https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4261822#M1076811 <P>Dear all</P><P>&nbsp;</P><P>I have a short question to you guys, when I run a capture on the outside (Internet) interface of an ASA-5545 (the ASA has the SFR module installed and acts as a NGFW) with the following command:</P><PRE>capture capin interface outside match ip host 100.100.100.100 any</PRE><P>&nbsp;</P><P>And then checking this capture with the command:</P><PRE>show capture capin dump</PRE><P>&nbsp;</P><P>Are the details I see now how this data really enters the interface? Without any applied Service Policy Rules, without any applied ACLs and before the Firepower module would take any actions? Means when I see a certain flag in the dump within the protocol, I can assume this flag has been sent by the source IP address and has not been changed by my ASA firewall within a policy?</P><P>&nbsp;</P><P>Of course you have a good article which describes this behavior, where the capture applies to?</P><P>&nbsp;</P><P>Thank you</P><P>Markus</P> Mon, 21 Dec 2020 13:27:44 GMT markus.albisser1 2020-12-21T13:27:44Z https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4261822#M1076811 <P>Dear all</P><P>&nbsp;</P><P>I have a short question to you guys, when I run a capture on the outside (Internet) interface of an ASA-5545 (the ASA has the SFR module installed and acts as a NGFW) with the following command:</P><PRE>capture capin interface outside match ip host 100.100.100.100 any</PRE><P>&nbsp;</P><P>And then checking this capture with the command:</P><PRE>show capture capin dump</PRE><P>&nbsp;</P><P>Are the details I see now how this data really enters the interface? Without any applied Service Policy Rules, without any applied ACLs and before the Firepower module would take any actions? Means when I see a certain flag in the dump within the protocol, I can assume this flag has been sent by the source IP address and has not been changed by my ASA firewall within a policy?</P><P>&nbsp;</P><P>Of course you have a good article which describes this behavior, where the capture applies to?</P><P>&nbsp;</P><P>Thank you</P><P>Markus</P> Mon, 21 Dec 2020 13:27:44 GMT https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4261822#M1076811 markus.albisser1 2020-12-21T13:27:44Z https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4261865#M1076813 <P>check below blog will give you some idea what interface using to capture :</P> <P>&nbsp;</P> <P><A href="https://popravak.wordpress.com/2017/03/17/packet-capture-with-sourcefire-cli/" target="_blank">https://popravak.wordpress.com/2017/03/17/packet-capture-with-sourcefire-cli/</A></P> Mon, 21 Dec 2020 15:00:16 GMT https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4261865#M1076813 balaji.bandi 2020-12-21T15:00:16Z https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4261896#M1076814 <P>Hi Balaji</P><P>&nbsp;</P><P>Thank you for this link. Helpful troubleshooting steps when logging on the SFR module! This is what I can do, check the logging there and compare it with the capture from the ASA.&nbsp;</P><P>Nevermind, do you know if the ASA capture is really on the ingress of the interface, therefore before the SFR module comes in charge? That the ASA capture gets the raw-data before anything within the ASA has been handled?</P><P>&nbsp;</P><P>Thanks</P><P>Markus</P> Mon, 21 Dec 2020 15:40:56 GMT https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4261896#M1076814 markus.albisser1 2020-12-21T15:40:56Z https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4261907#M1076815 <P>you need to understand the traffic flow how this process works, and where you capturing.</P> <P><A href="https://www.ciscopress.com/articles/article.asp?p=2730336&amp;seqNum=7" target="_blank">https://www.ciscopress.com/articles/article.asp?p=2730336&amp;seqNum=7</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 901px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/100060i3195CF9F6FAA329B/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Mon, 21 Dec 2020 16:13:56 GMT https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4261907#M1076815 balaji.bandi 2020-12-21T16:13:56Z https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4262184#M1076835 <P>An ASA capture on an interfaces does indeed show you the raw traffic entering the interface, prior to any action potentially taken by the ASA to evaluate the flow or disposition of the packet(s).</P> Tue, 22 Dec 2020 03:52:55 GMT https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4262184#M1076835 Marvin Rhoads 2020-12-22T03:52:55Z https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4262198#M1076837 <P>Great diagram, thanks Balaji for this post. This is what I looked for. Together with Marvin's answer below, this answers my question.</P><P>&nbsp;</P><P>Thank you</P><P>Markus</P> Tue, 22 Dec 2020 05:11:19 GMT https://community.cisco.com/t5/network-security/asa-capture-with-sfr/m-p/4262198#M1076837 markus.albisser1 2020-12-22T05:11:19Z