The packet capture process is useful when you troubleshoot connectivity problems or monitor suspicious activity. In addition, you can create multiple captures in order to analyze different types of traffic on multiple interfaces.
Collecting captures on ASA
You can enable captures on ASA either from CLI or from ASDM
Enable captures on ASDM
Go to Wizards and select Packet Capture Wizard; it takes you through 6 simple, self-explanatory steps. Once you are done with the captures, select Save captures. This is illustrated below:
- Navigate to Wizards > Packet Capture Wizard in order to start the packet capture configuration, as shown:
10. The captured packets are shown in this window for both the ingress and egress traffic. Click Save captures in order to save the capture information.
Enable captures in CLI
This is the syntax to apply a capture:
capture <name of capture>
These are the options available:
access-list: Capture packets that match an access-list. When you specify an access-list, make sure it specifies the traffic in both directions if you want to capture bi-directional traffic.
buffer: The default is 512 KB and you can configure it up to 32 MB; you do not need to change this in most cases. A note of caution: applying captures adds to memory utilization, so keep an eye on memory before enabling captures with the maximum buffer.
circular-buffer: Overwrite the buffer from the beginning when it is full. The default is non-circular.
ethernet-type: EtherType is a two-octet field in an Ethernet frame that indicates which protocol is encapsulated in the payload of the frame. The default is IP. The IANA-assigned EtherType numbers are listed at http://www.iana.org/assignments/ethernet-numbers
headers-only: Capture only the L2, L3 and L4 headers of each packet, without the data. Useful for collecting a partial packet capture.
interface: Specifies the interface on which you want to apply the capture.
match: Capture packets matching a five-tuple. The 5-tuple consists of
-> the type of protocol, e.g. ip, gre, esp, icmp
-> the source and destination IP
-> other detail specific to the protocol type; for example, in the case of tcp it would be the src/dst port, and in the case of icmp it would be the icmp type (optional)
packet-length: Defines the maximum length of each packet to capture. The default is 1518 bytes, which is the MTU in most cases; the maximum is 9216 bytes.
real-time: Display captured packets in real time. Warning: using this option with a slow console connection may result in an excessive number of non-displayed packets due to performance limitations. This is very rarely useful.
trace: This keyword lets you check the packet-tracer output for each packet; note that it shows packet-tracer output only for inbound packets. This is useful when you want to check the various firewall checks for consecutive packets, since the normal packet-tracer command always shows the output for a new connection. See the "Viewing it on the device itself" section to learn how to check the trace output.
type: These are the options available here:
asp-drop: Capture packets dropped with a particular reason
isakmp: Capture encrypted and decrypted ISAKMP payloads
raw-data: Capture inbound and outbound packets on one or more interfaces
tls-proxy: Capture decrypted inbound and outbound data from the TLS Proxy on one or more interfaces
webvpn: Capture WebVPN transactions for a specified user
You need to know what you are looking for when you collect these captures. For example, asp-drop captures can generate a lot of output, so unless you know what kind of drop you are looking for you might end up looking at a lot of packets.
Example of a capture
capture capin interface inside match ip host 126.96.36.199 host 188.8.131.52
This uses the defaults for all the other parameters.
You can view captures in 2 ways: on the CLI/ASDM, in other words on the device itself, or on a packet analyser after exporting them in pcap form.
Let us examine each of them closely.
Viewing it on the device itself
You can watch the captures in real time when you enable them on ASDM, or when you enable a capture on the CLI using the "real-time" option (not really recommended, as it may lead to an excessive number of non-displayed packets in some cases).
Once you are done capturing, you can view the packets by issuing the command show capture <capname>. This displays the minimum information: src/dst IP, src/dst port, timestamp and ethertype.
You can view more information by using the extended form of show cap <capname>:
show cap <capname> <one of the keywords below>
access-list: Display packets matching an access-list
count: Display <number> of packets in the capture; lets you display a specified number of packets
detail: Display more information for each packet, such as src/dst MAC address, TTL and IP ID (this has been illustrated in Scenario 1)
dump: Display a hex dump for each packet; shows the datagram in hex
packet-number: Display packet <number> in the capture; lets you view the capture starting from a specified packet number
trace: Display extended trace information for each packet; used if the capture was set with the trace keyword mentioned above, this shows the packet-tracer output for each packet in the inbound direction
Viewing it on a packet analyzer tool
You can export these captures, save them on your PC and view them with a packet analyzer tool like Wireshark (an open source tool, available for free on the internet). There are 2 ways of doing this.
Export via https
For this you need to enable the http server on your ASA, and you need to know the credentials used to access the ASA via ASDM (the default is no username and no password).
Commands to enable the http server
Note: This is for creating keys, because we communicate with the ASA via https; if you have ssh access you probably already have these keys.
Once you have enabled the http server on the ASA, go to your browser and enter the following in the URL field:
https://<ip address of asa>/capture/<capname>/pcap
If the ASA is in multiple context mode you have to specify the context:
https://<ip address of asa>/capture/<context name>/<capname>/pcap
After you enter this you will be prompted for a username and password; once you enter them, the capture is stored on your PC and you can open it in a packet analyser tool.
Download pcap from CLI
It is also possible to copy a capture from the ASA to an FTP server using this command:
copy /pcap capture:CAP1 ftp://user:firstname.lastname@example.org/CAP1.pcap
Viewing the output at the CLI
To see what has been captured, issue the following command from the CLI:
show capture CAP1
The capture output for a TCP flow follows this template:
HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options
Let's look more closely at what the 'tcp-flags' field can show us.
Here is an example TCP capture broken down.
User 184.108.40.206 is accessing the website located at 220.127.116.11.
1: 15:01:45.052762 18.104.22.168.12869 > 22.214.171.124.80: S 3624439037:3624439037(0) win 8192
The S here indicates this is a SYN.
2: 15:01:45.053403 126.96.36.199.80 > 188.8.131.52.12869: S 285283040:285283040(0) ack 3624439038 win 8192
This packet has both an S (SYN) and an ACK. Notice that the source of this packet is the webserver 184.108.40.206. To tell who originally initiated this flow, look at the ports: the source is port 80 and it is going to port 12869. This tells us this is return traffic and the original request was really TO port 80.
3: 15:01:45.054501 220.127.116.11.12869 > 18.104.22.168.80: . ack 285283041 win 260
Here is the ACK. This signifies the completion of the 3-way handshake. If you see this in the capture, you know that communication is taking place properly.
4: 15:01:45.054852 22.214.171.124.12869 > 126.96.36.199.80: P 3624439038:3624439328(290) ack 285283041 win 260
Now the requester is sending a PUSH. This means: show me the data!
5: 15:01:45.244463 188.8.131.52.80 > 184.108.40.206.12869: . ack 3624439328 win 260
The next packet is another ACK: the webserver says ok, I got your push.
6: 15:01:46.344296 220.127.116.11.80 > 18.104.22.168.12869: . 285283041:285284301(1260) ack 3624439328 win 260
7: 15:01:46.344418 22.214.171.124.80 > 126.96.36.199.12869: . 285284301:285285561(1260) ack 3624439328 win 260
Look carefully here. The header check is simply ., which indicates data being sent, and it makes sense that data is being sent from the webserver to the user.
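The breakdown above is easy to do by eye for seven packets but not for a full 512 KB buffer. As an added example (not from the original page), here is a small Python parser for the TCP line template described above that groups packets per connection and reports how far the 3-way handshake got, so a flow stuck at "syn-sent" (client SYNs with no SYN-ACK) stands out. The sample lines and addresses are constructed for this example; "win" and TCP options are deliberately not parsed.

```python
import re
# Constructed 'show capture' lines in the template the page describes (addresses made up, RFC 5737 ranges).
SAMPLE = """\
1: 15:01:45.052762 192.0.2.50.12869 > 198.51.100.7.80: S 3624439037:3624439037(0) win 8192
2: 15:01:45.053403 198.51.100.7.80 > 192.0.2.50.12869: S 285283040:285283040(0) ack 3624439038 win 8192
3: 15:01:45.054501 192.0.2.50.12869 > 198.51.100.7.80: . ack 285283041 win 260
4: 15:01:45.054852 192.0.2.50.12869 > 198.51.100.7.80: P 3624439038:3624439328(290) ack 285283041 win 260
5: 15:01:46.344296 198.51.100.7.80 > 192.0.2.50.12869: . 285283041:285284301(1260) ack 3624439328 win 260
6: 15:01:47.000001 192.0.2.50.40001 > 198.51.100.7.443: S 1000:1000(0) win 8192
7: 15:01:48.000001 192.0.2.50.40001 > 198.51.100.7.443: S 1000:1000(0) win 8192
"""
# number: timestamp src.port > dst.port: flags [seq:end(len)] [ack N] ... (win and options are ignored)
LINE_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+([\d.]+)\.(\d+)\s+>\s+([\d.]+)\.(\d+):\s+([SFPRU.]+)"
                     r"(?:\s+(\d+):\d+\((\d+)\))?(?:\s+ack\s+(\d+))?")

def parse_line(line):
    """Parse one TCP line of 'show capture' output; None for lines outside the template."""
    m = LINE_RE.match(line)
    if not m:
        return None
    num, ts, src, sport, dst, dport, flags, _seq, length, ack = m.groups()
    return {"num": int(num), "ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "flags": flags, "len": int(length or 0), "ack": int(ack) if ack else None}
def parse_capture(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

def flow_states(packets):
    """Per connection (client, cport, server, sport): how far the 3-way handshake got and bytes per direction."""
    flows = {}
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])
        if fwd in flows or rev in flows:
            from_client = fwd in flows
        else:  # first packet of a flow: a bare SYN comes from the client, else the lower port is the server (page's rule)
            from_client = ("S" in p["flags"] and p["ack"] is None) or p["sport"] > p["dport"]
            flows[fwd if from_client else rev] = {"state": "unknown", "client_bytes": 0, "server_bytes": 0}
        f = flows[fwd if from_client else rev]
        syn, has_ack = "S" in p["flags"], p["ack"] is not None
        if from_client and syn and not has_ack:
            f["state"] = "syn-sent"          # SYN seen (stays here if the server never answers)
        elif not from_client and syn and has_ack and f["state"] == "syn-sent":
            f["state"] = "syn-ack"           # packet 2 of the handshake
        elif from_client and has_ack and not syn and f["state"] == "syn-ack":
            f["state"] = "established"       # packet 3: handshake complete, data may follow
        if "R" in p["flags"]:
            f["state"] = "reset"
        f["client_bytes" if from_client else "server_bytes"] += p["len"]
    return flows
```

Running flow_states(parse_capture(SAMPLE)) reports the port-80 flow as established with 290 bytes from the client and 1260 from the server, and the port-443 flow as still syn-sent after two SYNs.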
"Clearing" the capture means getting rid of the data in the capture. To do this, issue the following command:
clear capture <Capture-Name>
"Removing" a capture means deleting both its contents and the listener from the ASA. To do this, issue this command:
no capture <Capture-Name>
Once done, always make sure that you remove the captures using the above command.