I believe that Cisco introduced the ability to capture packets in or around version 7.x of the PIX/ASA platforms as well as the FWSM. Along with the Packet Tracer this may simply be one of the most powerful troubleshooting tools in the Firewall arsenal. The ability to capture packets in real time without consuming a large amount of resources on the Firewall is incredibly powerful. Whether its the act of troubleshooting connectivity problems through the Firewall or simply watching suspicious traffic Another powerful feature is the ability to create multiple packet captures and watching them in real time or simply downloading them, and analyzing them with your favorite packet capture utility.
Available Capture Options
- ACL: Capture packets that match a specific access-list
- Buffer: Configure the size of capture buffer, default is 512 KB
- Ethernet type: Capture Ethernet packets of a particular type
- Headers only: Capture only L2, L3 and L4 headers of packets
- Interface: Capture packets on a specific interface inside, outside or dmz
- Match: Capture packets matching five-tuple
- Packet Length: Configure maximum length to save from each packet
- Real Time: Display captured packets in real-time.
- Trace: Trace the captured packets
The Accelerated Security Path or ASP
It’s worth mentioning or at that vary least talking a little bit about the ASP as it relates to the overall flow or the beginning of the flow as packets inter the ingress interface either outside, inside or dmz interfaces on the ASA. The following is a brief overview of the Accelerated Security Path or ASP process.
The Session Management Path
- Performing the ACL checks
- Performing route lookups
- Building NAT / XLAT Translations
- Establishing sessions for the Fast Path
The Fast Path
- Performing IP checksums
- Performing session lookup
- Performing TCP sequence number checks
- Using NAT / XLAT translations based on existing Session Management
- Performing Layer 3, and Layer 4 header checks
The Control Plane Path
- Layer 7 packet inspection
- Dynamic port inspection
Ok well enough about the Accelerated Security Path, and on to Packet Captures. Along with Packet Tracer this has to be one of the best trouble shooting tools in the ASA arsenal. Lets create a simple test capture to capture traffic coming from a single host on the inside with a simple ACL.
Creating A Simple Packet Capture
ASA#configure terminal
ASA(config)#access-list test permit ip host 192.168.254.15 any
ASA(config)#capture test interface inside access-list test circular-buffer
ASA(config)#
Lets take a quick look at the test capture and see if we are getting any bytes
ASA(config)#show capture
capture test type raw access-list test interface inside circular-buffer [Capturing - 19688 bytes]
ASA#(config)#
Now lets take an even closer look at the test capture and see exactly what’s being
ASA(config)#show capture test 1: 21:48:37.331205 802.1Q vlan#2 P0 192.168.254.15.3885 > 216.69.149.90.443: . 3104448463:3104448464(1) ack 2115367911 win 32768 2: 21:48:46.351468 802.1Q vlan#2 P0 192.168.254.15.3885 > 216.69.149.90.443: . 3104448464:3104449844(1380) ack 2115367911 win 32768 3: 21:48:46.354321 802.1Q vlan#2 P0 192.168.254.15.3885 > 216.69.149.90.443: P 3104449844:3104450907(1063) ack 2115367911 win 32768 4: 21:48:46.785893 802.1Q vlan#2 P0 192.168.254.15.3885 > 216.69.149.90.443: . ack 2115368361 win 32543 5: 21:49:08.324415 802.1Q vlan#2 P0 192.168.254.15.60573 > 64.126.4.212.53: udp 38 6: 21:49:08.324842 802.1Q vlan#2 P0 192.168.254.15.55260 > 64.126.4.212.53: udp 36
Disable the capture and removing the ACL from the configuration
ASA(config)#no capture test
ASA(config)#clear configure access-list test
ASA(config)#
ASA(config)#show access-list test
ASA(config)#
ASA(config)#show capture
ASA(config)#
ASA(config)#exit
ASA#
Downloading and saving the PCAP file from the ASA
This is one of those really cool features that Cisco added to allow Firewall Admins to down load captures files in PCAP form directly from the ASA to be analyzed with your favorite packet analyzer such as Ehteral or WireSHARK or to send off to TAC for further investigation.
- https://192.168.254.1/admin/capture/test/pcap
- copy capture:test ftp://user:pass@192.168.254.17/test.pcap
- copy capture:test disk0://test.pcap or copy capture:test disk1://test.pcap
One of really cool features when creating captures is that you don’t necessarily have to be in configuration mode in order to create a capture. For example if you wanted to simply capture packets on a particular interface lets say the outside interface you could simply create the capture without going into configuration mode. The reason for this is due to the fact that the capture itself is not relying on an ACL in order to perform the capture.
ASA#capture test interface outside circular-buffer
ASA#show capture
test type raw-data interface outside[Capturing - 397505 bytes]
ASA#
Now lets take a look at just the first 10 lines from the previous capture
ASA#show capture test count 10 1: 09:36:01.447257 802.1Q vlan#3 P0 arp who-has 64.126.55.103 tell 64.126.48.1 2: 09:36:01.484883 802.1Q vlan#3 P0 arp who-has 74.222.203.18 tell 74.222.192.1 3: 09:36:01.525653 802.1Q vlan#3 P0 arp who-has 74.222.194.42 tell 74.222.192.1 4: 09:36:01.583053 802.1Q vlan#3 P0 arp who-has 64.151.7.165 tell 64.151.0.1 5: 09:36:01.688257 802.1Q vlan#3 P0 arp who-has 64.126.34.82 tell 64.126.32.1 6: 09:36:01.703592 802.1Q vlan#3 P0 arp who-has 64.126.37.206 tell 64.126.32.1 7: 09:36:01.805424 802.1Q vlan#3 P0 arp who-has 64.126.57.79 tell 64.126.56.1 8: 09:36:01.861542 802.1Q vlan#3 P0 arp who-has 64.126.42.43 tell 64.126.40.1 9: 09:36:01.867920 802.1Q vlan#3 P0 arp who-has 64.126.52.133 tell 64.126.48.1 10: 09:36:02.147911 802.1Q vlan#3 P0 arp who-has 64.126.38.100 tell 64.126.32.1
Now that we have the capture running lets donwload the PCAP file from the ASA
https://192.168.254.1/admin/capture/test/pcap
I hope you found this post on ASA Packet Capture helpful and informative. Be sure to let me know what you think by leaving suggestions, and feedback in the comments section below. You can find out more about these and other articles be checking out recent posts and archives. To learn more about myself be sure to check out the About page. And as always thanks again for visiting The Packet.