https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5119363#M1113081 <P>that how TCP handshake look like&nbsp;<BR />first you see "S" meaning this packet is SYN&nbsp;<BR />then you see "S" and also "ACK" this meaning SYN+ACK<BR />lastly you see only "ACK" which is end of TCP handshake&nbsp;</P> <P>after that any capture with "P" is meaning PACKET and not relate to TCP handshake&nbsp;</P> <P>MHM</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (502).png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/219503i58A502B7E8570FFD/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot (502).png" alt="Screenshot (502).png" /></span></P> Wed, 29 May 2024 11:26:06 GMT MHM Cisco World 2024-05-29T11:26:06Z https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5117789#M1113035 <P>Hi team,</P><P>I have captured some TCP traffic in Cisco ASA. But from that capture, I'm unable to examine the TCP handshake flow.</P><OL><LI>Looks like, TCP flags are placed in random order.&nbsp; Is ASA capturing the traffic in sequence order?</LI><LI>What is the flag for SYNC ACK in ASA? I'm unable to fix SYNC ACK in capture.</LI><LI>Also, what is P ACK? It's used to Push data? or Just ACK for data received?</LI></OL><P>Logs:-</P><P>35: 06:20:52.259340 802.1Q vlan#AAA P0 X.X.X.X.35908 &gt; Y.Y.Y.Y.9443: S 3384631045:3384631045(0) win 29200 &lt;mss 1460,nop,nop,sackOK,nop,wscale 7&gt;<BR />38: 06:20:52.289108 802.1Q vlan#AAA P0 X.X.X.X.35908 &gt; Y.Y.Y.Y.9443: . ack 1259971722 win 229<BR />39: 06:20:52.299834 802.1Q vlan#AAA P0 X.X.X.X.35908 &gt; Y.Y.Y.Y.9443: P 3384631046:3384631563(517) ack 1259971722 win 229</P><P>44: 06:20:52.329343 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 &gt; X.X.X.X.35908: . ack 3384631563 win 237<BR />46: 06:20:52.344220 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 &gt; X.X.X.X.35908: . 1259971722:1259973094(1372) ack 3384631563 win 237<BR />47: 06:20:52.344250 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 &gt; X.X.X.X.35908: P 1259973094:1259973157(63) ack 3384631563 win 237<BR />48: 06:20:52.344449 802.1Q vlan#AAA P0 X.X.X.X.35908 &gt; Y.Y.Y.Y.9443: . ack 1259973157 win 251<BR />50: 06:20:52.346112 802.1Q vlan#AAA P0 X.X.X.X.35908 &gt; Y.Y.Y.Y.9443: P 3384631563:3384631729(166) ack 1259973157 win 251</P><P>58: 06:20:52.380031 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 &gt; X.X.X.X.35908: P 1259973157:1259973163(6) ack 3384631729 win 245<BR />59: 06:20:52.380031 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 &gt; X.X.X.X.35908: P 1259973163:1259973248(85) ack 3384631729 win 245<BR />60: 06:20:52.380229 802.1Q vlan#AAA P0 X.X.X.X.35910 &gt; Y.Y.Y.Y.9443: . ack 652854020 win 229<BR />61: 06:20:52.380580 802.1Q vlan#AAA P0 X.X.X.X.35908 &gt; Y.Y.Y.Y.9443: . ack 1259973248 win 251<BR />62: 06:20:52.381251 802.1Q vlan#AAA P0 X.X.X.X.35908 &gt; Y.Y.Y.Y.9443: P 3384631729:3384632070(341) ack 1259973248 win 251<BR />64: 06:20:52.408090 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 &gt; X.X.X.X.35908: P 1259973248:1259973397(149) ack 3384632070 win 254<BR />65: 06:20:52.408807 802.1Q vlan#AAA P0 X.X.X.X.35908 &gt; Y.Y.Y.Y.9443: P 3384632070:3384632139(69) ack 1259973397 win 272<BR />66: 06:20:52.410531 802.1Q vlan#AAA P0 X.X.X.X.35908 &gt; Y.Y.Y.Y.9443: F 3384632139:3384632139(0) ack 1259973397 win 272<BR />68: 06:20:52.441215 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 &gt; X.X.X.X.35908: P 1259973397:1259973466(69) ack 3384632140 win 254<BR />69: 06:20:52.441261 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 &gt; X.X.X.X.35908: F 1259973466:1259973466(0) ack 3384632140 win 254<BR />70: 06:20:52.441505 802.1Q vlan#AAA P0 X.X.X.X.35908 &gt; Y.Y.Y.Y.9443: R 3384632140:3384632140(0) win 0<BR />71: 06:20:52.441551 802.1Q vlan#AAA P0 X.X.X.X.35908 &gt; Y.Y.Y.Y.9443: R 3384632140:3384632140(0) win 0</P> Mon, 27 May 2024 16:03:41 GMT https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5117789#M1113035 Magesh Kumar 2024-05-27T16:03:41Z https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5117793#M1113036 <P>I would suggest understand the ASA Flags :</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-ptn-113602.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-ptn-113602.html</A></P> <P>better you can export PCAP to Wireshark you get better view (if you are not familiar with cli)</P> <P>&nbsp;</P> Mon, 27 May 2024 16:22:03 GMT https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5117793#M1113036 balaji.bandi 2024-05-27T16:22:03Z https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5117801#M1113037 <P>did you use any match in your capture to filter the src/dest IP and scr/dest l4 port ?</P> <P>MHM</P> Mon, 27 May 2024 16:51:11 GMT https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5117801#M1113037 MHM Cisco World 2024-05-27T16:51:11Z https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5117808#M1113038 <P>Yes. I've created capture with source and destination IP's.</P><P>Thanks,</P><P>Magesh Kumar G</P> Mon, 27 May 2024 17:06:40 GMT https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5117808#M1113038 Magesh Kumar 2024-05-27T17:06:40Z https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5119363#M1113081 <P>that how TCP handshake look like&nbsp;<BR />first you see "S" meaning this packet is SYN&nbsp;<BR />then you see "S" and also "ACK" this meaning SYN+ACK<BR />lastly you see only "ACK" which is end of TCP handshake&nbsp;</P> <P>after that any capture with "P" is meaning PACKET and not relate to TCP handshake&nbsp;</P> <P>MHM</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (502).png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/219503i58A502B7E8570FFD/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot (502).png" alt="Screenshot (502).png" /></span></P> Wed, 29 May 2024 11:26:06 GMT https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5119363#M1113081 MHM Cisco World 2024-05-29T11:26:06Z https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5122420#M1113213 <P>Looks like problem with Destination server. After restarted the services in destination server, ASA capture showing TCP handshake sequentially.</P><P>Thanks all.</P> Sat, 01 Jun 2024 09:08:10 GMT https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5122420#M1113213 Magesh Kumar 2024-06-01T09:08:10Z https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5122432#M1113216 <P>By the way you need to run packet capture'</P> <P>Then clear conn this force the server and clinet to start new tcp session</P> <P>If yoh capture then session already done the you will capture only "P" not the tcp handshake then P</P> <P>MHM</P> Sat, 01 Jun 2024 09:39:27 GMT https://community.cisco.com/t5/network-security/packet-capture-cisco-asa/m-p/5122432#M1113216 MHM Cisco World 2024-06-01T09:39:27Z