topic Packet Capture in ASDM vs. CLI in Network Security

Packet Capture in ASDM vs. CLI

Kevin Melton — Mon, 11 Mar 2019 20:12:12 GMT

Forum

One of the features I have always loved on the ASA was the ability to use the packet capture. If I remember correctly, I have been using this feature maybe since version 6.x in the PIX. It has helped solve many network issues and questions.

We now of course have the feature in ASDM that allows Packet Capture also. I have had a quesiton for a long time, but had not posted it as I dont often think of it. Today I found myself working at a client site and was working with Packet Captures and ACL's, and it made me remember the question. here goes:

When building a capture on the CLI, we have some prerequites. First we need an ACL to match for interesting traffic for the capture buffer. Then we name the capture, and reference the ACL while applying to an interface. This is all we need to do to get the capture up and running.

When building a capture on the ASDM, we have some options for building out just like in CLI. You can pick whatever ACL you want to use that ASDM sees configured on the box, or you can "Manage" the ACL's ( and I guess create a new one) by hitting the "Manage" button.

The one thing that is different is that the ASDM Packet Capture Wizard wants an "ingress" and "egress" interface for the Wizard. There does not seem to be a way to only capture on one (1) interface in the Packet Capture Wizard in ASDM.

So the question at hand would be "Can one use the ASDM Packet Capture Wizard and only assign one interface, and if so, how?

Thanks

Kevin

Re: Packet Capture in ASDM vs. CLI

csaxena — Fri, 25 Mar 2011 03:59:21 GMT

Hello Kevin,

Please refer to this document for details:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml#configurationPACKETCAP

Hope this helps. Please reply back if you need more info.

Regards,

Chirag

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Re: Packet Capture in ASDM vs. CLI

Kevin Melton — Mon, 11 Apr 2011 15:32:44 GMT

I already had that manual. The reason I had posted the question out to this Forum was due to the fact that in the manual, it only discusses using an Ingress and egress interface. That is why I posted what I posted.

I do appreciate you throwing the manual back to me though. I am still looking for the answer to my original question, which is:

Can Packet Capture in the ASDM be used with only an Ingress or Egress (and NOT both) like it can be in CLI?

Thanks

Re: Packet Capture in ASDM vs. CLI

Shrikant Sundaresh — Mon, 11 Apr 2011 18:22:39 GMT

Hi Kevin,

I myself am a huge fan of the CLI for taking captures and for troubleshooting as well.

However, we generally do apply captures on two interfaces, to see the packet entering, and packet leaving the ASA.

I tried capturing using only ingress interface on the ASDM, but i don't think that would be possible.

The good thing though is that it applies two different captures, and does not combine the ingress and egress parameters.

So essentially, the packet capture wizard is allowing you to setup two separate captures on two separate interfaces.

I do agree, that sometimes we use captures only on one interface just to see if a particular traffic is even reaching the ASA or not.

Unfortunately, I think all we can do in the ASDM for this scenario, is to ignore the parameters in the egress interface screen, and the captured packets that follow. A better configuration would be to configure traffic for the egress interface, which is not expected at all, so we don't see unnecessary data.

-Shrikant

Re: Packet Capture in ASDM vs. CLI

Kevin Melton — Mon, 11 Apr 2011 18:50:13 GMT

Shrikant

Thanks for taking the time to submit such a thorough answer. This is what I had been looking for. You have provided me with a sanity check.

Thank You

Kevin