Scenario:
Make: Cisco
Model: ASA 5506-X, ASA 5506 W-X, ASA 5508-X, Cisco ASA 5500 Series
Mode: CLI [SSH]
Version: ASA version 9.x or later
Description: This article describes, step by step, how to run a packet capture and retrieve the resulting PCAP on Cisco ASA firewalls from the CLI. The same packet capture can also be configured via the GUI (ASDM).
Introduction
Packet capture is useful for troubleshooting connectivity problems or monitoring suspicious activity. Multiple captures can be created to analyse different types of traffic on multiple interfaces.
In this example we capture packets from a client on the inside interface with IP 192.168.1.11; the outside address is 101.202.303.404.
Configure Packet Capture with the CLI
Step 1: Login
Log in to the Cisco ASA over SSH with your username and password.
Step 2: Configure Capture
Run the command below to define the capture and its match condition (protocol, host and port):
capture <name> match <tcp|udp> host <host ip address> any eq <port number>
edledge-asa#
edledge-asa# conf t
edledge-asa(config)# capture edledge.com match tcp host 192.168.1.11 any eq 80
Step 3: Start Capture
Once the capture conditions from the previous step are in place, bind the capture to an interface to start capturing. Captures consume memory, so check memory utilisation before enabling captures with a large buffer.
capture <name> interface <interface name>
edledge-asa#
edledge-asa# conf t
edledge-asa(config)# capture edledge.com interface inside
Step 4: Confirm Capture
Run the command shown below to confirm that packets are being captured.
edledge-asa#
edledge-asa# conf t
edledge-asa(config)# show capture
capture asa_dataplace type raw-data interface asa_dataplane [Capturing - 1722 bytes]
match tcp host 192.168.1.11 any eq www
Step 5: Show Capture
Run the command shown below to display the captured packets.
show capture <name>
edledge-asa#
edledge-asa# conf t
edledge-asa(config)# show capture edledge.com
6 packets captured
1: 23:23:46.920286 192.168.5.11.1446 > 7.12.224.225.80: P 2805145837:2805145563(726) ack 914514553 win 499
2: 23:23:46.920454 192.168.5.11.1445 > 7.125.224.225.80: P 914545753:914514524(471) ack 2805145563 win 16384
3: 23:23:47.922346 7.12.224.225.80 > 192.168.5.11.1446 P 2805455563:2801336289(726) ack 914136454 win 499
4: 23:23:47.922452 192.168.5.11.1446 > 7.12.224.225.80: ack 914545224 win 499
5: 23:23:48.923826 7.12.224.225.80 > 192.168.5.11.1445 P 914416454:914516695(471) ack 2915145289 win 16387
6: 23:23:48.924039 192.168.5.11.1445 > 7.12.224.225.80 ack 914414595 win 496
6 packets shown
Step 6: Copy Captured Packets
Copy the captured packets off the firewall for further analysis in a tool such as Wireshark. Follow the steps below to copy the capture using TFTP.
edledge-asa#
edledge-asa# conf t
edledge-asa(config)# copy /pcap capture:edledge.com tftp:
Source capture name [edledge.com]? [PRESS ENTER]
Address or name of remote host []? 192.168.1.5
Destination filename [edledge.com]? [PRESS ENTER]
!!!!!!!
188 packets copies in 0.59 secs
You can now open the copied file in a tool such as Wireshark to analyse the captured packets.
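As an added example (not part of the original article), the script below parses the tcpdump-style lines that show capture <name> prints on the ASA and summarises packets and payload bytes per flow, which helps decide whether a capture is worth exporting over TFTP. The sample output is constructed to mirror the format shown above; the addresses in it are assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show capture <name>" output (addresses are made up).
# Note the ASA sometimes omits the ":" after the destination port.
SAMPLE = """6 packets captured
1: 23:23:46.920286 192.168.1.11.1446 > 203.0.113.25.80: P 2805145837:2805145563(726) ack 914514553 win 499
2: 23:23:46.920454 192.168.1.11.1445 > 203.0.113.25.80: P 914545753:914514524(471) ack 2805145563 win 16384
3: 23:23:47.922346 203.0.113.25.80 > 192.168.1.11.1446 P 2805455563:2801336289(726) ack 914136454 win 499
4: 23:23:47.922452 192.168.1.11.1446 > 203.0.113.25.80: ack 914545224 win 499
5: 23:23:48.923826 203.0.113.25.80 > 192.168.1.11.1445 P 914416454:914516695(471) ack 2915145289 win 16387
6: 23:23:48.924039 192.168.1.11.1445 > 203.0.113.25.80 ack 914414595 win 496
6 packets shown
"""

# index, timestamp, src.port > dst.port[:] then flags/seq/ack/win
LINE_RE = re.compile(
    r"^(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):?\s+(?P<rest>.*)$"
)

@dataclass(frozen=True)
class Packet:
    index: int
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int  # bytes from the "(N)" after the seq range; 0 for pure ACKs

def parse_show_capture(text):
    """Return one Packet per packet line; header/trailer lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size = re.search(r"\((\d+)\)", m["rest"])
        packets.append(Packet(int(m["idx"]), m["ts"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), int(size.group(1)) if size else 0))
    return packets

def flow_summary(packets):
    """(packet count, payload bytes) per bidirectional flow, keyed by sorted endpoints."""
    summary = {}
    for p in packets:
        key = tuple(sorted([f"{p.src}:{p.sport}", f"{p.dst}:{p.dport}"]))
        count, nbytes = summary.get(key, (0, 0))
        summary[key] = (count + 1, nbytes + p.payload_len)
    return summary
```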
Source: Knowledge Base, Internet, Cisco
EA00140