How to configure a packet capture in the Cisco ASA

So you want to learn how to capture packets with the Cisco ASA? Are you looking for some easy-to-follow instructions to assist with capturing packets? Well then, you're in the right place! Here you will learn how to set up a packet capture on the Cisco ASA and view it via the CLI or via a web browser. I'll also explain how to save the ASA packet capture as a .pcap file and view it with Wireshark.

In order to capture packets in the Cisco ASA you’ll need to configure the following:

  1. Access list
  2. Capture list

The access list specifies which IP addresses you want in the packet capture. You can make the access list for the packet capture as long as you like; just keep in mind that the file size can grow quickly, which makes the packet capture analysis difficult.

Example of the access list:

access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5
access-list captured line 3 extended permit ip host 10.80.28.4 host 10.80.2.10
access-list captured line 4 extended permit ip host 10.80.2.10 host 10.80.28.4

The capture list specifies the interface and the packet length to capture for later analysis and review.

Example of the capture access list:

capture captured access-list captured interface outside packet-length 1522
capture captured access-list captured interface inside packet-length 1522

You can view the packet capture on the Cisco ASA in one of two ways: via a web browser or via the console. To view the packet capture on the Cisco ASA via the console, enter the following command:

show capture captured

Or view the packet capture via a web browser, and optionally save it and view it in Wireshark:

https://192.168.1.1/admin/capture/captured

where 192.168.1.1 is the IP address of your Cisco ASA inside interface.

Add /pcap to the end of the URL and the capture will download as a .pcap file, which can then be analyzed in Wireshark.
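Once the .pcap file is downloaded, a quick script can confirm that both directions of each host pair in the access list were actually captured and that no frames were clipped by the packet-length setting. The following is an added example, not part of the original post; it assumes the file is in classic libpcap format with an Ethernet link type, and the function names and the sample capture are constructed for illustration.

```python
import socket
import struct
from collections import Counter

def summarize_pcap(data):
    """Return (packet count per (src, dst) IPv4 pair, frames clipped by packet-length)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type (1)")
    flows, truncated, off = Counter(), 0, 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_usec, captured length, original length.
        caplen, origlen = struct.unpack(end + "II", data[off + 8:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < caplen:
            break  # file ends mid-record
        if caplen < origlen:
            truncated += 1  # frame was longer than the capture's packet-length
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not an untagged IPv4 frame
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        flows[(src, dst)] += 1
    return flows, truncated

def one_way(flows):
    """Directions seen in the capture with no traffic in the reverse direction."""
    return sorted(k for k in flows if (k[1], k[0]) not in flows)

def _frame(src, dst, payload_len=0):
    # Constructed Ethernet + IPv4 frame with zeroed MACs and checksum.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def build_sample():
    # Constructed capture using the article's addresses; not real traffic.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1522, 1)
    recs = [("10.80.28.5", "10.80.2.10", 0, 0), ("10.80.2.10", "10.80.28.5", 0, 0),
            ("10.80.28.5", "10.80.2.10", 0, 0), ("10.80.28.4", "10.80.2.10", 1488, 78)]
    for src, dst, payload_len, clipped in recs:
        f = _frame(src, dst, payload_len)
        out += struct.pack("<IIII", 0, 0, len(f), len(f) + clipped) + f
    return out

if __name__ == "__main__":
    print(summarize_pcap(build_sample()))
```

To run it against a real download, read the file in binary mode and pass the bytes to summarize_pcap.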

To remove all the packet capture commands enter the following commands:

clear configure access-list captured
no capture captured

Here is the full list of commands needed to configure, view, and remove a packet capture on the Cisco ASA.

access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5
access-list captured line 3 extended permit ip host 10.80.28.4 host 10.80.2.10
access-list captured line 4 extended permit ip host 10.80.2.10 host 10.80.28.4
capture captured access-list captured interface outside packet-length 1522
capture captured access-list captured interface inside packet-length 1522
show capture captured

clear configure access-list captured
no capture captured

I hope this helps anyone trying to figure out how to configure the Cisco ASA to capture packets. If you know of any other simple methods to capture and view packets with Cisco gear, please post them in the comments section.

  • Comments (4)
    • Jay
    • September 25th, 2008

    What if you are running multiple contexts? I can capture but I can save to pcap or view it through https. The contexts do have access to https

    • Kurt
    • October 1st, 2008

    Jay
    each context should have its own internal interface which may or may not be local to your PC -
    so what is your issue? You can’t access the context from your PC via https? Also check your URL to make sure all is good

    • Ash
    • June 2nd, 2009

    For ASDM users, you can use Wizards > Packet Capture Wizard

  1. hey thanks Ash!