Cisco ASA: Packet Capture

Packet capture with access list
You can use an access-list to select the interesting traffic, then reference it in the capture command.

access-list pcap1 extended permit ip host 172.16.0.12 any4
capture capin type raw-data access-list pcap1 interface inside

If you use ASA version 9, remember not to use the keyword any when creating the access-list. That keyword matches both IPv4 and IPv6, and you will receive this error when you try to use the capture command:
ERROR: Capture doesn't support access-list containing mixed policies

You can view the captured packets with show capture capin

cyruslab-asa(config)# sh capture capin

3422 packets captured

   1: 22:17:51.486287       802.1Q vlan#999 P0 172.16.0.12.61742 > 58.152.203.25.14871:  udp 103
   2: 22:17:51.711923       802.1Q vlan#999 P0 172.16.0.12.61742 > 46.160.63.76.49001:  udp 103
   3: 22:17:51.712228       802.1Q vlan#999 P0 172.16.0.12.61742 > 37.146.167.216.49653:  udp 103
   4: 22:17:51.712273       802.1Q vlan#999 P0 172.16.0.12.61742 > 110.253.59.106.27776:  udp 103
   5: 22:17:51.712304       802.1Q vlan#999 P0 172.16.0.12.61742 > 125.60.156.192.7826:  udp 103
   6: 22:17:51.837786       802.1Q vlan#999 P0 172.16.0.12.61742 > 85.151.68.50.24309:  udp 103
   7: 22:17:51.975123       802.1Q vlan#999 P0 172.16.0.12.61742 > 87.236.21.42.49793:  udp 103
   8: 22:17:51.975977       802.1Q vlan#999 P0 172.16.0.12.61742 > 83.149.46.194.19046:  udp 103
   9: 22:17:52.533541       802.1Q vlan#999 P0 172.16.0.12.61742 > 89.69.238.66.54312:  udp 103
  10: 22:17:52.709619       802.1Q vlan#999 P0 172.16.0.12.61742 > 111.37.5.250.12991:  udp 103
  11: 22:17:52.710504       802.1Q vlan#999 P0 172.16.0.12.61742 > 84.110.4.27.16108:  udp 103
  12: 22:17:53.391733       802.1Q vlan#999 P0 172.16.0.12.61918 > 74.125.198.113.80: . 1204702756:1204704136(1380) ack 1182879063 win 16449
  13: 22:17:53.391810       802.1Q vlan#999 P0 172.16.0.12.61918 > 74.125.198.113.80: P 1204704136:1204704515(379) ack 1182879063 win 16449
  14: 22:17:53.711709       802.1Q vlan#999 P0 172.16.0.12.61742 > 175.142.45.156.11798:  udp 103
  15: 22:17:53.712609       802.1Q vlan#999 P0 172.16.0.12.61742 > 188.124.91.12.55010:  udp 103
  16: 22:17:53.799183       802.1Q vlan#999 P0 172.16.0.12.61918 > 74.125.198.113.80: . ack 1182879438 win 16356
  17: 22:17:54.713433       802.1Q vlan#999 P0 172.16.0.12.61742 > 187.79.66.247.62638:  udp 103
  18: 22:17:54.714333       802.1Q vlan#999 P0 172.16.0.12.61742 > 94.28.146.123.6881:  udp 103
  19: 22:17:54.714577       802.1Q vlan#999 P0 172.16.0.12.61742 > 95.159.147.252.29297:  udp 103
  20: 22:17:54.715264       802.1Q vlan#999 P0 172.16.0.12.61742 > 87.156.54.100.48133:  udp 103
  21: 22:17:54.716118       802.1Q vlan#999 P0 172.16.0.12.61742 > 14.43.138.87.56122:  udp 103
  22: 22:17:54.717034       802.1Q vlan#999 P0 172.16.0.12.61742 > 62.210.132.20.49290:  udp 103
  23: 22:17:54.717949       802.1Q vlan#999 P0 172.16.0.12.61742 > 125.236.220.206.61739:  udp 103
  24: 22:17:54.718834       802.1Q vlan#999 P0 172.16.0.12.61742 > 119.240.30.222.14376:  udp 103
  25: 22:17:54.810489       802.1Q vlan#999 P0 172.16.0.12.61742 > 210.195.109.193.28757:  udp 103
  26: 22:17:54.830386       802.1Q vlan#999 P0 172.16.0.12.61742 > 61.223.12.133.6881:  udp 103
  27: 22:17:55.049771       802.1Q vlan#999 P0 172.16.0.12.61742 > 93.125.91.92.38717:  udp 103
  28: 22:17:55.050732       802.1Q vlan#999 P0 172.16.0.12.61742 > 201.8.2.52.31698:  udp 103

Save the pcap file

cyruslab-asa(config)# copy /pcap capture:capin flash:/capin.pcap

Source capture name [capin]?

Destination filename [capin.pcap]?
!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1240 packets copied in 0.80 secs

Or you can transfer it to a file server (TFTP in this example).

cyruslab-asa(config)# copy /pcap capture:capin tftp://10.0.0.5

Source capture name [capin]?

Address or name of remote host [10.0.0.5]?

Destination filename [capin]? capin.pcap
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2624 packets copied in 0.300 secs

If the pcap file is in flash, you can also use secure copy (SCP) to retrieve it.

Step 1: Turn on secure copy

conf t
ssh scopy enable

Step 2: Download PuTTY's pscp, and run this command from your computer's command prompt.

D:\pscp>pscp admin@10.0.0.1:capin.pcap d:\temp
admin@10.0.0.1's password:
capin.pcap                | 111 kB |  56.0 kB/s | ETA: 00:00:00 | 100%
Fatal: Received unexpected end-of-file from server

Capture without access-list
An access-list is not necessary for packet capture; the capture command can match the traffic directly.

cyruslab-asa(config)# capture capin match ip 172.16.0.12 255.255.255.255 any