Cisco ASA – Packet Capture

The packet capture process is useful when you troubleshoot connectivity problems or monitor suspicious activity. In addition, you can create multiple captures in order to analyze different types of traffic on multiple interfaces.

Collecting captures on ASA

You can enable captures on the ASA either from the CLI or from ASDM.

Enable captures on ASDM

Go to Wizards and select Packet Capture Wizard. It takes you through six simple, self-explanatory steps; once you are done with the captures, select Save captures. This is illustrated below:


  1. Navigate to Wizards > Packet Capture Wizard to start the packet capture configuration.


  10. The captured packets are shown in this window for both the ingress and egress traffic. Click Save captures to save the capture information.

Enable captures from the CLI

This is the syntax to apply a capture:

capture <name of capture>

These are the options available:

access-list Capture packets that match an access-list. When you specify an access-list, make sure you specify the traffic in both directions if you want to capture bi-directional traffic.
buffer Default is 512 KB and you can configure it up to 32 MB; you do not need to change this in most cases. A note of caution: applying captures adds to memory utilization, so keep an eye on memory before enabling captures with the maximum buffer.
circular-buffer Overwrite the buffer from the beginning when it is full. Default is non-circular.
ethernet-type The EtherType is a two-octet field in an Ethernet frame that indicates which protocol is encapsulated in the frame's payload. Default is IP. Here is the link to the IANA assigned EtherType numbers: http://www.iana.org/assignments/ethernet-numbers
headers-only Capture only the L2, L3 and L4 headers of each packet, without the data; useful for collecting a partial packet capture.
interface Specifies the interface on which you want to apply the capture.
match Capture packets matching a five-tuple. The 5-tuple consists of:

-> type of protocol, e.g. ip, gre, esp, icmp, etc.

-> source and destination IP

-> other details specific to the protocol given; for example, for tcp the source and destination port, or for icmp the icmp type (optional)

packet-length Defines the maximum length of each packet to capture. Default is 1518 bytes, which is the MTU in most cases; maximum is 9216 bytes.
real-time Display captured packets in real time. Warning: using this option with a slow console connection may result in an excessive number of non-displayed packets due to performance limitations. This is very rarely useful.
trace This keyword enables you to check the output of packet tracer for each packet; note that it shows packet tracer output only for inbound packets. This is useful when you want to check the various firewall checks for consecutive packets, since the normal packet tracer command always shows you the output for a new connection. See the Viewing captures section to learn how to check the trace output.
type These are the various options available here:

asp-drop  Capture packets dropped for a particular reason
isakmp    Capture encrypted and decrypted ISAKMP payloads
raw-data  Capture inbound and outbound packets on one or more interfaces
tls-proxy Capture decrypted inbound and outbound data from the TLS Proxy on one or more interfaces
webvpn    Capture WebVPN transactions for a specified user

You need to know what you are looking for when you collect these captures. For example, asp-drop captures might generate a lot of output, so unless you know what kind of drop you are looking for you might end up looking at a lot of packets.

Example of a capture

capture capin interface inside match ip host 1.1.1.1 host 2.2.2.2

This uses the defaults for the other parameters.


Viewing captures

You can view captures in two ways: on the device itself (CLI/ASDM), or on a packet analyser after exporting them in pcap form.

Let us examine each of them closely.

Viewing it on the device itself

You can watch the captures in real time when you enable them in ASDM, or when you enable the capture on the CLI using the real-time option (not really recommended, as it may lead to an excessive number of non-displayed packets in some cases).

Once you are done capturing, you can view the packets by issuing the command show capture <capname>. This displays minimal information: src/dst IP, src/dst port, timestamp and EtherType.

You can view more information by using the extended form of show cap <capname>:


show cap <capname> <one of the keywords below>

access-list Display packets matching an access-list
count Display <number> packets in the capture; lets you display a specified number of packets
detail Display more information for each packet, such as src/dst MAC address, TTL and IP ID; this is illustrated in Scenario 1
dump Display a hex dump for each packet; shows the datagram in hex
packet-number Display packet <number> in the capture; lets you view the capture starting from a specified packet number
trace Display extended trace information for each packet; used if the capture was set up with the trace keyword as mentioned above, this shows the output of packet tracer for each packet in the inbound direction

Viewing it on a packet analyzer tool

You can export these captures, save them on your PC and view them with a packet analyzer tool such as Wireshark (an open-source tool available for free). There are two ways of doing this.

Export via HTTPS

For this you need to enable the HTTP server on your ASA, and you need to know the credentials used to access the ASA via ASDM (the default is no username and no password).

Commands to enable the HTTP server:

asa#config t

asa(config)# http server enable

asa(config)# crypto key generate rsa modulus 1024

Note: the key generation step is there because we communicate with the ASA via HTTPS; if you already have SSH access you probably have these keys.

Once you have enabled the HTTP server on the ASA, go to your browser and enter the following in the URL field:

https://<ip address of asa>/capture/<capname>/pcap

If the ASA is in multiple context mode you have to specify the context:

https://<ip address of asa>/capture/<context name>/<capname>/pcap

After you enter this you are prompted for a username and password; once you enter them the capture is stored on your PC and you can open it in a packet analyser tool.

Download the pcap from the CLI

It is also possible to copy a capture from the ASA to an FTP server with this command:

copy /pcap capture:CAP1 ftp://user:pass@192.168.1.1/CAP1.pcap

Viewing the output at the CLI

To see what has been captured, issue the following command from the CLI:
show capture CAP1

The capture output for a TCP flow follows this template:

HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options

Let's look more closely at what the 'tcp-flags' field can show us.

Here is an example TCP capture, broken down packet by packet.

User 1.1.1.1 is accessing the website located at 2.2.2.2.

1: 15:01:45.052762 1.1.1.1.12869 > 2.2.2.2.80: S 3624439037:3624439037(0) win 8192

The S here indicates this is a SYN.

2: 15:01:45.053403 2.2.2.2.80 > 1.1.1.1.12869: S 285283040:285283040(0) ack 3624439038 win 8192

This packet has both an S (SYN) and an ack. Notice that the source of this packet is the web server 2.2.2.2. To tell who originally initiated this flow, look at the ports: the source is port 80 and the destination is port 12869. This tells us this is return traffic and the original request was really TO port 80.

3: 15:01:45.054501 1.1.1.1.12869 > 2.2.2.2.80: . ack 285283041 win 260

Here is the ack. This signifies the completion of the three-way handshake. If you see this in the capture you know that communication is taking place properly.

4: 15:01:45.054852 1.1.1.1.12869 > 2.2.2.2.80: P 3624439038:3624439328(290) ack 285283041 win 260

Now the requester is sending a push (P). This means: show me the data!

5: 15:01:45.244463 2.2.2.2.80 > 1.1.1.1.12869: . ack 3624439328 win 260

The next packet is another ack. The web server says: OK, I got your push.

6: 15:01:46.344296 2.2.2.2.80 > 1.1.1.1.12869: . 285283041:285284301(1260) ack 3624439328 win 260
7: 15:01:46.344418 2.2.2.2.80 > 1.1.1.1.12869: . 285284301:285285561(1260) ack 3624439328 win 260

Look carefully here. The flag field is simply ".", which indicates data being sent. And it makes sense that data is being sent from the web server to the user.
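As an added example (not part of the original post), here is a small Python parser for the show capture TCP lines above: it identifies the initiator from the bare SYN, checks whether the three-way handshake completed, and totals payload bytes per direction. The sample text is the seven packets from this section, and the handshake check is my own heuristic based on the flag conventions described above.

```python
import re
from collections import defaultdict

# Constructed sample: the seven "show capture" lines walked through above
# (client 1.1.1.1:12869 to web server 2.2.2.2:80).
SAMPLE = """\
1: 15:01:45.052762 1.1.1.1.12869 > 2.2.2.2.80: S 3624439037:3624439037(0) win 8192
2: 15:01:45.053403 2.2.2.2.80 > 1.1.1.1.12869: S 285283040:285283040(0) ack 3624439038 win 8192
3: 15:01:45.054501 1.1.1.1.12869 > 2.2.2.2.80: . ack 285283041 win 260
4: 15:01:45.054852 1.1.1.1.12869 > 2.2.2.2.80: P 3624439038:3624439328(290) ack 285283041 win 260
5: 15:01:45.244463 2.2.2.2.80 > 1.1.1.1.12869: . ack 3624439328 win 260
6: 15:01:46.344296 2.2.2.2.80 > 1.1.1.1.12869: . 285283041:285284301(1260) ack 3624439328 win 260
7: 15:01:46.344418 2.2.2.2.80 > 1.1.1.1.12869: . 285284301:285285561(1260) ack 3624439328 win 260
"""

# One packet per line: num: timestamp src.port > dst.port: flags [seq:end(len)] [ack N] [win N]
LINE_RE = re.compile(
    r"^(\d+):\s+(\S+)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+([SFRP.]+)"
    r"(?:\s+\d+:\d+\((\d+)\))?(?:\s+ack\s+(\d+))?"
)

def parse_line(line):
    """Return a dict for one capture line, or None if the line is not a TCP entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    num, ts, src, sport, dst, dport, flags, length, ack = m.groups()
    return {"num": int(num), "ts": ts, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            "flags": flags, "len": int(length or 0), "ack": ack is not None}

def summarize(capture_text):
    """Identify the initiator, check the 3-way handshake and count payload per direction."""
    pkts = [p for p in map(parse_line, capture_text.splitlines()) if p]
    # The initiator is whoever sent a SYN without an ACK (packet 1 above).
    initiator = next((p["src"] for p in pkts if "S" in p["flags"] and not p["ack"]), None)
    syn_ack = any("S" in p["flags"] and p["ack"] and p["dst"] == initiator for p in pkts)
    # The handshake completes when the initiator answers with a bare ACK (packet 3 above).
    ack_only = any(p["flags"] == "." and p["ack"] and p["src"] == initiator for p in pkts)
    payload = defaultdict(int)
    for p in pkts:
        payload[f'{p["src"]} -> {p["dst"]}'] += p["len"]
    return {"packets": len(pkts), "initiator": initiator,
            "handshake_complete": syn_ack and ack_only, "payload_bytes": dict(payload)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A capture that contains only the client's SYNs (no SYN/ACK from the server) reports handshake_complete as False, which is the signature you are looking for when troubleshooting a connection that never comes up.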


Clearing/Removing Captures

"Clearing" the capture refers to getting rid of the data in the capture. To do this, issue the following command:

clear capture <Capture-Name>

"Removing" a capture means deleting its contents and the listener from the ASA. To do this, issue this command:

no capture <Capture-Name>

Once you are done, always make sure that you remove the captures with the command above.
