Configuring Packet Capture or PCAP on Cisco ASA Firewalls – CLI


Scenario:
Make: Cisco
Model: ASA 5506-X, ASA 5506 W-X, ASA 5508-X, Cisco ASA 5500 Series
Mode: CLI [SSH]
Version: ASA version 9.x or later
Description: In this article we walk through, step by step, how to run a packet capture (PCAP) on a Cisco ASA firewall from the CLI. The same capture can also be configured through the GUI (ASDM).

Introduction

Packet capture is useful for troubleshooting connectivity problems or monitoring suspicious activity. You can also define multiple captures at once to analyse different types of traffic on multiple interfaces.

In this example we want to capture packets from a client on the inside interface with IP 192.168.1.11; the outside address is 101.202.303.404.

Configure Packet Capture with the CLI

Step1: Login
SSH onto the Cisco ASA using your username and password.

SSH 10.1

Step2: Configure Capture
Run the command below to define the capture and the traffic it should match (the filter is stored, but nothing is captured until the capture is applied to an interface in the next step).
capture <name> match <tcp|udp> host <ip address of host> any eq <port number>

edledge-asa#
edledge-asa# conf t
edledge-asa(config)# capture edledge.com match tcp host 192.168.1.11 any eq 80

Step3: Start Capture
Once the match conditions are configured in the previous step, apply the capture to an interface to start capturing. Active captures consume memory, so check memory utilization before enabling a capture with a large buffer.

capture <name> interface <interface name>

edledge-asa#
edledge-asa# conf t
edledge-asa(config)# capture edledge.com interface inside

Step4: Confirm Capture
Run the command shown below to confirm that packets are being captured.

edledge-asa#
edledge-asa# conf t
edledge-asa(config)# show capture
capture asa_dataplane type raw-data interface asa_dataplane [Capturing - 1722 bytes]
match tcp host 192.168.1.11 any eq www

Step5: Show Capture
Run the command shown below to display the captured packets.

show capture <name>

edledge-asa#
edledge-asa# conf t
edledge-asa(config)# show capture edledge.com
6 packets captured
1: 23:23:46.920286 192.168.5.11.1446 > 7.12.224.225.80: P 2805145837:2805145563(726) ack 914514553 win 499
2: 23:23:46.920454 192.168.5.11.1445 > 7.125.224.225.80: P 914545753:914514524(471) ack 2805145563 win 16384
3: 23:23:47.922346 7.12.224.225.80 > 192.168.5.11.1446 P 2805455563:2801336289(726) ack 914136454 win 499
4: 23:23:47.922452 192.168.5.11.1446 > 7.12.224.225.80: ack 914545224 win 499
5: 23:23:48.923826 7.12.224.225.80 > 192.168.5.11.1445 P 914416454:914516695(471) ack 2915145289 win 16387
6: 23:23:48.924039 192.168.5.11.1445 > 7.12.224.225.80 ack 914414595 win 496
6 packets shown
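The `show capture <name>` output above is plain text, so it can be checked over SSH before (or instead of) exporting a pcap. The following is an added example, not part of the original article: a small parser that turns that output into records and summarises the flows, so you can verify the capture actually holds the traffic you expect (the sample output and all addresses in it are constructed in the ASA's format).

```python
import re

# One `show capture` packet line: "<n>: <time> <src>.<sport> > <dst>.<dport>[:] <flags> <seq>:<seq>(<len>) ack <n> win <n>"
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):?\s*(?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"^(?P<flags>[SPFRU.]+)\s")      # absent on a pure ACK line
PAYLOAD_RE = re.compile(r"\d+:\d+\((?P<len>\d+)\)")   # seq:seq(payload length)
ACK_RE = re.compile(r"\back (?P<ack>\d+)")
WIN_RE = re.compile(r"\bwin (?P<win>\d+)")
COUNT_RE = re.compile(r"^(?P<n>\d+) packets (?P<what>captured|shown)$")

# Constructed sample in the ASA's output format (addresses and counters are invented).
SAMPLE = """6 packets captured
1: 23:23:46.920286 192.168.1.11.1446 > 203.0.113.10.80: P 2805145837:2805146563(726) ack 914514553 win 499
2: 23:23:46.920454 192.168.1.11.1445 > 203.0.113.10.80: P 914545753:914546224(471) ack 2805145563 win 16384
3: 23:23:47.922346 203.0.113.10.80 > 192.168.1.11.1446 P 914514553:914515279(726) ack 2805146563 win 499
4: 23:23:47.922452 192.168.1.11.1446 > 203.0.113.10.80: ack 914515279 win 499
5: 23:23:48.923826 203.0.113.10.80 > 192.168.1.11.1445 P 2805145563:2805146034(471) ack 914546224 win 16387
6: 23:23:48.924039 192.168.1.11.1445 > 203.0.113.10.80 ack 2805146034 win 496
6 packets shown
"""

def parse_capture(text):
    """Return (packets, counts): one dict per packet line, plus the
    'captured'/'shown' totals the ASA prints around the list."""
    packets, counts = [], {}
    for line in text.splitlines():
        c = COUNT_RE.match(line.strip())
        if c:
            counts[c["what"]] = int(c["n"])
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts, blank lines, anything that is not a packet line
        rest = m["rest"]
        f, p = FLAGS_RE.match(rest), PAYLOAD_RE.search(rest)
        a, w = ACK_RE.search(rest), WIN_RE.search(rest)
        packets.append({
            "idx": int(m["idx"]), "ts": m["ts"],
            "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"]),
            "flags": f["flags"] if f else "", "len": int(p["len"]) if p else 0,
            "ack": int(a["ack"]) if a else None, "win": int(w["win"]) if w else None,
        })
    return packets, counts

def summarize_flows(packets):
    """Group packets into bidirectional flows (key: sorted endpoint pair) with packet and payload-byte totals."""
    flows = {}
    for pkt in packets:
        key = tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))
        entry = flows.setdefault(key, {"packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += pkt["len"]
    return flows
```

If `len(packets)` differs from the `shown` count, the output was truncated or the paging prompt interfered with the copy; re-run the command with `terminal pager 0` or compare against the exported pcap instead.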

Step6: Copy Captured Packet
Copy the captured packets off the firewall for further analysis in a tool such as Wireshark. Follow the steps below to copy the capture to a TFTP server in pcap format.

edledge-asa#
edledge-asa# conf t
edledge-asa(config)# copy /pcap capture:edledge.com tftp:
Source capture name [edledge.com]? [PRESS ENTER]
Address or name of remote host []? 192.168.1.5
Destination filename [edledge.com]? [PRESS ENTER]
!!!!!!!
188 packets copied in 0.59 secs

You could now use tools such as Wireshark to analyse the captured packets.


Source: Knowledge Base, Internet, Cisco

EA00140
