Lori Hyde tells you how to capture packets directly from the Cisco ASA without using a separate packet-sniffing utility, first by setting up an ACL to define the traffic and then using the capture command.
Whether you are troubleshooting a difficult problem or chasing some interesting traffic, sometimes you need to pull a packet capture. Of course, you could configure and deploy a sniffer, but that is not the only solution you have at your fingertips. You can pull the packet capture directly from the Cisco ASA firewall. The Cisco ASA makes this an easy process.
There are at least two ways to configure your ASA to capture packets. If you prefer the GUI interface of the ASDM, you can use the Packet Capture Wizard tool by selecting it from the wizard menu.
However, I've found that if you don't mind getting your hands dirty, so to speak, the CLI interface is the way to go. You can identify the traffic you are looking for with an ACL and then set your interface to capture based on the ACL results. Here's an example of how easy it is to do this.
In this example, I want to capture all IP packets between a host at 192.168.80.51 and the test ASA at 192.168.81.52.
The first step is to set a quick ACL:
access-list testcap extended permit ip host 192.168.80.51 host 192.168.81.52
Then, we set up the capture using the capture command. We'll reference our ACL (testcap) as our "interesting" traffic, and we'll specify which interface we want to look at:
myasa# capture testcap interface inside
Admittedly, this is probably the command in its simplest form. There are many options you can configure as part of this command, including setting buffer sizes, setting a circular-buffer that overwrites itself when full, and selecting webvpn or isakmp traffic. The point is, with two quick commands, we've got a packet capture going! It just doesn't get much easier than that.
A quick show capture command verifies my capture is running.
myasa# sh capture
capture testcap type raw-data interface INSIDE [Capturing - 4314 bytes]
To stop the capture, use the no form of this command.
myasa # no capture testcapNow let's look at the results. Here again, we have choices. We can look at the traffic via a browser directly from the ASA by opening an http link (Figure A) like the following:
Click to enlarge.
While we see the traffic and much of the information, we cannot see all the detail of a regular packet capture. However, we can save this info as a libpcap file with the following command, and then open this file with Wireshark or such.
https://192.168.81.52/capture/testcap/pcapFigure B shows this file when opened with Wireshark.
Click to enlarge.
The command line also provides options for looking at your data.
myasa# show capture testcap ?
access-list Display packets matching access list
count Display <number> of packets in capture
decode Display decode information for each packet
detail Display more information for each packet
dump Display hex dump for each packet
packet-number Display packet <number> in capture
trace Display extended trace information for each packet
| Output modifiers
Let's look at the first nine packets.
myasa# show capture testcap count 9
4532 packets captured
1: 13:46:31.052746 192.168.81.52.22 > 192.168.80.51.2057: P 1290581619:1290581687(68) ack 941116409 win 8192
2: 13:46:31.052884 192.168.80.51.2057 > 192.168.81.52.22: . ack 1290581687 win 65207
3: 13:46:38.374583 arp who-has 192.168.80.219 tell 192.168.82.51
4: 13:46:38.521655 arp who-has 192.168.80.204 tell 192.168.82.51
5: 13:46:39.803120 192.168.81.52.443 > 192.168.80.51.3968: P 787673978:787675438(1460) ack 3043311886 win 8192
6: 13:46:39.803150 192.168.81.52.443 > 192.168.80.51.3968: P 787675438:787675589(151) ack 3043311886 win 8192
7: 13:46:39.803257 192.168.81.52.443 > 192.168.80.51.3968: P 787675589:787677049(1460) ack 3043311886 win 8192
8: 13:46:39.803272 192.168.81.52.443 > 192.168.80.51.3968: P 787677049:787677200(151) ack 3043311886 win 8192
9: 13:46:39.803287 192.168.81.52.443 > 192.168.80.51.3968: P 787677200:787677883(683) ack 3043311886 win 8192
9 packets shown
We can also look at an entire packet from the CLI.
myasa# show capture testcap detail packet-number 5 dump
4532 packets captured
5: 13:46:39.803120 0022.5597.25b9 0014.3815.89fb 0x0800 1514: 192.168.81.52.443 > 192.168.80.51.3968: P [tcp sum ok] 787673978:787675438(1460) ack 30 43311886 win 8192 (ttl 255, id 54032)
0x0000 4500 05dc d310 0000 ff06 c052 c0a8 5134 E..........R..Q4
0x0010 c0a8 5033 01bb 0f80 2ef2 f37a b565 410e ..P3.......z.eA.
0x0020 5018 2000 5488 0000 1703 0106 4654 db31 P. .T.......FT.1
0x0030 b3d4 0a5b 3295 f719 d82a 8767 6b8b dae1 ...[2....*.gk...
0x0040 0a54 0ea8 c8c4 1c61 c45c e321 452e 6ab6 .T.....a.\.!E.j.
0x0050 ba80 4e94 3801 d973 b4fe 97d4 8b2f 9e77 ..N.8..s...../.w
*Only a partial result is displayed.
So save your hardware or laptop sniffers for other parts of your network. Use your ASA to gather those snippets of network traffic that you need. But remember: in general, be kind to your ASA. When possible, create specific ACLs to refine the traffic you want to capture. Monitor your ASA while capturing packets and adjust the buffers if you need to. And, as always, refer to www.cisco.com for more detailed information.
Want to learn more about router and switch management? Automatically sign up for our free Cisco Technology newsletter, delivered each Friday!