topic Re: Capturing 'interesting' traffic on a ASA in Network Security

Capturing 'interesting' traffic on a ASA

Andy White — Mon, 11 Mar 2019 16:54:54 GMT

Hello,

A while back a Cisco engineer configured a capture on our Cisco ASA via the CLI and I can't remember how he did this. I have a source and destination address I'm interested in and in both directions, he managed to create some sort of access- list and then display the logging in the CLI only for that capture filtering out the rest of the CLI logging.

For example I want to capture traffic between 192.168.1.11 (inside interface) and 212.58.224.138 (outside interface)

Any idea what this config might look like for me to add?

Thanks

Re: Capturing 'interesting' traffic on a ASA

resoares — Fri, 08 Jan 2010 11:36:56 GMT

Hi Andy,

Use the command capture with the configured ACLs, but keep in your mind that only incoming traffic can be captured. If you want to capture the traffic that comes from inside and outside, you will need to create to capture as well.

Br,

Re: Capturing 'interesting' traffic on a ASA

resoares — Fri, 08 Jan 2010 11:50:03 GMT

I mean, two captures 🙂

Re: Capturing 'interesting' traffic on a ASA

Kureli Sankar — Fri, 08 Jan 2010 13:22:39 GMT

7.2.4 or above you can do captures with just one line with the match keyword.

cap capin int inside match ip host 192.168.1.11 host 212.58.224.138

sh cap capin - to display packets

clear cap capin - to collect fresh packets

no cap capin - to remove

This will collect bi-directional traffic between the two hosts.

If you don't run a code where the "match" word is present then, you can follow this document

https://supportforums.cisco.com/docs/DOC-1222

-KS

Re: Capturing 'interesting' traffic on a ASA

Andy White — Fri, 08 Jan 2010 14:56:18 GMT

I am on 8.0.4.48

So would something like this work (looking as the CLI ? command)

access-list mycap extended permit ip host 192.168.1.11 host 212.58.224.138
access-list mycap extended permit ip host 212.58.224.138 host 192.168.1.11
capture mycap type raw-data access-list mycap interface inside

sh cap mycap

Thanks

Re: Capturing 'interesting' traffic on a ASA

resoares — Fri, 08 Jan 2010 15:07:38 GMT

Try this one:

access-list mycap extended permit ip host 192.168.1.11 host 212.58.224.138

access-list mycap1 extended permit ip host 212.58.224.138 host 192.168.1.11

capture mycap type raw-data access-list mycap interface inside

capture mycap1 type raw-data access-list mycap1 interface outside

Br,

Re: Capturing 'interesting' traffic on a ASA

Andy White — Fri, 08 Jan 2010 15:55:39 GMT

so will this only capture from 212.58.224.138 to host 192.168.1.11 (mycap1)? Then do I swap to:

capture mycap type raw-data access-list mycap interface outside to see traffice from the other direction?

Re: Capturing 'interesting' traffic on a ASA

Kureli Sankar — Fri, 08 Jan 2010 16:31:38 GMT

Did you refer the link that I enclosed?

If you can use the "match" key word then you hit the jackpot.

You can see bi-directional traffic with just two capture lines.

cap capin int inside match ip host 192.168.1.11 any

cap capout int outside match ip any host 212.58.224.138

If you cannot use the match keyword then you need

2 acls for inside capture.

2 acls for the outside capture.

access-l test-in permi ip host 192.168.1.11 any

access-l test-in permit ip any host 192.168.1.11

cap capin access-l test-in int inside packet-l 1518

access-l test-out permit ip host 212.58.224.138 any

access-l test-out permit ip any host 212.58.224.138

cap capout access-l test-out int outside packet-len 1518

-KS

Re: Capturing 'interesting' traffic on a ASA

rassoul.ghaznavi — Sat, 19 Nov 2011 09:42:08 GMT

This might be an interest:

http://www.network-blog.com/ittech/post/2011/11/11/Capture-and-view-traffic-on-the-Cisco-routers-and-firewalls.aspx