https://community.cisco.com/t5/network-security/asa-5505-monitor-http-traffic/m-p/1224607#M418364 <P>Hi,</P><P>Any suggestion about how to correctly monitor HTTP Traffic from a certain host ?</P><P></P><P>I just received a request to log, for a specific period of time, http traffic from a host on the inside network to internet and to generate a sort of human readable output format.</P><P></P><P>It can either be log to a syslog, FTP etc...</P><P></P><P>I know how to use filter, but this request got me a little confused.</P><P></P><P>Any idea ?</P> Fri, 21 Feb 2020 11:17:40 GMT nrnick 2020-02-21T11:17:40Z https://community.cisco.com/t5/network-security/asa-5505-monitor-http-traffic/m-p/1224607#M418364 <P>Hi,</P><P>Any suggestion about how to correctly monitor HTTP Traffic from a certain host ?</P><P></P><P>I just received a request to log, for a specific period of time, http traffic from a host on the inside network to internet and to generate a sort of human readable output format.</P><P></P><P>It can either be log to a syslog, FTP etc...</P><P></P><P>I know how to use filter, but this request got me a little confused.</P><P></P><P>Any idea ?</P> Fri, 21 Feb 2020 11:17:40 GMT https://community.cisco.com/t5/network-security/asa-5505-monitor-http-traffic/m-p/1224607#M418364 nrnick 2020-02-21T11:17:40Z https://community.cisco.com/t5/network-security/asa-5505-monitor-http-traffic/m-p/1224608#M418365 <HTML><HEAD></HEAD><BODY><P>You need to inspect HTTP under your policy map for your ASA to log web addresses that are being accessed. After doing that, you would need to log to a syslog server, and then filter by the IP address that you want. If you have a lot of users, there's not a way that I know of that will allow you to pick just one address. (I don't think you can create an ACL to log against.) So, you could have a ton of traffic coming through that you'd have to filter through.</P><P></P><P>HTH,</P><P></P><P>John</P></BODY></HTML> Mon, 16 Feb 2009 22:03:18 GMT https://community.cisco.com/t5/network-security/asa-5505-monitor-http-traffic/m-p/1224608#M418365 John Blakley 2009-02-16T22:03:18Z https://community.cisco.com/t5/network-security/asa-5505-monitor-http-traffic/m-p/1224609#M418369 <HTML><HEAD></HEAD><BODY><P>Create a "capture" file which is easily readable and exportable. I'm assuming you want to know what website IP addresses this inside host is going to???</P><P></P><P>Easy.</P><P></P><P>First, create an ACL to watch for traffic to the internet on port 80 from the inside host IP address. Lets call the ACL "http-snoop" and assume the inside IP address is 192.168.1.15 - just for example.</P><P></P><P>HOST(config)# access-list http-snoop permit tcp host 192.168.1.15 any eq 80</P><P></P><P>Then, create a capture session - let's call it "watchingyou" - and apply it to the interfaces you want to capture on and reference the above ACL...</P><P></P><P>HOST(config)# capture watchingyou access-list http-snoop interface inside</P><P></P><P>Now.. just let it run.</P><P></P><P>When you want to see what you've captured, just type..</P><P></P><P>HOST# show capture watchingyou</P><P></P><P>And you'll see line-by-line each outbound request from that host to the internet on port 80.</P><P></P><P>When you're done, "no" the capture line above then "no" the access-list. Also, if you do a "show capture" you'll see the remaining capture file and you can "no" that to erase it when you're done.</P><P></P><P>Hope that helps.</P><P></P><P>Jeremy Ault</P><P></P></BODY></HTML> Thu, 19 Feb 2009 22:50:51 GMT https://community.cisco.com/t5/network-security/asa-5505-monitor-http-traffic/m-p/1224609#M418369 jeremyault 2009-02-19T22:50:51Z