Saturday, January 11, 2014

Using Packet Capture on an ASA

You can use the packet capture feature to collect a copy of packets as they enter and exit ASA interfaces. You can define one or more capture sessions on an ASA, each operating independently. Captured packets are stored in a memory buffer and can be viewed much like a protocol analyzer or sniffer trace. You can also copy the buffer contents onto an external device for viewing and analysis.

Begin by defining an access list that will be used to identify the traffic to be captured. You can set up a capture session that doesn't use an access list at all, but it will capture all traffic passing through. The access list is used to flag packets for capature and not to permit or deny them from passing through the interface. Therefore, only the permit keyword is useful here. An implicit deny statement is at the end of the access list, which causes all other traffic to pass without being captured.

ciscoasa(config)# access-list CAPTURE1 permit tcp any any eq https
ciscoasa(config)# exit
ciscoasa# capture SAMPLE access-list ?

  WORD  Access-list name
ciscoasa# capture SAMPLE access-list CAPTURE1 ?

  buffer           Configure size of capture buffer, default is 512 KB
  circular-buffer  Overwrite buffer from beginning when full, default is
                   non-circular
  ethernet-type    Capture Ethernet packets of a particular type, default is IP
  headers-only     Capture only L2, L3 and L4 headers of packet without data in
                   them
  interface        Capture packets on a specific interface
  packet-length    Configure maximum length to save from each packet, default
                   is 1518 bytes
  real-time        Display captured packets in real-time. Warning: using this
                   option with a slow console connection may result in an
                   excessive amount of non-displayed packets due to performance
                   limitations.
  trace            Trace the captured packets
  <cr>
ciscoasa# capture SAMPLE access-list CAPTURE1 interface ?

  asa_dataplane  Capture packets on dataplane interface
  cplane         Capture packets on controlplane interface
Available interfaces to listen:
  inside         Name of interface GigabitEthernet0
  outside        Name of interface GigabitEthernet1
ciscoasa# capture SAMPLE access-list CAPTURE1 interface outside

ciscoasa# show capture
capture SAMPLE type raw-data interface outside [Capturing - 732 bytes]

ciscoasa# show capture SAMPLE

5 packets captured

   1: 09:52:20.111612 802.3 encap packet
   2: 09:53:18.806659 802.3 encap packet
   3: 09:54:18.421044 802.3 encap packet
   4: 09:54:32.083613 c200.1bb8.0000 ab00.0002.0000 0x6002 77:
                         3d00 0700 0000 0100 0303 0000 0200 0221
                         0003 0006 0000 0000 0000 0400 023c 0005
                         0002 d805 0600 0200 0107 0006 c200 1bb8
                         0000 6400 0179 9001 0101 9101 02ee 05
   5: 09:55:19.448035 802.3 encap packet
5 packets shown


The Packet Capture Wizard sets up two separate capture sessions: one on an ingress interface and one on an egress interface. Each session captures traffic in both directions, collecting packets as they enter and exit the ASA.

To use the ASDM Packet Capture Wizard, choose Wizard > Packet Capture Wizard. A window describing the five steps of the wizard will appear. Click the Next button.








Sometimes you might find that viewing the contents of a capature buffer from a command line interface becomes too cumbersome or confusing. This can happen when the capture buffer becomes very large to navigate with CLI commands or display filters.

At other times, the capture buffer might contain useful information that deserves further review. For example, you might have a PC-based tool that can import captured data for viewing and analysis. You also might want to archive the capture buffer for future use.

ciscoasa# copy capture:SAMPLE flash:sample

Source capture name [SAMPLE]?

Destination filename [sample]?
!
12 packets copied in 0.10 secs


You can also use a web browser to display a capture buffer as if you had used the show capture command. You also can download the capture buffer in PCAP format and save it as a file - all without leaving your web browser and without needing a TFTP server running on your PC.


No comments:

Post a Comment