!- Capture with an access list applied: it keeps the capture buffer small and spares you wading through unrelated traffic when you review it. Define the access list on the ASA, then bind it to a capture on the interface that sees the offending traffic. The two entries below catch everything to and from the host 172.16.1.1 in both directions:
#access-list p extended permit ip any host 172.16.1.1
#access-list p extended permit ip host 172.16.1.1 any
#cap p-cap access-list p interface inside
!- Show the running capture and dump its contents to the CLI:
#sh capture p-cap
!- The same buffer can be read in a browser. The ASA's HTTPS server must be enabled (the same "http server enable" / "http <network> <mask> <interface>" setup that ASDM uses) and you will be prompted for an administrator login. Browse to:
https://<ASA IP Address>/admin/capture/<capturename>
This works well for a quick look, but what about a more detailed analysis with something like Wireshark? Browse to:
https://<ASA IP Address>/admin/capture/<capturename>/PCAP
This prompts you to save or open a file. Save it with the ".pcap" extension and open it in Wireshark. Export first, then tear down: when you are done you can (and should!) remove the capture with the negated "no" form of the command. Note that this deletes the capture and its buffer together, so anything you have not already pulled down is gone. If you only want to stop collecting but keep the buffer for review, append the interface name to the same command ("no capture <capturename> interface <nameif>").
#no capture <capturename>
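Once the .pcap is on your workstation it is worth checking that the export really contains only what the access list permits, and whether the ASA trimmed frames (packet-length or headers-only) so you know when payload is missing rather than never sent. The script below is an added example, not part of the original post: it builds a constructed sample pcap (three frames, one of them deliberately outside the ACL and one stored headers-only), parses the libpcap framing, and audits every frame against the same two entries as the page's access list. The host 172.16.1.1 comes from the page; the sample addresses, frame contents and function names are my own.

```python
import ipaddress
import struct

ACL_HOST = "172.16.1.1"  # the host named in the page's access-list entries


def build_frame(src_ip, dst_ip, payload=b""):
    """Minimal Ethernet II + IPv4 frame (constructed sample; IP checksum left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 1, 0x4000, 64, 6, 0,
        ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed,
    )
    return eth + ip_hdr + payload


def build_sample_pcap(snaplen=1518):
    """Constructed stand-in for the ASA's /PCAP export: two ACL matches, one stray frame,
    and one frame stored headers-only so incl_len < orig_len (as packet-length would do)."""
    records = [
        (build_frame("192.168.5.20", ACL_HOST, b"A" * 40), None),
        (build_frame(ACL_HOST, "192.168.5.20", b"B" * 200), 54),
        (build_frame("10.0.0.5", "10.0.0.6", b"C" * 10), None),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # link type 1 = Ethernet
    for i, (frame, keep) in enumerate(records):
        stored = frame if keep is None else frame[:keep]
        out += struct.pack("<IIII", 1700000000 + i, 0, len(stored), len(frame)) + stored
    return out


def parse_pcap(data):
    """Yield (incl_len, orig_len, frame) for each libpcap record; accepts either byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic %s)" % data[:4].hex())
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != 1:
        raise ValueError("expected Ethernet (link type 1), got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def ipv4_endpoints(frame):
    """(src, dst) strings for an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34]))


def matches_acl(src, dst, host=ACL_HOST):
    """Same test as the two ACEs on the page:
    permit ip any host <host>  /  permit ip host <host> any."""
    return dst == host or src == host


def audit_capture(data, host=ACL_HOST):
    """Count frames, ACL matches and truncated records, and list the endpoints of any
    frame the access list should never have let into the buffer."""
    result = {"total": 0, "matched": 0, "truncated": 0, "unmatched": []}
    for incl_len, orig_len, frame in parse_pcap(data):
        result["total"] += 1
        if incl_len < orig_len:
            result["truncated"] += 1
        ends = ipv4_endpoints(frame)
        if ends and matches_acl(*ends, host=host):
            result["matched"] += 1
        else:
            result["unmatched"].append(ends)
    return result


if __name__ == "__main__":
    print(audit_capture(build_sample_pcap()))
```

Against a real export, feed the saved file instead of the constructed one: `audit_capture(open("p-cap.pcap", "rb").read())`. A non-empty "unmatched" list means the ACL bound to the capture is not the one you think it is; a non-zero "truncated" count tells you to expect Wireshark to show frames cut short.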
Be sure to check the inline help for this command with "?". There are plenty of fine-tuning options to accommodate your capturing needs:
# capture TEST ?
access-list Capture packets that match access-list
buffer Configure size of capture buffer, default is 512 KB
circular-buffer Overwrite buffer from beginning when full, default is non-circular
ethernet-type Capture Ethernet packets of a particular type, default is IP
headers-only Capture only L2, L3 and L4 headers of packet without data in them
interface Capture packets on a specific interface
match Capture packets matching five-tuple
packet-length Configure maximum length to save from each packet, default is 1518 bytes
real-time Display captured packets in real-time. Warning: using this option with a slow console connection may result in an excessive amount of non-displayed packets due to performance limitations.
trace Trace the captured packets
type Capture packets based on a particular type
########################################################################