topic Reading Show capture output in Network Security

Reading Show capture output

mahesh18 — Tue, 12 Mar 2019 01:43:25 GMT

Hi Everyone,

I config packet capture on my ASA for learning purpose only.

Here is the output

ciscoasa# sh capture CAP detail

14 packets captured

1: 19:00:38.503071 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: S [tcp sum ok] 3114444719:3114444719(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6299)

2: 19:00:38.670024 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: . [tcp sum ok] 3114444720:3114444720(0) ack 3866590340 win 16560 (DF) (ttl 128, id 6300)

3: 19:00:38.670421 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 344: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: P [tcp sum ok] 3114444720:3114445006(286) ack 3866590340 win 16560 (DF) (ttl 128, id 6301)

4: 19:00:38.836825 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: . [tcp sum ok] 3114445006:3114445006(0) ack 3866590786 win 16448 (DF) (ttl 128, id 6302)

5: 19:00:38.837099 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: F [tcp sum ok] 3114445006:3114445006(0) ack 3866590786 win 16448 (DF) (ttl 128, id 6303)

6: 19:00:38.894591 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: S [tcp sum ok] 2730530586:2730530586(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6304)

7: 19:00:38.900206 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: S [tcp sum ok] 248443417:248443417(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6305)

8: 19:00:39.058834 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: . [tcp sum ok] 2730530587:2730530587(0) ack 1839683549 win 16560 (DF) (ttl 128, id 6306)

9: 19:00:39.059216 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 355: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: P [tcp sum ok] 2730530587:2730530884(297) ack 1839683549 win 16560 (DF) (ttl 128, id 6307)

10: 19:00:39.064846 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: . [tcp sum ok] 248443418:248443418(0) ack 3562924249 win 16560 (DF) (ttl 128, id 6308)

11: 19:00:39.227832 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: . [tcp sum ok] 2730530884:2730530884(0) ack 1839684017 win 16443 (DF) (ttl 128, id 6309)

12: 19:00:39.228305 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: F [tcp sum ok] 2730530884:2730530884(0) ack 1839684017 win 16443 (DF) (ttl 128, id 6310)

13: 19:00:44.672130 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: F [tcp sum ok] 248443418:248443418(0) ack 3562924249 win 16560 (DF) (ttl 128, id 6314)

14: 19:00:44.835283 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: . [tcp sum ok] 248443419:248443419(0) ack 3562924250 win 16560 (DF) (ttl 128, id 6319)

14 packets shown

ciscoasa#

Need to know which lines show

syn sent to remote site

syn,ack coming to host

ack going to remote site

Regards

MAhesh

Reading Show capture output

James Leinweber — Wed, 15 May 2013 14:15:40 GMT

I believe the flag letters in front of the "[tcp sum ok]" translate as S=SYN, F=FIN, P=PUSH. The firewall tends to erase URGENT in its default configuration.

-- Jim Leinweber, WI State Lab of Hygiene

Reading Show capture output

sokakkar — Wed, 15 May 2013 16:25:24 GMT

Mahesh,

Captures you pasted are unidirectional i.e. flow captured is only for 192.168.52.5 > 195.157.47.7:

Following shows syn and then ack (no syn,ack)

1: 19:00:38.503071 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: S [tcp sum ok] 3114444719:3114444719(0) win 8192 (DF) (ttl 128, id 6299)

Can you paste the commands you added to take captures?

Sourav

Reading Show capture output

mahesh18 — Wed, 15 May 2013 19:33:16 GMT

Hi Sourav,

i config only 1 command

access-list CAP permit tcp host 192.168.52.6 host 195.157.47.7 eq 80

Thanks

Mahesh

Reading Show capture output

sokakkar — Wed, 15 May 2013 20:09:44 GMT

Hi Mahesh,

Add another acl for reverse flow as well:

access-list CAP permit tcp host 195.157.47.7 eq 80 host 192.168.52.6

clear the capture data using 'clear capture cap_name'.

Access the server and check captures.

Sourav

Reading Show capture output

mahesh18 — Wed, 15 May 2013 23:09:33 GMT

Hi Sourav,

Here is output of sh capture

ciscoasa# sh capture CAP

26 packets captured

1: 17:04:58.488698 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: S 3950215981:3950215981(0) win 8192

2: 17:04:58.654369 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: S 588135039:588135039(0) ack 3950215982 win 5840

3: 17:04:58.654766 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: . ack 588135040 win 16560

4: 17:04:58.655056 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: P 3950215982:3950216268(286) ack 588135040 win 16560

5: 17:04:58.820926 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: . ack 3950216268 win 54

6: 17:04:58.821780 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: P 588135040:588135485(445) ack 3950216268 win 54

7: 17:04:58.821826 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: F 588135485:588135485(0) ack 3950216268 win 54

8: 17:04:58.823199 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: . ack 588135486 win 16448

9: 17:04:58.823840 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: F 3950216268:3950216268(0) ack 588135486 win 16448

10: 17:04:58.883667 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: S 3383221129:3383221129(0) win 8192

11: 17:04:58.884063 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: S 2736013711:2736013711(0) win 8192

12: 17:04:58.989618 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: . ack 3950216269 win 54

13: 17:04:59.046826 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: S 762110939:762110939(0) ack 3383221130 win 5840

14: 17:04:59.047208 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: . ack 762110940 win 16560

15: 17:04:59.047467 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: P 3383221130:3383221427(297) ack 762110940 win 16560

16: 17:04:59.050320 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1355: S 443725471:443725471(0) ack 2736013712 win 5840

17: 17:04:59.050671 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: . ack 443725472 win 16560

18: 17:04:59.212772 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: . ack 3383221427 win 54

19: 17:04:59.213673 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: P 762110940:762111407(467) ack 3383221427 win 54

20: 17:04:59.213703 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: F 762111407:762111407(0) ack 3383221427 win 54

21: 17:04:59.214130 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: . ack 762111408 win 16443

22: 17:04:59.214634 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: F 3383221427:3383221427(0) ack 762111408 win 16443

23: 17:04:59.379252 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: . ack 3383221428 win 54

24: 17:05:04.660366 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: F 2736013712:2736013712(0) ack 443725472 win 16560

25: 17:05:04.825061 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1355: F 443725472:443725472(0) ack 2736013713 win 46

26: 17:05:04.825473 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: . ack 443725473 win 16560

So which is syn,ack coming from remote website to host?

Also i am blocking single website is there any reason that 26 lines output is generated for this?

Thanks

Mahesh

Reading Show capture output

sokakkar — Thu, 16 May 2013 12:00:31 GMT

Mahesh,

Here are the syn, syn-ack, ack for this connection:

1: 17:04:58.488698 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: S 3950215981:3950215981(0) win 8192

2: 17:04:58.654369 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: S 588135039:588135039(0) ack 3950215982 win 5840

3: 17:04:58.654766 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: . ack 588135040 win 16560

S stands for Syn. Frame 2 above is the syn-ack packet coming from server to host.

What do you mean when you say 'i am blocking single website'? How exactly are you trying to block the single website on ASA?

Sourav

Reading Show capture output

mahesh18 — Thu, 16 May 2013 14:23:21 GMT

Hi Sourav,

I was blocking the website by ACL on the ASA.

Thanks

Mahesh

Reading Show capture output

sokakkar — Thu, 16 May 2013 14:25:06 GMT

Using IP or FQDN?

Can you post the access-list?

Sourav

Reading Show capture output

mahesh18 — Thu, 16 May 2013 18:08:03 GMT

Hi Sourav,

I am blocking it by IP say

access-list extended inside deny tcp host 192.168.52.5 host 195.157.47.7 eq 80

Thanks

Mahesh

Reading Show capture output

sokakkar — Thu, 16 May 2013 18:21:50 GMT

Well, in that case ASA should deny the very first packet sent by client to server i.e. SYN.

Can you post 'show run access-group' and make sure that access-group is indeed applied on inside in outbound directions?

Also, please post output of:

packet-tracer input inside tcp 192.168.52.5 discard 195.157.47.7 80

Sourav

Reading Show capture output

mahesh18 — Thu, 16 May 2013 21:41:43 GMT

Hi Sourav,

Currently access group is applied on inside interface -- direction is in.

Do i need to config ACL in out direction on inside interface?

Will post the output shortly.

Thanks

Mahesh

Reading Show capture output

mahesh18 — Thu, 16 May 2013 23:12:11 GMT

Hi Sourav,

Here is current config

access-list inside_access_in extended permit ip any any

access-list CAP extended permit tcp host 192.168.52.5 host 195.157.47.7 eq www log

access-list CAP extended permit tcp host 195.157.47.7 eq www host 192.168.52.5 log

access-group inside_access_in in interface inside

ciscoasa# packet-tracer input inside tcp 192.168.52.5 discard 195.157.47.7 80

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.52.0 255.255.255.0 inside

Phase: 5

Type: ACCESS-LIST

Subtype: log

Result: DROP

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended deny tcp host 192.168.52.5 host 195.157.47.7 eq www log

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks

MAhesh

Reading Show capture output

sokakkar — Fri, 17 May 2013 12:28:39 GMT

Mahesh,

Rule looks fine. You shouldn't see any traffic going out of ASA in captures. Just clear the captures, clear any existing connections for client machine and try again and see if there are any packets seen on outside interface of ASA.

clear capture

clear connection address 192.168.52.5

Sourav

Re: Reading Show capture output

absuizo14 — Tue, 24 Sep 2019 05:52:46 GMT

What does P=Push mean?