_capture permit ip host 192.168.1.10 host 8.8.8.8 log error
ErdmanorASA(config)# no access-list temp_packet_capture permit ip host 8.8.8.8 host 192.168.1.10 log error
