Pix & ASA Packet capturing via cli

Quite a useful feature on Cisco PIX and ASA firewalls is the ability to capture packets on the box itself and, if needed, pull the capture into Wireshark. The following config captures all traffic between the two hosts 1.1.1.137 and 10.25.0.143 on the outside interface of our firewall. The ACL has to list both directions, because the capture only keeps packets that match it. We will also set the buffer size (you might want to "show mem" beforehand and check you have enough spare, because the buffer comes out of the firewall's free memory). With circular-buffer the capture overwrites the oldest packets once the buffer fills instead of stopping, so a long-running capture only ever holds the most recent 1 MB or so of matching traffic.

m00nie-pix(config)#no access-list cap101
m00nie-pix(config)#access-list cap101 permit ip host 1.1.1.137 host 10.25.0.143
m00nie-pix(config)#access-list cap101 permit ip host 10.25.0.143 host 1.1.1.137
m00nie-pix(config)#^Z
m00nie-pix#capture capturing access-list cap101 interface outside buffer 1024000 packet-length 1541 circular-buffer

After this we can view the captured traffic with the following two commands. The second adds the detail keyword, which also shows the source and destination MAC addresses, the ethertype, the frame length, the TTL and the IP ID of each packet:

m00nie-pix# show capture capturing
3 packets captured
09:50:19.463965 1.1.1.137 > 10.25.0.143:  udp 50
09:50:20.963756 1.1.1.137 > 10.25.0.143:  udp 50
09:50:22.463797 1.1.1.137 > 10.25.0.143:  udp 50
3 packets shown
m00nie-pix# show capture capturing detail
6 packets captured
09:50:19.463965 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17574)
09:50:20.963756 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17583)
09:50:22.463797 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17620)
09:50:26.218296 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17744)
09:50:27.717721 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17795)
09:50:29.217746 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17804)
6 packets shown
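Once the capture is on screen it is often easier to post-process the CLI dump than to read it line by line. The following is an added Python example written for this post (not Cisco code and not part of the original post): it parses "show capture <name> detail" output in the format shown above into records, checks that the "N packets shown" footer agrees with the number of lines parsed (a truncated terminal paste is an easy way to lose packets without noticing), and summarises each source/destination pair with packet count, bytes on the wire and the gaps between packets, which makes a regular cadence like the 1.5 second UDP heartbeat above easy to spot. The sample text is copied from the output above; the handling of a ".port" suffix on TCP/UDP addresses and the protocol guess from the summary text are assumptions about output this post does not show.

```python
"""Parse `show capture <name> detail` output from a Cisco PIX/ASA into
records and summarise per-flow traffic.

Added example for this post; not Cisco code.  The regex follows the output
format shown in the post.  The optional `.port` suffix on addresses and the
protocol guess are assumptions about lines the post does not show.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the detail output from the post, with the typos fixed.
SAMPLE = """m00nie-pix# show capture capturing detail
6 packets captured
09:50:19.463965 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17574)
09:50:20.963756 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17583)
09:50:22.463797 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17620)
09:50:26.218296 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17744)
09:50:27.717721 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17795)
09:50:29.217746 00e0.f420.e005 000f.2471.0617 0x0800 92: 1.1.1.137 > 10.25.0.143:  udp 50 (ttl 128, id 17804)
6 packets shown
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# One packet line of the detail output.  Fields, left to right: timestamp,
# src MAC, dst MAC, ethertype, frame length, src[.port] > dst[.port]: summary
# (ttl N, id N).  The ".port" suffix is an assumption (tcpdump-style output).
LINE_RE = re.compile(rf"""
    ^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+
    (?P<src_mac>{MAC})\s+(?P<dst_mac>{MAC})\s+
    (?P<ethertype>0x[0-9a-fA-F]{{4}})\s+
    (?P<frame_len>\d+):\s+
    (?P<src>{IP})(?:\.(?P<sport>\d+))?\s+>\s+
    (?P<dst>{IP})(?:\.(?P<dport>\d+))?:\s+
    (?P<summary>.*?)\s*
    \(ttl\s+(?P<ttl>\d+),\s+id\s+(?P<ip_id>\d+)\)\s*$
""", re.VERBOSE)

FOOTER_RE = re.compile(r"^(\d+) packets (captured|shown)$")


def guess_proto(summary, sport):
    """Assumption: the summary names udp/icmp; TCP lines show flags and ports."""
    if summary.startswith("udp"):
        return "udp"
    if summary.startswith("icmp"):
        return "icmp"
    return "tcp" if sport is not None else "other"


def parse_show_capture_detail(text):
    """Return one dict per packet line; raise if the 'shown' footer disagrees."""
    packets, counts = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FOOTER_RE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt, blank lines, non-detail or unknown formats
        d = m.groupdict()
        packets.append({
            "time": datetime.strptime(d["ts"], "%H:%M:%S.%f"),
            "src_mac": d["src_mac"], "dst_mac": d["dst_mac"],
            "ethertype": d["ethertype"], "frame_len": int(d["frame_len"]),
            "src": d["src"], "sport": d["sport"],
            "dst": d["dst"], "dport": d["dport"],
            "proto": guess_proto(d["summary"], d["sport"]),
            "summary": d["summary"],
            "ttl": int(d["ttl"]), "ip_id": int(d["ip_id"]),
        })
    if "shown" in counts and counts["shown"] != len(packets):
        raise ValueError(f"footer says {counts['shown']} packets shown, "
                         f"but {len(packets)} lines parsed (truncated paste?)")
    return packets


def flow_summary(packets):
    """Group by (src, dst, proto): count, bytes on the wire, TTLs and timing."""
    flows = defaultdict(lambda: {"packets": 0, "frame_bytes": 0,
                                 "ttls": set(), "times": []})
    for p in packets:
        f = flows[(p["src"], p["dst"], p["proto"])]
        f["packets"] += 1
        f["frame_bytes"] += p["frame_len"]
        f["ttls"].add(p["ttl"])
        f["times"].append(p["time"])
    out = {}
    for key, f in flows.items():
        times = sorted(f["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[key] = {
            "packets": f["packets"],
            "frame_bytes": f["frame_bytes"],
            "ttls": sorted(f["ttls"]),
            "duration_s": (times[-1] - times[0]).total_seconds(),
            "min_gap_s": round(min(gaps), 3) if gaps else None,
            "max_gap_s": round(max(gaps), 3) if gaps else None,
        }
    return out


if __name__ == "__main__":
    for flow, stats in flow_summary(parse_show_capture_detail(SAMPLE)).items():
        print(flow, stats)
```

Paste the whole terminal session into a file and feed it to parse_show_capture_detail; the prompt line and the "captured" footer are ignored, so the copy need not be trimmed. A single TTL per flow and a near-constant gap, as in the sample, is what a fixed-interval client looks like; a flow with several TTLs for the same source address usually means more than one host behind that IP.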

If the capture is quite large or messy you can also grab it as a pcap file over HTTPS from the firewall and open it in Wireshark. Point your browser at https://<firewall IP>/admin/capture/<capture name>/pcap, save the file and open it with Wireshark. This needs the firewall's HTTP server enabled and your client allowed in (the same "http server enable" and "http <host> <mask> <interface>" lines ASDM uses). If you would rather not go through a browser, "copy /pcap capture:<capture name> tftp://<server>/<file>" pushes the same pcap to a TFTP server. Bear in mind that the capture buffer holds full packet contents, so anyone with management access to the firewall can read whatever you captured.

If at any time you need to clear the buffer (but keep the capture running!) use the "clear capture (capturename)" command. If you want to clear the buffer and stop the capture use the "no capture (capturename)" command. A capture keeps using memory and keeps collecting anything that matches its ACL until you remove it, so "no capture" it when you are finished rather than leaving it running. ASDM also has a fairly decent guided tool for packet capture, found under Wizards > Packet Capture Wizard.

m00nie :)