Skip to main content

Cisco ASA Packet Capturing


Cisco ASA firewall has a very useful traffic capturing feature. Captured traffic that goes through firewall can be saved in pcap files that later can be downloaded, viewed and analysed in most of live capturing programs liketcpdump or wireshark


To capture network packets on ASA, first define an access-list that marks intresting traffic. In this example we'll define acl that will capture all icmp traffic designated to internal host 192.168.1.1: 


ASA1(config)#access-list inside_test permit icmp any host 192.168.1.1


Next, we use capture command after which folows name of capture and access-list with interesting traffic, following the name of an interface on which we "sniff" , which captures traffic: 

ASA1(config)#capture inside_interface access-list inside_test interface inside


To see captured traffic hit the show capture command with the name of capture

ASA1#show capture inside_interface 10 packets captured 1: 01:49:24.087474 10.20.10.2 > 192.168.1.1: icmp: echo request 2: 01:49:24.087474 192.168.1.1 > 10.20.10.2: icmp: echo reply 3: 01:49:24.087474 10.20.10.2 > 192.168.1.1: icmp: echo request 4: 01:49:24.087474 192.168.1.1 > 10.20.10.2: icmp: echo reply 5: 01:49:24.087474 10.20.10.2 > 192.168.1.1: icmp: echo request 6: 01:49:24.087474 192.168.1.1 > 10.20.10.2: icmp: echo reply 7: 01:49:24.087474 10.20.10.2 > 192.168.1.1: icmp: echo request 8: 01:49:24.087474 192.168.1.1 > 10.20.10.2: icmp: echo reply 9: 01:49:24.087474 10.20.10.2 > 192.168.1.1: icmp: echo request 10: 01:49:24.087474 192.168.1.1 > 10.20.10.2: icmp: echo reply 10 packets shown
(Captured file can also be viewed directly on ASA via http link http://ip_of_firewall/capture/inside_interface/pcap.) 

Deleting captured files: 

ASA1# no capture inside_interface

Labels:

Comments

Post a Comment

Popular posts from this blog

Cisco three-layer hierarchical model

Because networks can be extremely complicated, with multiple protocols and diverse technologies, Cisco has developed a layered hierarchical model for designing a reliable network infrastructure. This three-layer model helps you design, implement, and maintain a scalable
Post a Comment
Read more

Access Control Lists (extended)

Access Control List  or  ACL  is a technic of controling network traffic. It is a list of rules with which traffic flow can be manipulated - permitted or denied. By default, traffic flow from the interface with the higher security level (for example "inside" interface) to interface with the lower security level (example "outside" interface) is allowed by default, but the flow of traffic from "outside" to the "inside" interface must be explicitly permited. 
Post a Comment
Read more

Classes of IP addresses

TCP/IP defines five classes of IP addresses: class A, B, C, D, and E. Each class has a range of valid IP addresses. The value of the first octet determines the class. IP addresses
Post a Comment
Read more