The packet capture process is useful when you troubleshoot connectivity problems or monitor suspicious activity. In addition, you can create multiple captures in order to analyze different types of traffic on multiple interfaces.
Collecting captures on ASA
You can enable captures on the ASA either from the CLI or from ASDM.
Enable captures on ASDM
Go to Wizards and select Packet Capture Wizard. It takes you through six simple, self-explanatory steps; once you are done with the captures, select Save Captures. The steps are illustrated below:
1. Navigate to Wizards > Packet Capture Wizard in order to start the packet capture configuration, as shown:
2. The Capture Wizard opens. Click Next.
3. In the new window, provide the parameters that are used in order to capture the INGRESS traffic. Select inside for the Ingress Interface and provide the source and the destination IP addresses of the packets to be captured, along with their subnet mask, in the respective space provided. Also, choose the packet type to be captured by the ASA (IP is the packet type chosen here), as shown:
Click Next.
4. Select outside for the Egress Interface and provide the source and the destination IP addresses, along with their subnet mask, in the respective spaces provided. If Network Address Translation (NAT) is performed on the Firewall, take this into consideration as well.
5. Enter the appropriate Packet Size and Buffer Size in the respective spaces provided, as this data is required in order for the capture to take place. Also, remember to check the Use circular buffer check box if you want to use the circular buffer option. Circular buffers never fill up: as the buffer reaches its maximum size, older data is discarded and the capture continues. In this example, the circular buffer is not used, so the check box is not checked.
Click Next.
6. This window shows the Access-lists that must be configured on the ASA so that the desired packets are captured, and it shows the type of packets to be captured (IP packets are captured in this example). Click Next.
7. Click Start in order to start the packet capture, as shown here:
8. As the packet capture is started, attempt to ping the outside network from the inside network so that the packets that flow between the source and the destination IP addresses are captured by the ASA capture buffer.
9. Click Get Capture Buffer in order to view the packets that are captured by the ASA capture buffer.
10. The captured packets are shown in this window for both the ingress and egress traffic. Click Save captures in order to save the capture information.
11. From the Save Captures window, choose the format in which the capture buffer is to be saved, either ASCII or PCAP, by clicking the radio button next to the format name. Then click Save ingress capture or Save egress capture as required. PCAP is the preferred format, because the files can be opened in capture analyzers such as Wireshark.
12. From the Save capture file window, provide the file name and the location to where the capture file is to be saved. Click Save.
13. Click Finish.
Enable captures in CLI
This is the syntax to apply a capture:
capture <name of capture>
These are the options available:
access-list | Capture packets that match an access list. When you specify an access list, make sure it specifies the traffic in both directions if you want to capture bi-directional traffic. |
buffer | Default is 512 KB; you can configure it up to 32 MB, but you do not need to change this in most cases. A note of caution: applying captures adds to memory utilization, so keep an eye on memory before enabling captures with the maximum buffer. |
circular-buffer | Overwrite the buffer from the beginning when it is full. Default is non-circular. |
ethernet-type | EtherType is a two-octet field in an Ethernet frame, used to indicate which protocol is encapsulated in the payload of the frame. Default is IP. The IANA-assigned EtherType numbers are listed at http://www.iana.org/assignments/ethernet-numbers |
headers-only | Capture only the L2, L3 and L4 headers of each packet, without the data; useful for collecting a partial packet capture. |
interface | Specifies the interface on which you want to apply the capture. |
match | Capture packets matching a five-tuple. The five-tuple consists of the protocol type (e.g. ip, gre, esp, icmp), the source and destination IP addresses, and the protocol-specific detail: for tcp the source and destination ports, for icmp the ICMP type (optional). |
packet-length | Defines the maximum length of each packet to capture. Default is 1518 bytes, which is the MTU in most cases; maximum is 9216 bytes. |
real-time | Display captured packets in real time. Warning: using this option with a slow console connection may result in an excessive amount of non-displayed packets due to performance limitations. This is very rarely useful. |
trace | Enables you to check the packet-tracer output for each packet; note that the trace is shown only for inbound packets. This is useful when you want to see the firewall's checks on consecutive packets, because the normal packet-tracer command always shows the output for a new connection. See the Viewing captures section to learn how to display the trace output. |
type | The options available here are:
- asp-drop: Capture packets dropped with a particular reason
- isakmp: Capture encrypted and decrypted ISAKMP payloads
- raw-data: Capture inbound and outbound packets on one or more interfaces
- tls-proxy: Capture decrypted inbound and outbound data from TLS Proxy on one or more interfaces
- webvpn: Capture WebVPN transactions for a specified user
You need to know what you are looking for when you collect these captures; for example, asp-drop captures can generate a lot of output, so unless you know what kind of drop you are looking for you may end up looking at a lot of packets. |
Example of a capture:
capture capin interface inside match ip host 1.1.1.1 host 2.2.2.2
This uses the defaults for all other parameters.
Viewing captures
You can view captures in two ways: on the device itself (CLI or ASDM), or on a packet analyzer after exporting the capture in pcap form.
Let us examine each of them closely.
Viewing it on the device itself
You can watch the captures in real time when you enable them from ASDM, or when you enable a capture from the CLI using the “real-time” option (not really recommended, as it may lead to an excessive amount of non-displayed packets in some cases).
Once you are done capturing, you can view the packets with the command show capture <capname>. This displays the minimum information: source and destination IP, source and destination port, timestamp and EtherType.
You can view more information by using the extended form of show cap <capname>:
show cap <capname> <one of the keywords below>
access-list | Display packets matching an access list |
count | Display <number> of packets in the capture: lets you display a specified number of packets |
detail | Display more information for each packet, such as source and destination MAC address, TTL and IP ID; this is illustrated in Scenario 1 |
dump | Display a hex dump for each packet: shows the datagram in hex |
packet-number | Display packet <number> in the capture: lets you view the capture starting from a specified packet number |
trace | Display extended trace information for each packet; used if the capture was set up with the trace keyword mentioned above, this shows the packet-tracer output for each packet in the inbound direction |
Viewing it on a packet analyzer tool
You can export these captures, save them on your PC and view them using a packet analyzer tool such as Wireshark (an open source tool, freely available on the internet). There are two ways of doing this.
Export via https
For this you need to enable the HTTP server on your ASA, and you need to know the credentials used to access the ASA via ASDM (the default is no username and no password).
Commands to enable the HTTP server
Note: The key-generation step is needed because we communicate with the ASA via HTTPS; if you already have SSH access you probably have these keys.
Once you have enabled the HTTP server on the ASA, go to your browser and enter the following in the URL field:
https://<ip address of asa>/capture/<capname>/pcap
If the ASA is in multiple context mode you have to specify the context:
https://<ip address of asa>/capture/<context name>/<capname>/pcap
After you enter this you will be prompted for the username and password; once you enter them, the capture is stored on your PC and you can open it in a packet analyzer tool.
Download pcap from CLI
It is also possible to move a capture file from the ASA to an FTP server with this command:
copy /pcap capture:CAP1 ftp://user:pass@192.168.1.1/CAP1.pcap
Viewing the output at the CLI
To see what has been captured, issue the following command from the CLI:
show capture CAP1
The capture output for a TCP flow follows this template:
HH:MM:SS.ms [ether-hdr] src-addr.src-port dest-addr.dst-port: tcp-flags [header-check] [checksum-info] sequence-number ack-number tcp-window urgent-info tcp-options
Let’s look more closely into what the ‘tcp-flags’ can show us.
Here is an example TCP capture broken down.
User 1.1.1.1 is accessing the website located at 2.2.2.2.
1: 15:01:45.052762 1.1.1.1.12869 > 2.2.2.2.80: S 3624439037:3624439037(0) win 8192
The S here indicates that this is a SYN.
2: 15:01:45.053403 2.2.2.2.80 > 1.1.1.1.12869: S 285283040:285283040(0) ack 3624439038 win 8192
This packet has both an S (SYN) and an ack. Notice that the source of this packet is the web server 2.2.2.2. To tell who originally initiated this flow, look at the ports: the source is port 80 and the destination is port 12869. This tells us this is return traffic and the original request was really TO port 80.
3: 15:01:45.054501 1.1.1.1.12869 > 2.2.2.2.80: . ack 285283041 win 260
Here is the ack. This signifies the completion of the 3-way handshake. If you see this in the capture, you know that communication is taking place properly.
4: 15:01:45.054852 1.1.1.1.12869 > 2.2.2.2.80: P 3624439038:3624439328(290) ack 285283041 win 260
Now the requester is sending a Push. This means: show me the data!
5: 15:01:45.244463 2.2.2.2.80 > 1.1.1.1.12869: . ack 3624439328 win 260
The next packet is another ack. The web server says OK, I got your push.
6: 15:01:46.344296 2.2.2.2.80 > 1.1.1.1.12869: . 285283041:285284301(1260) ack 3624439328 win 260
7: 15:01:46.344418 2.2.2.2.80 > 1.1.1.1.12869: . 285284301:285285561(1260) ack 3624439328 win 260
Look carefully here. The tcp-flags field is simply ‘.’, meaning none of S, P, F or R is set: this is plain data being sent. And it makes sense that data is being sent from the web server to the user.
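The walkthrough above can be automated. The following parser is added here as an example and is not part of the original post: it reads the seven capture lines above in the show capture line form, classifies each packet by its tcp-flags the way the walkthrough does, and checks that the first three packets form a complete 3-way handshake by comparing the ack numbers against the two ISNs and confirming that the SYN-ACK comes back from the mirrored address and port (LINE_RE, Pkt, kind and check_handshake are this example's own names).

```python
import re
from collections import namedtuple

# Matches one TCP line of `show capture <name>` output, in the form the walkthrough shows:
#   N: HH:MM:SS.us src.sport > dst.dport: flags [seq:end(len)] [ack N] win W   ("." = no S/F/P/R/U)
LINE_RE = re.compile(
    r"^(?P<num>\d+):\s+\d\d:\d\d:\d\d\.\d+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[SFPRU.]+)"
    r"(?:\s+(?P<seq>\d+):\d+\((?P<len>\d+)\))?(?:\s+ack\s+(?P<ack>\d+))?\s+win\s+\d+")

Pkt = namedtuple("Pkt", "num src sport dst dport flags seq length ack")  # seq/ack None if absent

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a TCP capture line: {line!r}")
    g = m.groupdict()
    return Pkt(int(g["num"]), g["src"], int(g["sport"]), g["dst"], int(g["dport"]), g["flags"],
               int(g["seq"]) if g["seq"] else None, int(g["len"] or 0),
               int(g["ack"]) if g["ack"] else None)

def kind(p):
    """Classify the packet the way the walkthrough above does."""
    if "S" in p.flags:
        return "SYN-ACK" if p.ack is not None else "SYN"
    for flag, name in (("R", "RST"), ("F", "FIN"), ("P", "PSH")):
        if flag in p.flags:
            return name
    return "DATA" if p.length else "ACK"

def check_handshake(pkts):
    """Return the initiating host if packets 1-3 are SYN, mirrored SYN-ACK acking ISN+1, ACK acking server ISN+1."""
    if len(pkts) < 3 or [kind(p) for p in pkts[:3]] != ["SYN", "SYN-ACK", "ACK"]:
        return None
    syn, synack, ack = pkts[:3]
    mirrored = (synack.src, synack.sport, synack.dst, synack.dport) == (syn.dst, syn.dport, syn.src, syn.sport)
    if not mirrored or synack.ack != syn.seq + 1 or ack.ack != synack.seq + 1:
        return None
    return syn.src

# The seven capture lines from the example above, pasted verbatim.
SAMPLE = """1: 15:01:45.052762 1.1.1.1.12869 > 2.2.2.2.80: S 3624439037:3624439037(0) win 8192
2: 15:01:45.053403 2.2.2.2.80 > 1.1.1.1.12869: S 285283040:285283040(0) ack 3624439038 win 8192
3: 15:01:45.054501 1.1.1.1.12869 > 2.2.2.2.80: . ack 285283041 win 260
4: 15:01:45.054852 1.1.1.1.12869 > 2.2.2.2.80: P 3624439038:3624439328(290) ack 285283041 win 260
5: 15:01:45.244463 2.2.2.2.80 > 1.1.1.1.12869: . ack 3624439328 win 260
6: 15:01:46.344296 2.2.2.2.80 > 1.1.1.1.12869: . 285283041:285284301(1260) ack 3624439328 win 260
7: 15:01:46.344418 2.2.2.2.80 > 1.1.1.1.12869: . 285284301:285285561(1260) ack 3624439328 win 260"""
PACKETS = [parse_line(line) for line in SAMPLE.splitlines()]
```

check_handshake(PACKETS) returns "1.1.1.1", the host that sent the SYN, which matches the port-based reasoning in the walkthrough.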
Clearing/Removing Captures
“Clearing” the capture refers to getting rid of the data in the capture. To do this, issue the following command:
clear capture <Capture-Name>
“Removing” a capture means to delete its contents and the listener from the ASA. To do this, issue this command:
no capture <Capture-Name>
Once you are done, always make sure you remove the captures using the command above.
Defaults
These are the ASA system default values:
- The default type is raw-data.
- The default buffer size is 512 KB.
- The default Ethernet type is IP packets.
- The default packet-length is 1,518 bytes.