
Easy packet captures straight from the Cisco ASA firewall

Lori Hyde tells you how to capture packets directly from the Cisco ASA without using a separate packet-sniffing utility, first by setting up an ACL to define the traffic and then using the capture command.

Whether you are troubleshooting a difficult problem or chasing some interesting traffic, sometimes you need to pull a packet capture. Of course, you could configure and deploy a sniffer, but that is not the only solution you have at your fingertips. You can pull the packet capture directly from the Cisco ASA firewall. The Cisco ASA makes this an easy process.

There are at least two ways to configure your ASA to capture packets. If you prefer the GUI interface of the ASDM, you can use the Packet Capture Wizard tool by selecting it from the wizard menu.

However, I've found that if you don't mind getting your hands dirty, so to speak, the CLI interface is the way to go. You can identify the traffic you are looking for with an ACL and then set your interface to capture based on the ACL results. Here's an example of how easy it is to do this.

In this example, I want to capture all IP packets between a host at 192.168.80.51 and the test ASA at 192.168.81.52.

The first step is to set a quick ACL:

access-list testcap extended permit ip host 192.168.80.51 host 192.168.81.52

Then, we set up the capture using the capture command. We'll reference our ACL (testcap) as our "interesting" traffic, and we'll specify which interface we want to look at:

myasa# capture testcap interface inside

Admittedly, this is probably the command in its simplest form. There are many options you can configure as part of this command, including setting buffer sizes, setting a circular-buffer that overwrites itself when full, and selecting webvpn or isakmp traffic. The point is, with two quick commands, we've got a packet capture going! It just doesn't get much easier than that.

A quick show capture command verifies my capture is running.

myasa# sh capture
capture testcap type raw-data interface INSIDE [Capturing - 4314 bytes]

To stop the capture, use the no form of this command.

myasa# no capture testcap

Now let's look at the results. Here again, we have choices. We can look at the traffic in a browser directly from the ASA by opening a link (Figure A) like the following:
https://192.168.81.52/admin/capture/testcap

Figure A


While we see the traffic and much of the information, we cannot see all the detail of a regular packet capture. However, we can save this information as a libpcap file by opening the following link, and then open the file with Wireshark or a similar tool.

https://192.168.81.52/capture/testcap/pcap

Figure B shows this file when opened with Wireshark.

Figure B


The command line also provides options for looking at your data.

myasa# show capture testcap ?
  access-list    Display packets matching access list
  count          Display <number> of packets in capture
  decode         Display decode information for each packet
  detail         Display more information for each packet
  dump           Display hex dump for each packet
  packet-number  Display packet <number> in capture
  trace          Display extended trace information for each packet
  |              Output modifiers
  <cr>

Let's look at the first nine packets.

myasa# show capture testcap count 9
4532 packets captured
   1: 13:46:31.052746 192.168.81.52.22 > 192.168.80.51.2057: P 1290581619:1290581687(68) ack 941116409 win 8192
   2: 13:46:31.052884 192.168.80.51.2057 > 192.168.81.52.22: . ack 1290581687 win 65207
   3: 13:46:38.374583 arp who-has 192.168.80.219 tell 192.168.82.51
   4: 13:46:38.521655 arp who-has 192.168.80.204 tell 192.168.82.51
   5: 13:46:39.803120 192.168.81.52.443 > 192.168.80.51.3968: P 787673978:787675438(1460) ack 3043311886 win 8192
   6: 13:46:39.803150 192.168.81.52.443 > 192.168.80.51.3968: P 787675438:787675589(151) ack 3043311886 win 8192
   7: 13:46:39.803257 192.168.81.52.443 > 192.168.80.51.3968: P 787675589:787677049(1460) ack 3043311886 win 8192
   8: 13:46:39.803272 192.168.81.52.443 > 192.168.80.51.3968: P 787677049:787677200(151) ack 3043311886 win 8192
   9: 13:46:39.803287 192.168.81.52.443 > 192.168.80.51.3968: P 787677200:787677883(683) ack 3043311886 win 8192
9 packets shown
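The listing above is tcpdump-style text, one packet per line: packet number, timestamp, source and destination as address.port, then the protocol details (TCP flag letters, sequence range with the payload length in parentheses, ack and window; for ARP the who-has/tell pair; for UDP the word udp followed by the UDP payload length in bytes, the tcpdump convention). The Python below is an added example, not part of the article or of any Cisco tool; the sample input is constructed from the article's own lines plus two udp lines of the kind posted in the comments, and every function name (parse_show_capture, packets_outside_filter, bytes_per_flow) is my own. Besides parsing, it answers the question a practitioner asks first: does the buffer hold anything an ACL like the article's could not have matched? The ARP frames for unrelated addresses in the listing above are exactly that kind of packet, which is consistent with the comment below that the capture command as written omits the access-list keyword.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the ASA "show capture" listing:
# two TCP lines, two ARP lines and two UDP lines (UDP lines as in the comments).
SAMPLE = """\
4532 packets captured
   1: 13:46:31.052746 192.168.81.52.22 > 192.168.80.51.2057: P 1290581619:1290581687(68) ack 941116409 win 8192
   2: 13:46:31.052884 192.168.80.51.2057 > 192.168.81.52.22: . ack 1290581687 win 65207
   3: 13:46:38.374583 arp who-has 192.168.80.219 tell 192.168.82.51
   4: 13:46:38.521655 arp who-has 192.168.80.204 tell 192.168.82.51
   5: 13:54:35.157996 16.1.74.56.34479 > 173.26.113.133.161: udp 245
   6: 13:54:35.158942 173.26.113.133.161 > 16.1.74.56.34479: udp 252
6 packets shown
"""


@dataclass
class Packet:
    number: int
    time: str
    proto: str                 # "tcp", "udp", "arp" or "other"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: str = ""            # tcpdump-style TCP flag letters (P, S, F, R) or "."
    length: int = 0            # TCP payload bytes shown as "(n)", or the UDP payload length
    seq: Optional[int] = None
    ack: Optional[int] = None


_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_LINE = re.compile(r"^\s*(\d+):\s+(\d\d:\d\d:\d\d\.\d+)\s+(.*)$")
_UDP = re.compile(_IP + r"\.(\d+) > " + _IP + r"\.(\d+): udp (\d+)$")
_TCP = re.compile(_IP + r"\.(\d+) > " + _IP + r"\.(\d+): ([A-Z.]+)"
                  r"(?: (\d+):(\d+)\((\d+)\))?(?: ack (\d+))?(?: win (\d+))?")
_ARP = re.compile(r"arp who-has " + _IP + r" tell " + _IP)


def parse_show_capture(text: str) -> List[Packet]:
    """Turn 'show capture' listing text into Packet records; header and
    footer lines ("N packets captured/shown") carry no packet and are skipped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        num, ts, rest = int(m.group(1)), m.group(2), m.group(3).strip()
        if (u := _UDP.match(rest)):
            packets.append(Packet(num, ts, "udp", u[1], u[3], int(u[2]), int(u[4]),
                                  length=int(u[5])))
        elif (t := _TCP.match(rest)):
            packets.append(Packet(num, ts, "tcp", t[1], t[3], int(t[2]), int(t[4]),
                                  flags=t[5],
                                  length=int(t[8]) if t[8] else 0,   # pure ACKs carry no range
                                  seq=int(t[6]) if t[6] else None,
                                  ack=int(t[9]) if t[9] else None))
        elif (a := _ARP.match(rest)):
            # who-has <target> tell <sender>: the sender is the source
            packets.append(Packet(num, ts, "arp", src=a[2], dst=a[1]))
        else:
            packets.append(Packet(num, ts, "other", src="", dst=""))
    return packets


def packets_outside_filter(packets: List[Packet], host_a: str, host_b: str) -> List[Packet]:
    """Packets that an ACL of the form 'permit ip host A host B' could not have
    selected: non-IP frames, or IP packets with an endpoint outside the pair.
    A non-empty result in a capture that should be ACL-filtered means the
    filter was not applied when the capture was started."""
    allowed = {host_a, host_b}
    return [p for p in packets
            if p.proto not in ("tcp", "udp") or not {p.src, p.dst} <= allowed]


def bytes_per_flow(packets: List[Packet]) -> dict:
    """(src, sport, dst, dport) -> (packet count, summed payload length)."""
    totals = defaultdict(lambda: [0, 0])
    for p in packets:
        if p.proto in ("tcp", "udp"):
            key = (p.src, p.sport, p.dst, p.dport)
            totals[key][0] += 1
            totals[key][1] += p.length
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    pkts = parse_show_capture(SAMPLE)
    for p in packets_outside_filter(pkts, "192.168.80.51", "192.168.81.52"):
        print(f"outside ACL host pair: #{p.number} {p.proto} {p.src} -> {p.dst}")
    for flow, (count, nbytes) in bytes_per_flow(pkts).items():
        print(f"{flow}: {count} packets, {nbytes} payload bytes")
```

Run against the real thing by pasting the output of `show capture testcap` into SAMPLE (or reading it from a file); if packets_outside_filter reports anything for a capture that was meant to be ACL-bound, stop the capture and restart it with the access-list keyword before the buffer fills with unrelated traffic.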

We can also look at an entire packet from the CLI.

myasa# show capture testcap detail packet-number 5 dump
4532 packets captured
   5: 13:46:39.803120 0022.5597.25b9 0014.3815.89fb 0x0800 1514: 192.168.81.52.443 > 192.168.80.51.3968: P [tcp sum ok] 787673978:787675438(1460) ack 3043311886 win 8192 (ttl 255, id 54032)
0x0000   4500 05dc d310 0000 ff06 c052 c0a8 5134        E..........R..Q4
0x0010   c0a8 5033 01bb 0f80 2ef2 f37a b565 410e        ..P3.......z.eA.
0x0020   5018 2000 5488 0000 1703 0106 4654 db31        P. .T.......FT.1
0x0030   b3d4 0a5b 3295 f719 d82a 8767 6b8b dae1        ...[2....*.gk...
0x0040   0a54 0ea8 c8c4 1c61 c45c e321 452e 6ab6        .T.....a.\.!E.j.
0x0050   ba80 4e94 3801 d973 b4fe 97d4 8b2f 9e77        ..N.8..s...../.w

*Only a partial result is displayed.
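The hex dump is the raw packet, so everything in the summary line (addresses, ports, sequence and ack numbers, TTL, IP id, the PSH/ACK flags, the 1460-byte payload) can be recovered from it, and the payload's first bytes tell you what the flow actually carries. The Python below is an added example, not part of the article or of any Cisco tool; it decodes the bytes of the dump excerpt above (embedded as a constructed input string, with the function names parse_dump, ip_checksum_ok, decode_ipv4_tcp and classify_tls_record all my own). Two points a practitioner wants are built in: lengths are taken from the headers rather than from the bytes present, because the dump is only partial, and the IPv4 header checksum is verified independently, so a damaged or mis-copied dump is detected rather than silently mis-decoded.

```python
import re
import struct
import ipaddress

# Constructed input: the hex-dump lines of packet 5 from the article's
# "show capture testcap detail packet-number 5 dump" excerpt (partial packet).
DUMP = r"""
0x0000   4500 05dc d310 0000 ff06 c052 c0a8 5134        E..........R..Q4
0x0010   c0a8 5033 01bb 0f80 2ef2 f37a b565 410e        ..P3.......z.eA.
0x0020   5018 2000 5488 0000 1703 0106 4654 db31        P. .T.......FT.1
0x0030   b3d4 0a5b 3295 f719 d82a 8767 6b8b dae1        ...[2....*.gk...
0x0040   0a54 0ea8 c8c4 1c61 c45c e321 452e 6ab6        .T.....a.\.!E.j.
0x0050   ba80 4e94 3801 d973 b4fe 97d4 8b2f 9e77        ..N.8..s...../.w
"""

# One dump line: offset, one to eight 16-bit hex words, optional ASCII column.
_DUMP_LINE = re.compile(
    r"^0x([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{4}\s)*[0-9a-fA-F]{4})(?:\s{2,}.*)?$")

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSION = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_dump(text: str) -> bytes:
    """Reassemble packet bytes from the hex columns, checking that each line's
    offset equals the number of bytes collected so far (catches lost lines)."""
    out = bytearray()
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = _DUMP_LINE.match(line)
        if not m:
            raise ValueError(f"not a dump line: {line!r}")
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset gap before {line!r}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def ip_checksum_ok(header: bytes) -> bool:
    """RFC 791 header checksum: the one's-complement sum of all 16-bit words of
    the header, checksum field included, must fold to 0xFFFF."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP headers of a possibly truncated packet. The
    payload length comes from the IP total length, not from len(pkt)."""
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError(f"not TCP (IP protocol {proto})")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    tcp_len = (off_flags >> 12) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "ip_id": ip_id, "ip_checksum_ok": ip_checksum_ok(pkt[:ihl]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_BITS if off_flags & bit],
        "window": window,
        "payload_len": total_len - ihl - tcp_len,
        "payload": pkt[ihl + tcp_len:],   # only the bytes the dump actually showed
    }


def classify_tls_record(payload: bytes):
    """Return the TLS record header (type, version, length) if the payload
    starts with one, else None."""
    if len(payload) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", payload[:5])
    if ctype not in TLS_CONTENT or version not in TLS_VERSION:
        return None
    return {"content_type": TLS_CONTENT[ctype], "version": TLS_VERSION[version],
            "record_length": length}


if __name__ == "__main__":
    info = decode_ipv4_tcp(parse_dump(DUMP))
    print({k: v for k, v in info.items() if k != "payload"})
    print(classify_tls_record(info["payload"]))
```

Decoding this excerpt reproduces the summary line exactly (443 to 3968, seq 787673978, ack 3043311886, window 8192, TTL 255, id 54032, PSH+ACK, 1460 payload bytes) and identifies the payload as a TLS 1.0 application_data record of 1606 bytes. With its 5-byte header that is 1611 bytes, which is 1460 + 151, the lengths of packets 5 and 6 in the listing above: the record straddles the two segments. It also shows what the capture can and cannot give you for this flow: the headers are in the clear, the contents are ciphertext.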

So save your hardware or laptop sniffers for other parts of your network. Use your ASA to gather those snippets of network traffic that you need. But remember: in general, be kind to your ASA. When possible, create specific ACLs to refine the traffic you want to capture. Monitor your ASA while capturing packets and adjust the buffers if you need to. And, as always, refer to www.cisco.com for more detailed information.


10 comments
vladek7

>The first step is to set a quick ACL:

access-list testcap extended permit ip host 192.168.80.51 host 192.168.81.52

Then, we set up the capture using the capture command. We'll reference our ACL (testcap) as our "interesting" traffic, and we'll specify which interface we want to look at:

myasa# capture testcap interface inside

Admittedly, this is probably the command in its simplest form. There are many options you can configure as part of this command, including setting buffer sizes, setting a circular-buffer that overwrites itself when full, and selecting webvpn or isakmp traffic. The point is, with two quick commands, we've got a packet capture going! It just doesn't get much easier than that. <

I appreciate it is an old article and probably no one cares anymore, but the above is actually incorrect. I only say it because I was interested in learning how to do some troubleshooting on the ASA and found this tutorial. It was a frustrating few minutes before I figured out what was causing the buffer to fill up within seconds with ALL of the traffic going through my interface rather than only the access-list-targeted traffic.

To the point: the command 'capture testcap interface inside' will trigger the capture but without applying the access list named 'testcap'. You would need to issue the command in the form below:

capture testcap_buffer interface inside access-list testcap

This will start a capture on the inside interface, applying access list testcap and storing packets in testcap_buffer.

I hope someone else like me will find this comment useful.

Thanks

ebalmon

I have a screenshot of UDP traffic; let me know what the number that appears at the end of each line is, and why it sometimes repeats. Thanks

1: 13:54:35.157996 16.1.74.56.34479 > 173.26.113.133.161: udp 245
2: 13:54:35.158942 173.26.113.133.161 > 16.1.74.56.34479: udp 252
3: 13:58:09.909453 16.1.74.56.34479 > 173.26.113.133.161: udp 196
4: 13:58:09.910277 173.26.113.133.161 > 16.1.74.56.34479: udp 195
5: 13:58:09.943417 16.1.74.56.34479 > 173.26.113.133.161: udp 188
6: 13:58:09.943951 173.26.113.133.161 > 16.1.74.56.34479: udp 187
7: 13:58:09.982004 16.1.74.56.34479 > 173.26.113.133.161: udp 172

medfordmel

...and a timely one, too! I was afraid I'd have to set up a sniffer or sniffers behind one or two interfaces on my ASA to troubleshoot a conversation between an application server and its database server. I know the problem isn't my ASA, but I need to capture the conversation to demonstrate that to the application vendor. This will be much simpler and more cost-effective. Thank you!

donhawthrone

What is the difference between this and the log viewer in the GUI?

BALTHOR

First of all, why can't I look at the firmware in the device? Why do I have to geek it through a software program? A nickel says that the firmware is knocked out of even an optimal default setting. Click on the firmware virus scanner, the built-in firewall and fax file filter and you're free.

wizard57m-cnet

rather than to an old zombie thread. Briefly, you've got the time stamp, IP addresses, and UDP port being pinged. Try reposting this in the 'Q&A' forum. The 'Discussion' forum is for matters of general discussion, not specific problems in search of a solution. The 'Water Cooler' is for non-technical discussions. You can submit a question to 'Q&A' here: http://www.techrepublic.com/forum/questions/post?tag=mantle_skin;content There are TR members who specifically seek out problems in need of a solution. Although there is some overlap between the forums, you'll find more of those members in 'Q&A' than in 'Discussions' or 'Water Cooler'. Be sure to use the voting buttons to provide your feedback. Voting a '+' does not necessarily mean that a given response contained the complete solution to your problem, but that it served to guide you toward it. This is intended to serve as an aid to those who may in the future have a problem similar to yours. If they have a ready source of reference available, perhaps they won't need to repeat questions previously asked and answered. If a post did contain the solution to your problem, you can also close the question by marking the helpful post as "The Answer".

medfordmel

Typically, the log viewer isn't including this level of detail for all traffic. If it is, your device is probably extremely overworked. Packet captures include the source and destination address and port, along with the payload (contents), of every specified packet. That's why you need to filter this command with an access list, so as not to overutilize the CPU and/or RAM in the device. To do so would seriously impair the performance of the device. This level of detail is typically required only for troubleshooting or forensic investigation of specific conversations between specific hosts behind different interfaces of the ASA. Hope this helps.

o_altrad

Why do we use more than one key for our cars and homes?
