So you want to learn how to capture packets with the Cisco ASA? Are you looking for some easy-to-follow instructions to assist with capturing packets? Well then, you're in the right place! Here you will learn how to set up a packet capture on the Cisco ASA and view it via the CLI or via a web browser. I'll also explain how to save the ASA packet capture as a .pcap file and view it with Wireshark.
In order to capture packets in the Cisco ASA you’ll need to configure the following:
- Access list
- Capture list
The access list specifies which IP addresses you want in the packet capture. It is only referenced by the capture command; it is not applied to an interface with access-group, so it does not permit or block any traffic. You can make the access list as long as you like, but keep in mind that the capture grows quickly, which makes analysis difficult, so match only the hosts you are troubleshooting.
Example of the access-list
access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5
access-list captured line 3 extended permit ip host 10.80.28.4 host 10.80.2.10
access-list captured line 4 extended permit ip host 10.80.2.10 host 10.80.28.4
The capture specifies the interface to capture on and the packet length, that is, the maximum number of bytes of each packet that is saved (1522 is enough to keep a whole Ethernet frame, including an 802.1Q tag). Packets are stored in a memory buffer that defaults to 512 KB; once it is full the capture stops unless you add the circular-buffer keyword, and you can enlarge it with the buffer keyword.
Example of the capture access list:
capture captured access-list captured interface outside packet-length 1522
capture captured access-list captured interface inside packet-length 1522
You can view the packet capture on the Cisco ASA in one of two ways: via a web browser or via the console. To view the packet capture via the console, enter the following command:
show capture captured
Or view the packet capture via a web browser, and optionally save it and view it in Wireshark:
https://192.168.1.1/admin/capture/captured
where 192.168.1.1 is the IP address of your Cisco ASA inside interface. This requires HTTPS access to the ASA to be enabled for your host (http server enable plus an http entry permitting your host), and you log in with an ASA user account.
Add /pcap to the end of the URL and it will download as a .pcap file which can then be analyzed in Wireshark:
https://192.168.1.1/admin/capture/captured/pcap
Remember that the file contains full packet payloads up to the packet-length you configured, so handle and store it like any other sensitive data.
To remove the packet capture and its access list, enter the following commands:
clear configure access-list captured
no capture captured
If you only want to empty the buffer and keep capturing, use clear capture captured instead.
Here is the full list of commands necessary to configure a packet capture on the Cisco ASA:
access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5
access-list captured line 3 extended permit ip host 10.80.28.4 host 10.80.2.10
access-list captured line 4 extended permit ip host 10.80.2.10 host 10.80.28.4
capture captured access-list captured interface outside packet-length 1522
capture captured access-list captured interface inside packet-length 1522
show capture captured
clear configure access-list captured
no capture captured
I hope this helps anyone trying to figure out how to configure the Cisco ASA to capture packets. If you know of any other simple methods to capture and view packets with Cisco gear, please post them in the comments section.
Jay says
What if you are running multiple contexts? I can capture but I can't save to pcap or view it through HTTPS. The contexts do have access to HTTPS.
Kurt says
Jay
Each context should have its own internal interface, which may or may not be local to your PC.
So what is your issue? You can't access the context from your PC via HTTPS? Also check your URL to make sure all is good.
Ash says
For ASDM users, you can use Wizards > Packet Capture Wizard.
Kilroy says
hey thanks Ash!
G says
hi,
Apologies if I sound like I have no idea what I am talking about.
How would you configure your Cisco firewall to dump all the packets for a particular port number to a share on the network?
thanks for your help
Regards
G
Kurt says
@G
Just change the access list for the packet capture:
access-list captured line 1 extended permit ip host 10.80.28.5 host 10.80.2.10
access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5
change that to
access-list captured line 1 extended permit tcp host 10.80.28.5 host 10.80.2.10 eq 53
access-list captured line 2 extended permit tcp host 10.80.2.10 host 10.80.28.5 eq 53
All I did was change the IP to TCP and then tell the access list which port by appending eq 53 to the end. The number after eq can be whatever port you want to monitor.
so awesome says
Very good info sir, thank you!
rinku says
How can I apply port-based bidirectional captures on an ASA 5505?
Kurt says
@rinku
Ports are harder to capture because you won't know the response port, so just specify the destination port in line one, for example, or just specify IP only and then you can sort on port number with Wireshark. Bidirectional is going to take place regardless: line 1 is traffic to, and line 2 is traffic from.
So in the example below, line one looks for 10.80.28.5 to send mail from 10.80.2.10;
line two is going to capture the response packets.
Again though, I recommend doing just a straight IP ACL and not port-specific:
access-list captured line 1 extended permit tcp host 10.80.28.5 host 10.80.2.10 eq 25
access-list captured line 2 extended permit ip host 10.80.2.10 host 10.80.28.5
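The procedure from the post (access list, one capture per interface, view, tear down) and the port-based variants asked about in the comments, as an added example that is not part of the original post or of Cisco's tooling: a small Python helper that emits the ASA commands for any number of host pairs in both directions. The port form puts eq port after the destination host on the client-to-server line and after the source host on the server-to-client line, because the server's replies carry that port as their source port. The buffer and circular-buffer keywords, the multi-context URL shape (taken from the later comment), and all function names are this example's own assumptions.

```python
"""Generate Cisco ASA packet-capture commands (added example; helper names are hypothetical)."""


def capture_acl_lines(name, pairs, proto="ip", port=None):
    """Access-list lines for a capture named `name`, one line per direction per pair.

    pairs: iterable of (client, server) host addresses.
    With a port, proto must be tcp or udp. The client->server line matches the
    port as the destination; the server->client line matches it as the source,
    because the server's replies carry that port as their source port. Writing
    `eq port` after the client host in the reverse line would match nothing.
    """
    if port is not None and proto not in ("tcp", "udp"):
        raise ValueError("a port filter requires proto tcp or udp")
    lines = []
    for client, server in pairs:
        fwd = f"access-list {name} extended permit {proto} host {client} host {server}"
        rev = f"access-list {name} extended permit {proto} host {server}"
        if port is None:
            lines.append(fwd)
            lines.append(f"{rev} host {client}")
        else:
            lines.append(f"{fwd} eq {port}")
            lines.append(f"{rev} eq {port} host {client}")
    return lines


def capture_commands(name, interfaces, packet_length=1522, buffer_bytes=None, circular=False):
    """One `capture` line per interface, all sharing the capture name and its ACL.

    buffer_bytes enlarges the 512 KB default buffer; circular=True keeps the
    newest packets instead of stopping when the buffer is full.
    """
    cmds = []
    for ifc in interfaces:
        cmd = f"capture {name} access-list {name} interface {ifc} packet-length {packet_length}"
        if buffer_bytes is not None:
            cmd += f" buffer {buffer_bytes}"
        if circular:
            cmd += " circular-buffer"
        cmds.append(cmd)
    return cmds


def teardown_commands(name):
    """Remove the capture first, then the access list it referenced."""
    return [f"no capture {name}", f"clear configure access-list {name}"]


def pcap_url(asa_host, name, context=None):
    """HTTPS download URL for the capture as .pcap.

    The multi-context path follows the form posted in the comments; it is an
    assumption of this example, not verified here.
    """
    if context:
        return f"https://{asa_host}/capture/{context}/{name}/pcap"
    return f"https://{asa_host}/admin/capture/{name}/pcap"


if __name__ == "__main__":
    # Constructed input: the post's two hosts, SMTP only, captured on both interfaces
    pairs = [("10.80.28.5", "10.80.2.10")]
    for line in capture_acl_lines("captured", pairs, proto="tcp", port=25):
        print(line)
    for line in capture_commands("captured", ["inside", "outside"], circular=True):
        print(line)
    print("show capture captured")
    print(pcap_url("192.168.1.1", "captured"))
    for line in teardown_commands("captured"):
        print(line)
```

Paste the printed lines into configure mode; the helper leaves out the optional line N keyword, so the entries are appended in the order printed.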
Ed says
Sorry, I am new to this!
How would I configure the firewall to capture all data through a particular interface, or all traffic through the device (port mirror, sniffer)?
Thank you for the help.
kurt says
ED
access-list captured permit ip any any
capture captured access-list captured interface outside packet-length 1522
capture captured access-list captured interface inside packet-length 1522
This would capture all data from and to the inside and outside interfaces.
Ed says
@kurt
That worked great.
Thank again!!
cp says
How do you clear the capture buffer?
cp says
sorry I see how.
winblowz says
What if you are not a GUI monkey and want to transfer the real pcap file to a host all from the CLI?
kurt says
@winblowz
what? lol
You have to open and save the pcap from an internet browser; this is the only save option to get the pcap off the ASA.
ps
this is all CLI – no GUI =)
Bert-Jan says
Not completely true; to get the file from the CLI, use copy:
copy capture: ?
cache: Copy to cache: file system
disk0: Copy to disk0: file system
disk1: Copy to disk1: file system
flash: Copy to flash: file system
ftp: Copy to ftp: file system
smb: Copy to smb: file system
system: Copy to system: file system
tftp: Copy to tftp: file system
Kurt Turner says
Same as above, just expand on the access list. Try, try and try again. Let me know if you still can't figure it out.
daniel lynch says
I’m trying to do the same thing you told Ed:
access-list captured permit ip any any
capture captured access-list captured interface outside packet-length 1522
capture captured access-list captured interface inside packet-length 1522
this would capture all data from and to inside and outside interface
If I added these ACLs, would all my traffic still flow like normal, so nothing is stopped?
Also for my ASA5520, we have 4 ports, int gi 0/3 (labeled Sniffer) is not being used. I would like this to be the sniffer port, as I already have a cable going from it to the server port with the sniffer software installed.
Am I reading your access lists wrong? I just see the ASA capturing from both the inside int and the outside int, but not outputting which interface you would like the captured data sent to.
How would I go about sending the captured data via my int gi 0/3 to the sniffer port on the server?
Kurt Turner says
The ACL will not stop traffic; however, if you have a large amount of production traffic it's going to have some performance impact. I would try to limit it to IP addresses.
I've never set up a port monitor or SPAN on an ASA; not sure if you can. Just do the capture like I said and then open it up in a web browser to download the pcap; then you can open the pcap in your sniffer.
jaykay says
Hi guys,
sure you can set up port mirroring on the ASA, see here:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1411559
Best,
jaykay
Kurt Turner says
@jaykay
Thanks jaykay. Here are the commands to set up a port monitor the old-school way, just like we do on our switches:
hostname(config)# interface ethernet 0/1
hostname(config-if)# switchport monitor ethernet 0/0
hostname(config-if)# switchport monitor ethernet 0/2
So with this you'll plug your laptop or PC into port ethernet 0/1; all traffic from 0/0 and 0/2 will be pushed to 0/1. Set up Wireshark to monitor traffic and there you go.
Anil says
If I captured the data, I want the meaning of each reply,
e.g. S – SYN
A – ACK
R – reset, etc.
If a reset comes from the source, what does it mean, and if it comes from the destination, what does that mean?
Can anyone share this in detail?
Kurt Turner says
Reset means the connection is being closed and the two devices are communicating properly and the information/communication exchange is completed.
rajesh says
There is a command through which you can copy captured packets to your system from the CLI console:
copy /pcap capture:captured tftp:
I hope this would be helpful for you all.
Kurt says
I’ll have to try that today!! thanks =)
Mau says
I sometimes have trouble analysing the results of this packet capture, especially the meaning of the different flags: S, P, R. I can't find documentation on this. Does anyone have documentation or links on these flags and analysis of ASA packet captures?
I have a Citrix issue where it can't authenticate from external, and I did a capture, but most of the flags are "R". I know it's a reset, but why is the host resetting? Thanks in advance for any input.
Kurt says
send me the packet capture to kturner at absolutenetworks dot biz and I’ll see what I can do for you =)
Lots of R's could mean a couple of things, so I'd need to see the pcap.
T.J. says
Kurt,
I am having a hard time locating the exact meaning of the capture flags from an ASA. I see Mau asked the same question. Is there documentation on the capture flags? If so, will you send it to me?
tj.reed@conservation.ca.gov
Thanks,
Kurt says
You'll need to create the RSA SHA keys etc. and enable HTTPS; if this isn't supported in your version of firmware you can download it at cisco.com.
Kurt says
TCP Flags
A, ACK (Acknowledge): the receiver will send an ACK that equals the sender's sequence number plus the Len, or amount of data, at the TCP layer.
SYN and FIN flags count as 1 byte. The ACK can also be thought of as the sequence number of the next octet the receiver expects to receive.
S, SYN (Synchronize): used during session setup to agree on initial sequence numbers. Sequence numbers are random.
F, FIN (Finish): used during a graceful session close to show that the sender has no more data to send.
R, RST (Reset): an instantaneous abort in both directions (abnormal session disconnection).
P, PSH (Push): forces data delivery without waiting for buffers to fill. This is used for interactive traffic. The data will also be delivered to the application on the receiving end without buffering.
U, URG (Urgent): data is sent out of band.
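The flag letters listed above, applied to a downloaded capture, as an added example that is not part of the original post or any commenter's code: a small Python reader for the classic libpcap format that decodes the Ethernet/IPv4/TCP headers, renders the flags with the same single letters, and then answers the question asked in the comments (why am I seeing R's?) by pairing each SYN with what the server sent back. It assumes the Ethernet link type and IPv4/TCP packets, which is what an ASA interface capture exported via /pcap contains; the sample capture is constructed in-line, not taken from a real ASA, and all function names are this example's own.

```python
"""Decode an ASA-exported .pcap and classify each connection attempt by its S/A/R flags."""
import struct

# TCP flag bits and the single letters the ASA "show capture" output uses for them
TCP_FLAG_BITS = (("S", 0x02), ("A", 0x10), ("F", 0x01), ("R", 0x04), ("P", 0x08), ("U", 0x20))

def flag_letters(bits):
    """0x12 -> 'SA' (SYN-ACK), 0x14 -> 'AR' (RST carrying an ACK)."""
    return "".join(letter for letter, bit in TCP_FLAG_BITS if bits & bit)

def flag_bits(letters):
    """Inverse of flag_letters; used only to build the sample packets."""
    return sum(bit for letter, bit in TCP_FLAG_BITS if letter in letters)

def decode_tcp(frame):
    """Return (src, sport, dst, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 14:
        return None  # not TCP, or cut off before the TCP flags byte
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (src, sport, dst, dport, flag_letters(ip[ihl + 13]))

def parse_pcap(data):
    """Walk a classic pcap file (either byte order) and decode every TCP packet in it."""
    if data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    elif data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    else:
        raise ValueError("not a classic libpcap capture file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError(f"expected Ethernet link type 1, got {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        pkt = decode_tcp(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
        if pkt:
            packets.append(pkt)
    return packets

def syn_outcomes(packets):
    """Classify each SYN by the server's reply: SYN-ACK = accepted; RST with no
    SYN-ACK = refused (nothing listening, or a reject); no reply = dropped or
    never reached the server. A later RST on an accepted flow is an application-
    level abort and does not change the verdict."""
    outcome = {}
    for src, sport, dst, dport, fl in packets:
        if "S" in fl and "A" not in fl:
            outcome[(src, sport, dst, dport)] = "no answer"
    for src, sport, dst, dport, fl in packets:
        key = (dst, dport, src, sport)  # reverse direction of a recorded SYN
        if outcome.get(key) != "no answer":
            continue
        if "S" in fl and "A" in fl:
            outcome[key] = "accepted (SYN-ACK)"
        elif "R" in fl:
            outcome[key] = "refused (RST)"
    return outcome

def build_frame(src, sport, dst, dport, letters):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (not checked above)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_bits(letters), 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp

def build_pcap(frames):
    """Little-endian classic pcap: global header, then (record header + frame) per packet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

# Constructed sample (not a real capture): three attempts from the post's client to its server
SAMPLE_PCAP = build_pcap([
    build_frame("10.80.28.5", 51000, "10.80.2.10", 443, "S"),
    build_frame("10.80.2.10", 443, "10.80.28.5", 51000, "SA"),
    build_frame("10.80.28.5", 51000, "10.80.2.10", 443, "A"),
    build_frame("10.80.28.5", 51001, "10.80.2.10", 1494, "S"),
    build_frame("10.80.2.10", 1494, "10.80.28.5", 51001, "AR"),
    build_frame("10.80.28.5", 51002, "10.80.2.10", 2598, "S"),
])

if __name__ == "__main__":
    for (src, sport, dst, dport), verdict in syn_outcomes(parse_pcap(SAMPLE_PCAP)).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {verdict}")
```

To run it against a real download, replace SAMPLE_PCAP with the bytes of the file saved from the /pcap URL. A run of "refused (RST)" verdicts points at the server side (no listener, or a reject rule in front of it); a run of "no answer" means the SYNs are being dropped somewhere, including possibly by the ASA itself, which a capture on the other interface will confirm.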
Kurt says
A host can reset if its packet sync is out of order, so look at the sync order. There are a lot of other reasons, but they all point to the application layer of whatever you're troubleshooting.
Evan Spence says
For ASAs with multiple contexts use the following:
https://fwsm-ip-address/capture/context_name/captest
Ex:
https://198.168.1.1/capture/CPC-internal/capCPC/pcap