Thursday, May 24, 2012

ASA CLI Packet Capture

1. Define interesting traffic


ASA(config)# access-list cap-list permit tcp host 10.0.0.1 host 192.168.0.1 eq 80
ASA(config)# access-list cap-list permit tcp host 192.168.0.1 eq 80 host 10.0.0.1

2. Start the captures


ASA# capture in-cap interface inside access-list cap-list buffer 1000000 packet 1522 
ASA# capture out-cap interface outside access-list cap-list buffer 1000000 packet 1522

Please note that if NAT/PAT is taking place, you might need to create two different access lists with different IP addresses and/or ports to capture the translated traffic.

In ASA 8.0 and later you can do the above capture using the match option, which captures bidirectionally.

ASA# capture in-cap interface inside match tcp host 10.0.0.1 host 192.168.0.1 eq 80

3. View captures

ASA# show capture in-cap

or

ASA# show capture in-cap dump

or

ASA# show capture in-cap trace packet-number 3

4. Remove captures


Use the commands

ASA# no capture in-cap
ASA# no capture out-cap

to remove the captures.
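
The NAT/PAT case noted in step 2, carried through all four steps, as an added example that is not from the original post. It assumes 10.0.0.1 is translated to 203.0.113.10 on the outside interface (a constructed address); the access-list names cap-in and cap-out are also hypothetical.

```text
! Assumption (constructed): 10.0.0.1 is translated to 203.0.113.10 on the outside interface.

! 1. Inside interface sees the real source address.
ASA(config)# access-list cap-in permit tcp host 10.0.0.1 host 192.168.0.1 eq 80
ASA(config)# access-list cap-in permit tcp host 192.168.0.1 eq 80 host 10.0.0.1

!    Outside interface sees the translated source address.
ASA(config)# access-list cap-out permit tcp host 203.0.113.10 host 192.168.0.1 eq 80
ASA(config)# access-list cap-out permit tcp host 192.168.0.1 eq 80 host 203.0.113.10

! 2. One capture per interface, each bound to the access list that matches
!    the addresses seen on that side of the translation.
ASA# capture in-cap interface inside access-list cap-in buffer 1000000 packet 1522
ASA# capture out-cap interface outside access-list cap-out buffer 1000000 packet 1522

! 3. Compare the two sides of the same flow.
ASA# show capture in-cap
ASA# show capture out-cap

! 4. Remove the captures, then the access lists that were created only for them.
ASA# no capture in-cap
ASA# no capture out-cap
ASA(config)# clear configure access-list cap-in
ASA(config)# clear configure access-list cap-out
```

A packet that appears in in-cap but has no counterpart in out-cap did not leave the outside interface with the expected translated address, which narrows the problem to the ASA itself.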
