How to configure a packet capture in the Cisco ASA

Are you tired of having to Google search every time you need to configure your firewall or router? Take your Cisco skills to the next level in short order with Transcender. They offer free practice exams and an exam pass guarantee; it worked for me, or else I wouldn't recommend them!

So you want to learn how to capture packets with the Cisco ASA? Are you looking for some easy-to-follow instructions to assist with capturing packets? Well then, you're in the right place! Here you will learn how to set up a packet capture on the Cisco ASA and view it via the CLI or via a web browser. I'll also explain how to save the ASA packet capture as a .pcap file and view it with Wireshark.

In order to capture packets in the Cisco ASA you’ll need to configure the following:

  1. Access list
  2. Capture list

The access list specifies which IP addresses (and, optionally, which protocol and port) you want in the packet capture. This access list is used only as a match filter by the capture; it is not applied to any interface and does not permit or block traffic. You can make the access list as long as you like, just keep in mind that the capture can get large quickly, making the packet capture analysis difficult.

Example of the access list:

access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5
access-list captured line 3 extended permit ip host 10.80.28.4 host 10.80.2.10
access-list captured line 4 extended permit ip host 10.80.2.10 host 10.80.28.4

The capture command binds the access list to an interface and sets the maximum number of bytes stored per packet (packet-length). The same capture name can be applied to more than one interface, so both sides of a flow through the firewall land in one capture that you can review and analyze.

Example of the capture command:

capture captured access-list captured interface outside packet-length 1522
capture captured access-list captured interface inside packet-length 1522

You can view the packet capture on the Cisco ASA in one of two ways: via a web browser or via the CLI. To view the packet capture via the CLI, enter the following command:

show capture captured

Or view the packet capture via a web browser and optionally save it and view it in Wireshark:

https://192.168.1.1/admin/capture/captured

where 192.168.1.1 is the IP address of your Cisco ASA inside interface (HTTPS management must be enabled on that interface, and you log in with the same credentials you use for ASDM),

and append /pcap (https://192.168.1.1/admin/capture/captured/pcap) and it will download as a .pcap file which can then be analyzed in Wireshark.
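As an added example (not part of the original post), the following Python script checks a .pcap downloaded from the /pcap URL before you open it in Wireshark: it confirms the file really is a libpcap capture rather than, say, the HTML of a login page, reports the snaplen (which should equal the packet-length you configured) and lists the IPv4 endpoints of each frame so you can confirm the access list matched what you intended. The embedded sample file is constructed by the script itself, not a real ASA capture; only the host addresses are taken from the article.

```python
"""Sanity-check a .pcap downloaded from https://<asa>/admin/capture/<name>/pcap.

Added example, not from the original post. Validates the libpcap header,
reports the snaplen (should equal the capture's packet-length) and decodes
the IPv4 endpoints of each frame. The sample file is constructed below.
"""
import struct
from typing import Dict, List, Tuple

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def _decode_ipv4(frame: bytes, linktype: int) -> Tuple[str, str, int]:
    """Return (src, dst, protocol) for an Ethernet/IPv4 frame, else ("", "", -1)."""
    if linktype != LINKTYPE_ETHERNET or len(frame) < 14 + 20:
        return "", "", -1
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return "", "", -1
    ip = frame[14:]
    if ip[0] >> 4 != 4 or (ip[0] & 0x0F) < 5:      # not IPv4 / bogus header length
        return "", "", -1

    def dotted(b: bytes) -> str:
        return ".".join(str(x) for x in b)

    return dotted(ip[12:16]), dotted(ip[16:20]), ip[9]


def parse_pcap(data: bytes) -> Dict:
    """Parse a classic libpcap file; raise ValueError if it is not one."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("too short for a pcap file (empty capture or HTML error page?)")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"          # little-endian writer
    elif magic == 0xD4C3B2A1:
        end = ">"          # big-endian writer
    else:
        raise ValueError(f"bad magic {magic:#010x}: not a pcap file, check the URL and login")
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    packets: List[Dict] = []
    off = GLOBAL_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(data):
        _sec, _usec, incl, orig = struct.unpack(end + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        frame = data[off:off + incl]
        if len(frame) != incl:
            raise ValueError(f"record at offset {off} is truncated: download incomplete?")
        off += incl
        src, dst, proto = _decode_ipv4(frame, linktype)
        packets.append({"src": src, "dst": dst, "proto": proto,
                        "captured": incl, "wire": orig, "sliced": incl < orig})
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype, "packets": packets}


def unexpected_endpoints(info: Dict, expected_hosts) -> List[Tuple[str, str]]:
    """IPv4 endpoints outside the capture ACL's hosts; non-empty means the ACL is wider than intended."""
    allowed = set(expected_hosts)
    return [(p["src"], p["dst"]) for p in info["packets"]
            if p["src"] and (p["src"] not in allowed or p["dst"] not in allowed)]


def build_sample_pcap() -> bytes:
    """Constructed sample (not real data): SYN 10.80.28.5 -> 10.80.2.10:25 and the SYN/ACK back."""
    def frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
        eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
        return eth + ip + tcp

    frames = [frame("10.80.28.5", "10.80.2.10", 40000, 25, 0x02),
              frame("10.80.2.10", "10.80.28.5", 25, 40000, 0x12)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1522, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    info = parse_pcap(data)
    print(f"pcap v{info['version'][0]}.{info['version'][1]} snaplen={info['snaplen']} "
          f"linktype={info['linktype']} packets={len(info['packets'])}")
    for p in info["packets"]:
        print(f"  {p['src']:>15} -> {p['dst']:<15} proto={p['proto']} "
              f"{p['captured']}/{p['wire']} bytes{' (sliced)' if p['sliced'] else ''}")
```

Run it with the downloaded file as the only argument; with no argument it parses the constructed sample. A "sliced" flag on many packets means packet-length was smaller than the frames on the wire, so raise it (or accept that payloads are cut) before re-running the capture.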

To remove the packet capture and its access list, enter the following commands:

clear configure access-list captured
no capture captured

To empty the capture buffer without removing the capture (for example, before reproducing a problem), use clear capture captured.

Here is the full list of commands needed to configure a packet capture on the Cisco ASA:

access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5
access-list captured line 3 extended permit ip host 10.80.28.4 host 10.80.2.10
access-list captured line 4 extended permit ip host 10.80.2.10 host 10.80.28.4
capture captured access-list captured interface outside packet-length 1522
capture captured access-list captured interface inside packet-length 1522
show capture captured

clear configure access-list captured
no capture captured
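The command list above is the output of a fixed pattern: one permit line per direction for every pair of hosts, then one capture line per interface, then the cleanup. The following Python helper, added here and not part of the original post, generates that sequence for any list of host pairs and also handles the port-filtered variant: when you restrict to a TCP or UDP port, the reply direction has to match that port as the source port, because the ASA extended ACL syntax is permit <protocol> <source> [<source port>] <destination> [<destination port>]. The names (captured, the interface names, 1522) are the article's; the function and parameter names are the example's own.

```python
"""Generate the Cisco ASA packet-capture commands shown in the article.

Added example, not from the original post. Produces, for any set of host
pairs, the bidirectional access-list lines, the capture lines (one per
interface) and the cleanup commands. With proto="tcp"/"udp" and a port,
the reply direction is matched on the *source* port.
"""
from ipaddress import ip_address
from typing import Iterable, List, Optional, Tuple


def _host(addr: str) -> str:
    """Render one host for an ASA extended ACL, rejecting malformed input."""
    return f"host {ip_address(addr)}"  # ValueError on anything that is not an IP


def capture_config(
    acl_name: str,
    capture_name: str,
    pairs: Iterable[Tuple[str, str]],
    interfaces: Iterable[str] = ("outside", "inside"),
    packet_length: int = 1522,
    proto: str = "ip",
    port: Optional[int] = None,
) -> List[str]:
    """Return the access-list and capture commands for the given host pairs."""
    if port is not None:
        if proto not in ("tcp", "udp"):
            raise ValueError("a port filter needs proto='tcp' or 'udp'")
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
    lines: List[str] = []
    n = 1
    for a, b in pairs:
        if port is None:
            fwd = f"permit {proto} {_host(a)} {_host(b)}"
            rev = f"permit {proto} {_host(b)} {_host(a)}"
        else:
            # request a -> b:port; reply b:port -> a, so on the reverse line the
            # port operator sits in the source position, before the destination
            fwd = f"permit {proto} {_host(a)} {_host(b)} eq {port}"
            rev = f"permit {proto} {_host(b)} eq {port} {_host(a)}"
        for entry in (fwd, rev):
            lines.append(f"access-list {acl_name} line {n} extended {entry}")
            n += 1
    for ifc in interfaces:
        lines.append(
            f"capture {capture_name} access-list {acl_name} "
            f"interface {ifc} packet-length {packet_length}"
        )
    return lines


def cleanup_config(acl_name: str, capture_name: str) -> List[str]:
    """Commands that undo capture_config (the capture first, then the ACL it referenced)."""
    return [f"no capture {capture_name}", f"clear configure access-list {acl_name}"]


if __name__ == "__main__":
    pairs = [("10.80.28.5", "10.80.2.10"), ("10.80.28.4", "10.80.2.10")]
    print("\n".join(capture_config("captured", "captured", pairs)))
    print("! mail-only variant for the first pair")
    print("\n".join(capture_config("captured", "captured", pairs[:1], proto="tcp", port=25)))
    print("\n".join(cleanup_config("captured", "captured")))
```

Paste the printed lines into configuration mode on the ASA; the generator rejects a port filter combined with proto="ip", because an IP-level entry has no port to match.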

I hope this helps anyone trying to figure out how to configure the Cisco ASA to capture packets. If you know of any other simple methods to capture and view packets with Cisco gear, please post them in the comments section.

  • Comments (28)
    • Jay
    • September 25th, 2008

    What if you are running multiple contexts? I can capture, but I can't save to pcap or view it through HTTPS. The contexts do have access to HTTPS.

    • Kurt
    • October 1st, 2008

    Jay,
    each context should have its own internal interface, which may or may not be local to your PC,
    so what is your issue? You can't access the context from your PC via HTTPS? Also check your URL to make sure all is good.

    • Ash
    • June 2nd, 2009

    For ASDM users, you can use Wizards > Packet Capture Wizard.

  1. Hey, thanks Ash!

    • f1reman
    • February 10th, 2010

    Thanks for this excellent article really helped me out.

    • G
    • April 13th, 2010

    Hi,

    Apologies if I sound like I have no idea what I am talking about.

    How would you configure your Cisco firewall to dump all the packets for a particular port number to a share on the network?

    Thanks for your help.

    Regards,
    G

  2. @G

    Just change the access list for the packet capture:

    access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
    access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5

    change that to

    access-list captured line 1 extended permit tcp host 10.80.28.5 host 10.80.2.10 eq 53
    access-list captured line 2 extended permit tcp host 10.80.2.10 host 10.80.28.5 eq 53

    All I did was change the IP to TCP and then tell the access list which port by appending eq 53 to the end. The number after eq can be whatever port you want to monitor.

    • so awesome
    • April 26th, 2010

    Very good info sir, thank you!

    • rinku
    • June 30th, 2010

    How can I apply port-based bidirectional captures on an ASA 5505?

      • Kurt Turner
      • March 21st, 2011

      Same as above; just expand on the access list. Try, try and try again. Let me know if you still can't figure it out.

    • Kurt
    • June 30th, 2010

    @rinku

    Ports are harder to capture because you won't know the response port, so just specify the destination port in line one, for example, or just specify IP only and then you can sort on port number with Wireshark. Bidirectional is going to take place regardless: line 1 is traffic to, and line 2 is traffic from.

    So in the example below, line one looks for 10.80.28.5 to send mail from 10.80.2.10;
    line two is going to capture the response packets.

    Again though, I recommend doing just a straight IP ACL and not port-specific.

    access-list captured line 1 extended permit tcp host 10.80.28.5 host 10.80.2.10 eq 25
    access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5

    • Ed
    • December 1st, 2010

    Sorry, I am new to this!

    How would I configure the firewall to capture all data through a particular interface or all traffic through the device (port mirror, sniffer)?

    Thank you for the help.

  3. ED

    access-list captured permit ip any any
    capture captured access-list captured interface outside packet-length 1522
    capture captured access-list captured interface inside packet-length 1522

    This would capture all data from and to the inside and outside interfaces.

    • Ed
    • December 1st, 2010

    @kurt

    That worked great.

    Thanks again!!

    • cp
    • December 2nd, 2010

    How do you clear the capture buffer?

    • cp
    • December 2nd, 2010

    sorry I see how.

    • winblowz
    • December 5th, 2010

    what if you are not a GUI monkey and want to transfer the real pcap file to a host all from CLI?

    • kurt
    • December 5th, 2010

    @winblowz

    What? lol

    You have to open and save the pcap from an internet browser; this is the only way to save the pcap off the ASA.

    PS:
    this is all CLI, no GUI =)

    • Bert-Jan
    • February 3rd, 2011

    Not completely true; to get the file from the CLI use copy:
    copy capture: ?

    cache: Copy to cache: file system
    disk0: Copy to disk0: file system
    disk1: Copy to disk1: file system
    flash: Copy to flash: file system
    ftp: Copy to ftp: file system
    smb: Copy to smb: file system
    system: Copy to system: file system
    tftp: Copy to tftp: file system

    • daniel lynch
    • March 22nd, 2011

    I'm trying to do the same thing you told Ed:

    access-list captured permit ip any any
    capture captured access-list captured interface outside packet-length 1522
    capture captured access-list captured interface inside packet-length 1522

    This would capture all data from and to the inside and outside interfaces.

    If I added these ACLs, would all my traffic still flow like normal, so nothing is stopped?

    Also, for my ASA 5520, we have 4 ports; int gi 0/3 (labeled Sniffer) is not being used. I would like this to be the sniffer port, as I already have a cable going from it to the server port with the sniffer software installed.
    Am I reading your access lists wrong? I just see the ASA capturing from both the inside int and the outside int, but not outputting which interface you would like to have the captured data sent to.

    How would I go about sending the captured data via my int gi 0/3 to the sniffer port on the server?

      • Kurt Turner
      • March 22nd, 2011

      The ACL will not stop traffic; however, if you have a large amount of production traffic it's going to have some performance impact. I would try to limit it to IP addresses.

      I've never set up a port monitor or SPAN on an ASA; not sure if you can. Just do the capture like I said and then open it up in a web browser to download the pcap; then you can open the pcap in your sniffer.

    • jaykay
    • April 16th, 2011

    Hi guys,

    Sure, you can set up port mirroring on the ASA; see here:

    http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1411559

    Best,

    jaykay

      • Kurt Turner
      • April 18th, 2011

      @jaykay

      Thanks jaykay. Here are the commands to set up a port monitor the old-school way, just like we do on our switches:

      hostname(config)# interface ethernet 0/1
      hostname(config-if)# switchport monitor ethernet 0/0
      hostname(config-if)# switchport monitor ethernet 0/2

      So with this you'll plug your laptop or PC into port ethernet 0/1; all traffic from 0/0 and 0/2 will be pushed to 0/1. Set up Wireshark to monitor traffic and there you go.

    • Anil
    • October 13th, 2011

    If I captured the data, I want the meaning of each reply,
    e.g. S - SYN
    A - ACK
    R - reset etc.
    If a reset comes from the source, then what does it mean, and if it comes from the destination, then what does that mean?

    Can anyone share this in detail?


    • Reset means the connection is being closed, the two devices are communicating properly, and the information/communication exchange is completed.

    • rajesh
    • February 1st, 2012

    There is a command through which you can import captured packets onto your system from the CLI console:

    copy /pcap capture: tftp:

    I hope this is helpful for you all.