In the course of time, it becomes necessary to run packet captures in order to understand where issues are within a network. In this case, I’ve done this so many times I figured it would be easy enough to write a quick blog on it.
DISCLAIMER: Make sure you know what access-list or lists you’re modifying in Config mode.
######################################
### Here we will go over exactly how
### to create a packet capture and
### how to view it via the CLI as well as
### how to download it in PCAP file
######################################
##########
### enter system global config mode
##########
Configure terminal
conf t
##########
### START with creating an access list that is going to capture data from ALL directions needed
###
### Make sure that if you're just monitoring traffic between two hosts, that you setup your ACL like this:
##########
ErdmanorASA(config)# access-list temp_packet_capture permit ip host 192.168.1.10 host 8.8.8.8 log error
ErdmanorASA(config)# access-list temp_packet_capture permit ip host 8.8.8.8 host 192.168.1.10 log error
### you may need to know some interface specific information, so don’t forget to:
ErdmanorASA(config)# sh ip add
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 1.1.1.1 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 192.168.1.1 255.255.255.0 CONFIG
GigabitEthernet0/2 DMZ 10.1.1.1 255.255.255.0 CONFIG
GigabitEthernet0/3.1 failover 169.254.0.1 255.255.255.252 unset
GigabitEthernet0/3.2 failover-state 169.254.0.5 255.255.255.252 unset
Management0/0 TESTDMZ 10.2.2.2 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 1.1.1.1 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 192.168.1.1 255.255.255.0 CONFIG
GigabitEthernet0/2 DMZ 10.1.1.1 255.255.255.0 CONFIG
GigabitEthernet0/3.1 failover 169.254.0.2 255.255.255.252 unset
GigabitEthernet0/3.2 failover-state 169.254.0.6 255.255.255.252 unset
Management0/0 TESTDMZ 10.2.2.2 255.255.255.0 CONFIG
############
### Here we are going to apply the packet capture on an interface (in this case the “inside” interface”)
### we’re specifying to capture the last 10000000 packets
ErdmanorASA(config)# capture steve interface inside access-list temp_packet_capture buffer 10000000 packet-length 1522
############
### this command shows any current captures that are taking place (your capture should be in there if you set one up)
ErdmanorASA(config)# sh capture
capture steve type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Inside [Capturing - 301082 bytes]
capture steve2 type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Ouside [Capturing - 298168 bytes]
############
### show the capture you just made
ErdmanorASA(config)# sh capture temp_packet_capture
ErdmanorASA(config)# show cap steve
2024 packets captured
1: 16:30:31.895690 192.168.1.10.44441 > 8.8.8.8.5120: S 4293989912:4293989912(0) win 14600 <mss 1380,sackOK,timestamp 408760499 0,nop,wscale 9>
2: 16:30:31.895903 8.8.8.8.5120 > 192.168.1.10.44441: S 4128260078:4128260078(0) ack 4293989913 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 173100302 408760499>
3: 16:30:31.896193 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
4: 16:30:31.896514 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
5: 16:30:32.097300 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760550 173100302>
6: 16:30:32.097452 10.52.11.6.5120 > 192.168.1.10.44441: . ack 4293990409 win 256 <nop,nop,timestamp 173100322 408760499,nop,nop,sack sack 1 {4293989913:4293990409} >
7: 16:30:32.469412 10.52.11.6.5120 > 192.168.1.10.44441: P 4128260079:4128260495(416) ack 4293990409 win 256 <nop,nop,timestamp 173100359 408760499>
8: 16:30:32.469564 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
9: 16:30:32.469625 192.168.1.10.44441 > 8.8.8.8.5120: P 4293990409:4293990490(81) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
10: 16:30:32.469824 192.168.1.10.44441 > 8.8.8.8.5120: P 4293990490:4293990572(82) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
...
...
ErdmanorASA(config)# sh log | grep 192.168.1.10
%ASA-6-302014: Teardown TCP connection 1082311710 for outside:8.8.8.8/443 to inside:192.168.1.10/54210 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082311788 for outside:8.8.8.8/443 to inside:192.168.1.10/54211 duration 0:00:00 bytes 5856 TCP FINs
ErdmanorASA(config)# sh log | grep 192.168.1.10
%ASA-6-302014: Teardown TCP connection 1082312752 for outside:8.8.8.8/443 to inside:192.168.1.10/54212 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082312815 for outside:8.8.8.8/443 to inside:192.168.1.10/54213 duration 0:00:00 bytes 5856 TCP FINs
##############
###To clean-up the ASA when you're done
##############
##############
### to kill the capture you created
no capture temp_packet_capture
##############
###
ErdmanorASA(config)# access-list temp_packet_capture permit ip host 192.168.1.10 host 8.8.8.8 log error
ErdmanorASA(config)# access-list temp_packet_capture permit ip host 8.8.8.8 host 192.168.1.10 log error
### Here we will go over exactly how
### to create a packet capture and
### how to view it via the CLI as well as
### how to download it in PCAP file
######################################
##########
### enter system global config mode
##########
Configure terminal
conf t
##########
### START with creating an access list that is going to capture data from ALL directions needed
###
### Make sure that if you're just monitoring traffic between two hosts, that you setup your ACL like this:
##########
ErdmanorASA(config)# access-list temp_packet_capture permit ip host 192.168.1.10 host 8.8.8.8 log error
ErdmanorASA(config)# access-list temp_packet_capture permit ip host 8.8.8.8 host 192.168.1.10 log error
### you may need to know some interface specific information, so don’t forget to:
ErdmanorASA(config)# sh ip add
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 1.1.1.1 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 192.168.1.1 255.255.255.0 CONFIG
GigabitEthernet0/2 DMZ 10.1.1.1 255.255.255.0 CONFIG
GigabitEthernet0/3.1 failover 169.254.0.1 255.255.255.252 unset
GigabitEthernet0/3.2 failover-state 169.254.0.5 255.255.255.252 unset
Management0/0 TESTDMZ 10.2.2.2 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 1.1.1.1 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 192.168.1.1 255.255.255.0 CONFIG
GigabitEthernet0/2 DMZ 10.1.1.1 255.255.255.0 CONFIG
GigabitEthernet0/3.1 failover 169.254.0.2 255.255.255.252 unset
GigabitEthernet0/3.2 failover-state 169.254.0.6 255.255.255.252 unset
Management0/0 TESTDMZ 10.2.2.2 255.255.255.0 CONFIG
############
### Here we are going to apply the packet capture on an interface (in this case the “inside” interface”)
### we’re specifying to capture the last 10000000 packets
ErdmanorASA(config)# capture steve interface inside access-list temp_packet_capture buffer 10000000 packet-length 1522
############
### this command shows any current captures that are taking place (your capture should be in there if you set one up)
ErdmanorASA(config)# sh capture
capture steve type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Inside [Capturing - 301082 bytes]
capture steve2 type raw-data access-list temp_packet_capture buffer 10000000 packet-length 1522 interface Ouside [Capturing - 298168 bytes]
############
### show the capture you just made
ErdmanorASA(config)# sh capture temp_packet_capture
ErdmanorASA(config)# show cap steve
2024 packets captured
1: 16:30:31.895690 192.168.1.10.44441 > 8.8.8.8.5120: S 4293989912:4293989912(0) win 14600 <mss 1380,sackOK,timestamp 408760499 0,nop,wscale 9>
2: 16:30:31.895903 8.8.8.8.5120 > 192.168.1.10.44441: S 4128260078:4128260078(0) ack 4293989913 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 173100302 408760499>
3: 16:30:31.896193 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
4: 16:30:31.896514 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760499 173100302>
5: 16:30:32.097300 192.168.1.10.44441 > 8.8.8.8.5120: P 4293989913:4293990409(496) ack 4128260079 win 29 <nop,nop,timestamp 408760550 173100302>
6: 16:30:32.097452 10.52.11.6.5120 > 192.168.1.10.44441: . ack 4293990409 win 256 <nop,nop,timestamp 173100322 408760499,nop,nop,sack sack 1 {4293989913:4293990409} >
7: 16:30:32.469412 10.52.11.6.5120 > 192.168.1.10.44441: P 4128260079:4128260495(416) ack 4293990409 win 256 <nop,nop,timestamp 173100359 408760499>
8: 16:30:32.469564 192.168.1.10.44441 > 8.8.8.8.5120: . ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
9: 16:30:32.469625 192.168.1.10.44441 > 8.8.8.8.5120: P 4293990409:4293990490(81) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
10: 16:30:32.469824 192.168.1.10.44441 > 8.8.8.8.5120: P 4293990490:4293990572(82) ack 4128260495 win 31 <nop,nop,timestamp 408760643 173100359>
...
...
ErdmanorASA(config)# sh log | grep 192.168.1.10
%ASA-6-302014: Teardown TCP connection 1082311710 for outside:8.8.8.8/443 to inside:192.168.1.10/54210 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082311788 for outside:8.8.8.8/443 to inside:192.168.1.10/54211 duration 0:00:00 bytes 5856 TCP FINs
ErdmanorASA(config)# sh log | grep 192.168.1.10
%ASA-6-302014: Teardown TCP connection 1082312752 for outside:8.8.8.8/443 to inside:192.168.1.10/54212 duration 0:00:00 bytes 7295 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1082312815 for outside:8.8.8.8/443 to inside:192.168.1.10/54213 duration 0:00:00 bytes 5856 TCP FINs
##############
###To clean-up the ASA when you're done
##############
##############
### to kill the capture you created
no capture temp_packet_capture
##############
###
ErdmanorASA(config)# access-list temp_packet_capture permit ip host 192.168.1.10 host 8.8.8.8 log error
ErdmanorASA(config)# access-list temp_packet_capture permit ip host 8.8.8.8 host 192.168.1.10 log error