Cisco ASA Packet Capture

The Cisco ASA includes a nice feature called “capture”. It does exactly what its name says: it captures traffic. From a managed service provider (MSP) perspective it is a valuable tool, since you can obtain a capture file without deploying a laptop or capture server to the customer premises. It provides data similar to “debug ip packet <acl-name>” on a Cisco router.

One caveat is that the traffic must traverse a layer 3 interface on the ASA. If you want to troubleshoot LAN-to-LAN connections within the same broadcast domain, you’re out of luck.

I suppose that it is possible to create a new VLAN, assign it to an interface and then build a SPAN session on a switch with the destination pointing to this port. Alas, I haven’t had the opportunity to try it.

Enough digressing.

Assuming that you are running version 8.2 or older (I haven’t touched 8.3 yet), you can start a capture in the following manner.

1. You need to create an access-list. I prefer extended ACLs to limit what I will receive in the capture. Notice that I am using object groups.

lab-firewall(config)#access-list capture1 extended permit icmp any object-group remote_peer
lab-firewall(config)#access-list capture1 extended permit icmp object-group remote_peer any
lab-firewall(config)#access-list capture1 extended permit ip any object-group remote_peer
lab-firewall(config)#access-list capture1 extended permit ip object-group remote_peer any

2. Next we will use the “capture” command in the following manner: “capture <capture-name> interface <interface-name> access-list <acl-name>”.

lab-firewall(config)# capture CAPTURE1 interface inside access-list capture1

4. You can execute “show capture” to review generic statistics about the capture. This will basically show if we have captured any bytes and regurgitate what you entered above.

lab-firewall# show capture
capture CAPTURE1 type raw-data access-list capture1 interface inside [Capturing - 820 bytes]

5. Executing “show capture <capture-name>” will show you the source, destination and window sizes.

lab-firewall# show capture CAPTURE1
18 packets captured
   1: 19:56:55.064785 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request
   2: 19:56:58.449393 802.1Q vlan#101 P0 192.168.4.111.2757 > 192.168.1.33.80: R 942165924:942165924(0) ack 3378665272 win 0
   3: 19:56:58.449668 802.1Q vlan#101 P0 192.168.4.111.2756 > 192.168.1.33.80: R 905288765:905288765(0) ack 3370140021 win 0
   4: 19:57:00.062542 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request
   5: 19:57:05.065609 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request

18 packets shown

6. Executing “show capture <capture-name> detail” will also display the MAC addresses, ethertype (0x8100 = dot1q) and TTL information.

lab-firewall# show capture CAPTURE1  detail
43 packets captured
   1: 19:56:55.064785 c47d.4f80.e900 0000.0c07.ac01 0x8100 78: 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request (ttl 128, id 27232)
   2: 19:56:58.449393 c47d.4f80.e900 0000.0c07.ac01 0x8100 58: 802.1Q vlan#101 P0 192.168.4.111.2757 > 192.168.1.33.80: R [tcp sum ok] 942165924:942165924(0) ack 3378665272 win 0 (DF) (ttl 128, id 40509)
   3: 19:56:58.449668 c47d.4f80.e900 0000.0c07.ac01 0x8100 58: 802.1Q vlan#101 P0 192.168.4.111.2756 > 192.168.1.33.80: R [tcp sum ok] 905288765:905288765(0) ack 3370140021 win 0 (DF) (ttl 128, id 40510)
   4: 19:57:00.062542 c47d.4f80.e900 0000.0c07.ac01 0x8100 78: 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request (ttl 128, id 27235)
   5: 19:57:05.065609 c47d.4f80.e900 0000.0c07.ac01 0x8100 78: 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request (ttl 128, id 27238)

7. Executing “show capture <capture-name> dump” will display the raw packet data in hex.

lab-firewall# show capture CAPTURE1 dump
81 packets captured
   1: 19:56:55.064785 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request
0x0000   0065 0800 4500 003c 6a60 0000 8001 e451        .e..E..<j`.....Q
0x0010   0afb 0839 cfba 0921 0800 e36d 0001 69ed        ...9...!...m..i.
0x0020   6162 6364 6566 6768 696a 6b6c 6d6e 6f70        abcdefghijklmnop
0x0030   7172 7374 7576 7761 6263 6465 6667 6869        qrstuvwabcdefghi
   2: 19:56:58.449393 802.1Q vlan#101 P0 192.168.4.111.2757 > 192.168.1.33.80: R 942165924:942165924(0) ack 3378665272 win 0
0x0000   0065 0800 4500 0028 9e3d 4000 8006 638f        .e..E..(.=@...c.
0x0010   cfb8 506f cfba 0921 0ac5 0050 3828 4fa4        ..Po...!...P8(O.
0x0020   c962 5738 5014 0000 0351 0000                  .bW8P....Q..
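As an added example (not code from the original post), here is a small Python decoder for the dump layout shown above: it joins the hex words of each line, ignores the ASCII gutter, and pulls out the fields the detail view prints (VLAN, TTL, IP id) plus the TCP ports, sequence numbers and flags. It relies on what the page's output shows, namely that the dump begins at the 802.1Q tag control word (0065 0800) rather than at the MAC addresses; the two sample dumps are constructed with RFC 1918 addresses and recomputed IP checksums, so they are not the page's own bytes.

```python
import re
import struct
# Constructed samples (RFC 1918 addresses, not the page's) in the layout of 'show capture <name> dump'.
ICMP_DUMP = """\
0x0000   0065 0800 4500 003c 6a60 0000 8001 fb63        .e..E..<j`.....c
0x0010   0afb 0839 c0a8 0121 0800 e36d 0001 69ed        ...9...!...m..i.
0x0020   6162 6364 6566 6768 696a 6b6c 6d6e 6f70        abcdefghijklmnop
0x0030   7172 7374 7576 7761 6263 6465 6667 6869        qrstuvwabcdefghi
"""
TCP_RST_DUMP = """\
0x0000   0065 0800 4500 0028 9e3d 4000 8006 d5b1        .e..E..(.=@.....
0x0010   c0a8 046f c0a8 0121 0ac5 0050 3828 4fa4        ...o...!...P8(O.
0x0020   c962 5738 5014 0000 0351 0000                  .bW8P....Q..
"""

def dump_to_bytes(dump: str) -> bytes:
    """Join the hex words of each '0xNNNN <words> <ascii>' line; the ASCII gutter is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        parts = re.split(r"\s{2,}", line.strip())     # offset, hex words, gutter
        if len(parts) < 2 or not parts[0].startswith("0x"):
            continue                                    # e.g. the packet summary line
        if int(parts[0], 16) != len(out):
            raise ValueError(f"non-contiguous offset {parts[0]}: a dump line is missing")
        out += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(out)

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum, computed with the checksum field zeroed."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header[:10] + b"\0\0" + header[12:]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_dump(dump: str) -> dict:
    """Decode the 802.1Q TCI (the dump omits MACs and the 0x8100 TPID), IPv4 header and TCP fields."""
    raw = dump_to_bytes(dump)
    tci, ethertype = struct.unpack("!HH", raw[:4])
    assert ethertype == 0x0800, f"not IPv4 (ethertype {ethertype:#06x})"
    info = {"vlan": tci & 0x0FFF, "ethertype": ethertype}
    ip, ihl = raw[4:], (raw[4] & 0x0F) * 4
    _, ident, frag, ttl, proto, csum = struct.unpack("!HHHBBH", ip[2:12])
    info.update(ttl=ttl, id=ident, proto=proto, df=bool(frag & 0x4000),
                src=".".join(map(str, ip[12:16])), dst=".".join(map(str, ip[16:20])),
                checksum_ok=csum == ipv4_checksum(ip[:ihl]))
    if proto == 6:                                      # TCP: ports, seq/ack, flag letters as tcpdump prints them
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
        flags = [n for n, bit in zip("FSRPAU", (1, 2, 4, 8, 16, 32)) if off_flags & bit]
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, flags="".join(flags))
    return info
```

Verifying the IPv4 header checksum is a cheap way to catch a dump that was mangled when it was pasted into a ticket or e-mail.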

8. If you want to skip to a certain section of the capture and display only a small number of packets, you can use the count and packet-number options.

lab-firewall# show capture CAPTURE1 count  5 packet-number 23
105 packets captured
  23: 19:57:41.670314 802.1Q vlan#101 P0 192.168.4.111.2760 > 192.168.1.33.80: S 650507319:650507319(0) win 65535 <mss 1380,nop,nop,sackOK>
  24: 19:57:41.732460 802.1Q vlan#101 P0 192.168.1.33.80 > 192.168.4.111.2760: S 3438734250:3438734250(0) ack 650507320 win 5840 <mss 1378,nop,nop,sackOK>
  25: 19:57:41.762808 802.1Q vlan#101 P0 192.168.4.111.2760 > 192.168.1.33.80: . ack 3438734251 win 65535
  26: 19:57:41.771429 802.1Q vlan#101 P0 192.168.4.111.2760 > 192.168.1.33.80: P 650507320:650507954(634) ack 3438734251 win 65535
  27: 19:57:41.837755 802.1Q vlan#101 P0 192.168.1.33.80 > 192.168.4.111.2760: . ack 650507954 win 6974