How to configure a packet capture in the Cisco ASA

So you want to learn how to capture packets with the Cisco ASA? Are you looking for some easy-to-follow instructions to assist with capturing packets? Well then, you're in the right place! Here you will learn how to set up a packet capture on the Cisco ASA and view it via the CLI or via a web browser. I'll also explain how to save the ASA packet capture as a .pcap file and view it with Wireshark.

Recommended reading list to further expand your brain on this subject:

In order to capture packets in the Cisco ASA you’ll need to configure the following:

  1. Access list
  2. Capture list

The access list specifies which IP addresses you want in the packet capture. You can make the access list for the packet capture as long as you like; just keep in mind that the capture file can get large quickly, which makes analysis of the packet capture difficult.

Example of the access list:

access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5
access-list captured line 3 extended permit ip host 10.80.28.4 host 10.80.2.10
access-list captured line 4 extended permit ip host 10.80.2.10 host 10.80.28.4

The capture list specifies the interface to capture on and the maximum length recorded for each packet, so the capture holds what you need for later analysis and review.

Example of the capture commands (bound to the access list above):

capture captured access-list captured interface outside packet-length 1522
capture captured access-list captured interface inside packet-length 1522
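The two steps above (one access-list line per direction for each host pair, then a capture bound to that access list on each interface) follow a fixed pattern, so as an added example, not code from the original post, here is a small Python generator that emits them together with the show and cleanup commands. It goes slightly beyond the post by also covering the port-specific variant discussed in the comments, where the port is placed only on the request direction because the reply's source port is not known in advance. The function names are my own; the host pairs and interface names are the post's example values, and the generated lines use the same command syntax the post uses.

```python
"""Emit the ASA access-list and capture commands from the post's pattern.

Added example, not from the original post. Function names (acl_lines,
capture_lines, cleanup_lines, build_capture_config) are my own; the
command syntax is the one the post uses.
"""
from typing import Iterable, List, Optional, Tuple


def acl_lines(acl: str, pairs: Iterable[Tuple[str, str]],
              proto: str = "ip", port: Optional[int] = None) -> List[str]:
    """Two permit lines per (client, server) pair, one per direction.

    If a port is given it is attached (eq <port>) only to the client->server
    line; the reply line stays plain 'ip' because the client's source port is
    ephemeral and not known in advance (the point made in the comments).
    """
    lines: List[str] = []
    for client, server in pairs:
        n = len(lines) + 1
        fwd = f"access-list {acl} line {n} extended permit {proto} host {client} host {server}"
        if port is not None:
            fwd += f" eq {port}"
            rev_proto = "ip"
        else:
            rev_proto = proto
        rev = f"access-list {acl} line {n + 1} extended permit {rev_proto} host {server} host {client}"
        lines += [fwd, rev]
    return lines


def capture_lines(name: str, acl: str, interfaces: Iterable[str],
                  packet_length: int = 1522) -> List[str]:
    """One capture statement per interface, all bound to the same ACL."""
    return [f"capture {name} access-list {acl} interface {ifc} packet-length {packet_length}"
            for ifc in interfaces]


def cleanup_lines(name: str, acl: str) -> List[str]:
    """Commands that remove the capture and its ACL again."""
    return [f"clear configure access-list {acl}", f"no capture {name}"]


def build_capture_config(name: str, pairs: Iterable[Tuple[str, str]], interfaces: Iterable[str],
                         proto: str = "ip", port: Optional[int] = None,
                         packet_length: int = 1522) -> List[str]:
    """Full command set in the order the post applies it (ACL name = capture name)."""
    return (acl_lines(name, pairs, proto, port)
            + capture_lines(name, name, interfaces, packet_length)
            + [f"show capture {name}"])


if __name__ == "__main__":
    # The post's example values, used here as constructed demo input.
    pairs = [("10.80.28.5", "10.80.2.10"), ("10.80.28.4", "10.80.2.10")]
    print("\n".join(build_capture_config("captured", pairs, ["outside", "inside"])))
    print("\n".join(cleanup_lines("captured", "captured")))
```

Running the script prints exactly the command set listed at the end of the post; pass `proto="tcp", port=25` to get the request-direction-only port filter from the comments.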

You can view the packet capture on the Cisco ASA in one of two ways: via a web browser or via the console. To view the packet capture via the console, enter the following command:

show capture captured

Or view the packet capture via a web browser and optionally save it and view it in Wireshark:

https://192.168.1.1/admin/capture/captured

where 192.168.1.1 is the IP address of your Cisco ASA inside interface (this uses the same HTTPS management server as ASDM, so it must be enabled and your host permitted to reach it).

Append /pcap to that URL and the capture downloads as a .pcap file, which can then be analyzed in Wireshark.
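As an added example, not code from the original post, here is a minimal Python reader for the downloaded .pcap that counts packets and bytes per flow and checks that both directions between a pair of hosts are present, which is what access-list lines 1 and 2 are meant to guarantee. It handles only the libpcap container with the Ethernet link type, IPv4, and TCP/UDP ports; the sample capture it runs on is constructed inline (a fake SMTP exchange between the post's example hosts), not a real ASA download, and the function names are my own.

```python
"""Summarise flows in a .pcap downloaded from the ASA's /pcap URL.

Added example, not from the original post. It reads the libpcap container
(Ethernet link type only), decodes IPv4 plus TCP/UDP ports, and counts
packets and bytes per flow. SAMPLE_PCAP below is constructed inline for
the demo; it is not real ASA output. Function names are my own.
"""
import struct
from collections import Counter
from typing import Dict, Iterable, Tuple

PCAP_MAGIC = 0xA1B2C3D4                 # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1
Flow = Tuple[str, str, str, int, int]   # (proto, src, dst, sport, dport)


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero; parsing ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: Iterable[bytes]) -> bytes:
    """Wrap frames in a little-endian libpcap file using the post's 1522-byte snaplen."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1522, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def flow_summary(data: bytes) -> Dict[Flow, Tuple[int, int]]:
    """Map each flow to (packet count, captured bytes)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:               # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets: Counter = Counter()
    octets: Counter = Counter()
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                        # skip non-IPv4 frames
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:14 + ihl + 4]
        if proto in (6, 17) and len(l4) == 4:
            sport, dport = struct.unpack("!HH", l4)
            name = "tcp" if proto == 6 else "udp"
        else:
            sport = dport = 0
            name = str(proto)
        key: Flow = (name, src, dst, sport, dport)
        packets[key] += 1
        octets[key] += incl_len
    return {k: (packets[k], octets[k]) for k in packets}


def both_directions(summary: Dict[Flow, Tuple[int, int]], a: str, b: str) -> bool:
    """True if the capture holds traffic a->b and b->a (what ACL lines 1 and 2 request)."""
    seen = {(k[1], k[2]) for k in summary}
    return (a, b) in seen and (b, a) in seen


# Constructed sample: an SMTP exchange between the post's example hosts.
SAMPLE_PCAP = build_pcap([
    build_frame("10.80.28.5", "10.80.2.10", 51234, 25, b"EHLO"),
    build_frame("10.80.2.10", "10.80.28.5", 25, 51234, b"250 OK"),
    build_frame("10.80.28.5", "10.80.2.10", 51234, 25),
])

if __name__ == "__main__":
    summary = flow_summary(SAMPLE_PCAP)
    for flow, (n, nbytes) in sorted(summary.items()):
        print(f"{flow[0]} {flow[1]}:{flow[3]} -> {flow[2]}:{flow[4]}  {n} pkts  {nbytes} bytes")
    print("both directions:", both_directions(summary, "10.80.28.5", "10.80.2.10"))
```

To use it on a real download, read the file into `data` and call `flow_summary(data)`; a missing reverse flow usually means the second access-list line is absent or the capture was applied to only one interface.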

To remove the packet capture configuration again, enter the following commands:

clear configure access-list captured
no capture captured

Here is the full list of commands needed to configure, view and remove a packet capture on the Cisco ASA:

access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5
access-list captured line 3 extended permit ip host 10.80.28.4 host 10.80.2.10
access-list captured line 4 extended permit ip host 10.80.2.10 host 10.80.28.4
capture captured access-list captured interface outside packet-length 1522
capture captured access-list captured interface inside packet-length 1522
show capture captured

clear configure access-list captured
no capture captured

I hope this helps anyone trying to figure out how to configure the Cisco ASA to capture packets. If you know of any other simple methods to capture and view packets with Cisco gear, please post them in the comments section.

  • Comments (10)
    • Jay
    • September 25th, 2008

    What if you are running multiple contexts? I can capture but I can save to pcap or view it through https. The contexts do have access to https

    • Kurt
    • October 1st, 2008

    Jay
    each context should have its own internal interface which may or may not be local to your PC -
    so what is your issue? You can't access the context from your PC via https? Also check your URL to make sure all is good

    • Ash
    • June 2nd, 2009

    For ASDM user, you can use Wizards>Packet Capture Wizard

  1. hey thanks Ash!

    • f1reman
    • February 10th, 2010

    Thanks for this excellent article really helped me out.

    • G
    • April 13th, 2010

    hi,

    apologies if I sound like I have no idea about what I am talking about.

    how would you configure your Cisco firewall to dump all the packets for a particular port number to a share on the network?

    thanks for your help

    Regards
    G

  2. @G

    just change the access list for the packet capture -

    access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
    access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5

    change that to

    access-list captured line 1 extended permit tcp host 10.80.28.5 host 10.80.2.10 eq 53
    access-list captured line 2 extended permit tcp host 10.80.2.10 host 10.80.28.5 eq 53

    all I did was change the IP to TCP and then tell the access list which port by appending eq 53 to the end. The number after eq can be whatever port you want to monitor

    • so awesome
    • April 26th, 2010

    Very good info sir, thank you!

    • rinku
    • June 30th, 2010

    how can I apply port-based bidirectional captures on ASA 5505 ….

    • Kurt
    • June 30th, 2010

    @rinku

    ports are harder to capture because you won't know the response port, so just specify the destination port in line one, for example, or just specify IP only and then you can sort on port number with Wireshark. Bidirectional capture is going to take place regardless: line 1 is traffic to, and line 2 is traffic from

    so in the example below line one looks for 10.80.28.5 to send mail from 10.80.2.10 –
    line two is going to capture the response packets

    again though, I recommend doing just a straight IP ACL and not port specific -

    access-list captured line 1 extended permit tcp host 10.80.28.5 host 10.80.2.10 eq 25
    access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5