Begin by defining an access list that will be used to identify the traffic to be captured. You can set up a capture session that doesn't use an access list at all, but it will capture all traffic passing through. The access list is used to flag packets for capature and not to permit or deny them from passing through the interface. Therefore, only the permit keyword is useful here. An implicit deny statement is at the end of the access list, which causes all other traffic to pass without being captured.
ciscoasa(config)# access-list CAPTURE1 permit tcp any any eq https
ciscoasa(config)# exit
ciscoasa# capture SAMPLE access-list ?
WORD Access-list name
ciscoasa# capture SAMPLE access-list CAPTURE1 ?
buffer Configure size of capture buffer, default is 512 KB
circular-buffer Overwrite buffer from beginning when full, default is
non-circular
ethernet-type Capture Ethernet packets of a particular type, default is IP
headers-only Capture only L2, L3 and L4 headers of packet without data in
them
interface Capture packets on a specific interface
packet-length Configure maximum length to save from each packet, default
is 1518 bytes
real-time Display captured packets in real-time. Warning: using this
option with a slow console connection may result in an
excessive amount of non-displayed packets due to performance
limitations.
trace Trace the captured packets
<cr>
ciscoasa# capture SAMPLE access-list CAPTURE1 interface ?
asa_dataplane Capture packets on dataplane interface
cplane Capture packets on controlplane interface
Available interfaces to listen:
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet1
ciscoasa# capture SAMPLE access-list CAPTURE1 interface outside
ciscoasa# show capture
capture SAMPLE type raw-data interface outside [Capturing - 732 bytes]
ciscoasa# show capture SAMPLE
5 packets captured
1: 09:52:20.111612 802.3 encap packet
2: 09:53:18.806659 802.3 encap packet
3: 09:54:18.421044 802.3 encap packet
4: 09:54:32.083613 c200.1bb8.0000 ab00.0002.0000 0x6002 77:
3d00 0700 0000 0100 0303 0000 0200 0221
0003 0006 0000 0000 0000 0400 023c 0005
0002 d805 0600 0200 0107 0006 c200 1bb8
0000 6400 0179 9001 0101 9101 02ee 05
5: 09:55:19.448035 802.3 encap packet
5 packets shown
The Packet Capture Wizard sets up two separate capture sessions: one on an ingress interface and one on an egress interface. Each session captures traffic in both directions, collecting packets as they enter and exit the ASA.
To use the ASDM Packet Capture Wizard, choose Wizard > Packet Capture Wizard. A window describing the five steps of the wizard will appear. Click the Next button.
Sometimes you might find that viewing the contents of a capature buffer from a command line interface becomes too cumbersome or confusing. This can happen when the capture buffer becomes very large to navigate with CLI commands or display filters.
At other times, the capture buffer might contain useful information that deserves further review. For example, you might have a PC-based tool that can import captured data for viewing and analysis. You also might want to archive the capture buffer for future use.
ciscoasa# copy capture:SAMPLE flash:sample
Source capture name [SAMPLE]?
Destination filename [sample]?
!
12 packets copied in 0.10 secs
You can also use a web browser to display a capture buffer as if you had used the show capture command. You also can download the capture buffer in PCAP format and save it as a file - all without leaving your web browser and without needing a TFTP server running on your PC.
