Back to Home

Capture packets on a Cisco ASA

There are many situations where you need to be able to capture traffic at ANY point in the network. Whether it testing from the client side, server side, or any transit component, such as your ASA. Since the traditional tools such as tcpdump or Wireshark aren’t available, you will have to use the proprietary tools on the ASA itself.

You will start off by creating an ACL to match the traffic you are wanting to capture. This should be a strict, such as a source and dest that are experiencing the issues you are troubleshooting:

access-list test.capacl extended permit ip host 192.168.0.10 host 10.5.5.1 
access-list test.capacl extended permit ip host 10.5.5.1  host 192.168.0.10

Now that you have configured the access list to match your traffic, you can start the capture. I am capturing traffic before and after it goes over the VPN, so I will monitor the interface closest to the source, which is the ‘inside’ interface. There aren’t any “required” options besides the name but if you don’t specify an ACL and interface, you won’t match any traffic. There are a few options you may want to use other than those two:

  • type (default is raw-data but there are other options such as ISAKMP)
  • headers-only (no data, just headers; similar to tcpdump -q)
  • buffer (default is 512KB. Increase with caution, you don’t want to use up all your memory)
  • real-time (have output display in your terminal)
  • *more* — use ‘capture ?’ to see all options

We will go with the basics; access-list and interface:

fw01# capture test-cap access-list test.capacl interface inside

After this, you can check your console to see if the traffic is matching your ACL and being captured with ‘show capture’; if the bytes are a non-zero value and increasing, it’s working!

fw01# show capture 
capture test-cap type raw-data access-list test.capacl interface inside [Capturing - 1560 bytes]

If you want to see the content, you have to specify the capture name:

fw01# show capture test-cap

12 packets captured

   1: 01:47:27.675914       802.1Q vlan#100 P0 192.168.0.10 > 10.5.5.1: icmp: echo request 
   2: 01:47:27.761236       802.1Q vlan#100 P0 10.5.5.1 > 192.168.0.10: icmp: echo reply 
   3: 01:47:28.678431       802.1Q vlan#100 P0 192.168.0.10 > 10.5.5.1: icmp: echo request 
   4: 01:47:28.763708       802.1Q vlan#100 P0 10.5.5.1 > 192.168.0.10: icmp: echo reply 
   5: 01:47:29.688425       802.1Q vlan#100 P0 192.168.0.10 > 10.5.5.1: icmp: echo request 
   6: 01:47:29.773687       802.1Q vlan#100 P0 10.5.5.1 > 192.168.0.10: icmp: echo reply 
   7: 01:47:30.693262       802.1Q vlan#100 P0 192.168.0.10 > 10.5.5.1: icmp: echo request 
   8: 01:47:30.778493       802.1Q vlan#100 P0 10.5.5.1 > 192.168.0.10: icmp: echo reply 
   9: 01:47:31.695703       802.1Q vlan#100 P0 192.168.0.10 > 10.5.5.1: icmp: echo request 
  10: 01:47:31.781011       802.1Q vlan#100 P0 10.5.5.1 > 192.168.0.10: icmp: echo reply 
  11: 01:47:32.698999       802.1Q vlan#100 P0 192.168.0.10 > 10.5.5.1: icmp: echo request 
  12: 01:47:32.784184       802.1Q vlan#100 P0 10.5.5.1 > 192.168.0.10: icmp: echo reply 
12 packets shown

So if you were troubleshooting connectivity and you see this successful ICMP traffic, the loss you are experiencing must be somewhere else. Now you can assure that packets are hitting the firewall and this should help you verify your high level packet flow, to hopefully pinpoint where the issue is. If you want to see more information, there are a few more useful options when displaying the capture:

  • access-list (yes, you can use an additional access-list to filter the output of ‘show capture’)
  • count (# of packets to display)
  • detail (display more information such as TTL, DF bit, etc)
  • dump (display the hex dump for each packet)
  • *more* — use ‘show capture ?’ to view all options

So if you would like to view the hex dump of 1 packet, you can with:

fw01# show capture cap-test count 1 dump

60 packets captured

   1: 01:47:27.675914       802.1Q vlan#100 P0 192.168.0.10 > 10.5.5.1: icmp: echo request
0x0000	 c08c 608c 2990 0050 569c 4211 8100 000a	..`.)..PV.B.....

0x0010	 0800 4500 0060 0000 4000 4001 a9a6 c0a8	..E..`[email protected]@.....

0x0020	 0a87 c0a8 051f 0800 74cd 5122 0000 0000	........t.Q"....

0x0030	 0000 0000 0000 af71 2c55 0000 0000 4c49	.......q,U....LI

0x0040	 0a00 0000 0000 0000 0000 0000 0000 0000	................

0x0050	 0000 0000 0000 0000 0000 0000 0000 0000	................

0x0060	 0000 0000 0000 0000 0000 0000 0000 0000	................

0x0070	 0000                                   	.. 
1 packet shown

Often, you may have a large capture and you don’t want to sift through it on the ASA. You might want to look at the capture file in wireshark or tcpdump. You can do so by copying the file via tftp to a workstation or server. But how will the output be formatted… with just headers, hex dumps or .. ? Well, when you transfer it via copy, you specify to use pcap format, which you will be able to read in just about any packet analysis program as it is the most commonly used. You can do this via:

fw01# copy /pcap capture:cap-test tftp:TFTP-SERVER-IP

Awesome! So although the ASA capture utility isn’t as versatile as tcpdump or wireshark for example, it is still great to start with and verify packet flow, etc. And if you want to save a larger capture for future analysis, it can be copied and opened with another packet analysis tool. From there you can use your advanced filters, etc.

I hope you enjoyed the basic tutorial on how to use the ASA capture utility… perhaps soon I will write one up on how to effectively use packet-tracer, which is yet another useful ASA command line tool for verifying packet flow and it will also give you a better understanding of how the ASA processes packets. (order of NAT/ACL processing, route lookup, etc.)

Cheers!

Configure HAProxy to remove host on Nagios scheduled downtime

Decrypt F5 SSL traffic for troubleshooting