https://community.cisco.com/t5/network-security/cisco-pix-capture-question/m-p/1285725#M859329 <HTML><HEAD></HEAD><BODY><P>Hi there Nicholas,</P><P></P><P>The capture command captures ALL traffic coming in or going out of the interface.</P><P></P><P>eg</P><P></P><P>capture blah interface outside </P><P></P><P>will create a capture file called blah that captures all traffic coming in or leaving the 'outside' interface.</P><P></P><P>Brad</P></BODY></HTML> Wed, 17 Jun 2009 01:33:09 GMT bmcginn 2009-06-17T01:33:09Z https://community.cisco.com/t5/network-security/cisco-pix-capture-question/m-p/1285724#M859327 <P>Hello,</P><P>I've been able to find information on setting up a CAPTURE for incoming traffic. However, I am having a hard time setting up a CAPTURE for traffic heading out of my network to the Internet.</P><P></P><P>Can someone please assist in how I can set this up?</P><P></P><P>Thank you in advance.</P><P></P> Mon, 11 Mar 2019 15:44:27 GMT https://community.cisco.com/t5/network-security/cisco-pix-capture-question/m-p/1285724#M859327 TheJax2009 2019-03-11T15:44:27Z https://community.cisco.com/t5/network-security/cisco-pix-capture-question/m-p/1285725#M859329 <HTML><HEAD></HEAD><BODY><P>Hi there Nicholas,</P><P></P><P>The capture command captures ALL traffic coming in or going out of the interface.</P><P></P><P>eg</P><P></P><P>capture blah interface outside </P><P></P><P>will create a capture file called blah that captures all traffic coming in or leaving the 'outside' interface.</P><P></P><P>Brad</P></BODY></HTML> Wed, 17 Jun 2009 01:33:09 GMT https://community.cisco.com/t5/network-security/cisco-pix-capture-question/m-p/1285725#M859329 bmcginn 2009-06-17T01:33:09Z https://community.cisco.com/t5/network-security/cisco-pix-capture-question/m-p/1285726#M859331 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply Brad..just one follow up question. </P><P></P><P>I am trying to identify if a system on my LAN is communitucating with port 25 on any server outside of my network. In the capture, I see the address I use for PAT as the source. I need to be able to see their internal address 172.16.x.x. Is this something that can be done with CAPTURE? If so, can you please provide some guidance?</P><P></P><P>Thanks again.</P><P></P></BODY></HTML> Wed, 17 Jun 2009 11:20:29 GMT https://community.cisco.com/t5/network-security/cisco-pix-capture-question/m-p/1285726#M859331 TheJax2009 2009-06-17T11:20:29Z https://community.cisco.com/t5/network-security/cisco-pix-capture-question/m-p/1285727#M859336 <HTML><HEAD></HEAD><BODY><P>Hi Nicholas,</P><P></P><P>You can do this if you configure the capture on your inside interface. The commands would look something like this:</P><P></P><P>! Create an ACL to limit the capture to SMTP traffic from your internal host</P><P>access-list capin-acl permit tcp host 172.16.x.x any eq 25</P><P>access-list capin-acl permit tcp any eq 25 host 172.16.x.x</P><P>!</P><P>! Configure the capture</P><P>! </P><P>capture capin access-list capin-acl interface inside packet-length 1518 buffer <SIZE></SIZE></P><P></P><P>This assumes the interface that your host sits on is named "inside". If not, just change "inside" to your interface name. The buffer is optional, but will let you capture more data than the default buffer will hold.</P><P></P><P>You can then look at the capture with the 'show capture capin' command or download it by browsing to <A class="jive-link-custom" href="https://" target="_blank">https://</A><ASA_IP>/capture/capin/pcap.</ASA_IP></P><P></P><P>Finally, here is the command reference for the 'capture' command:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2108895" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2108895</A></P><P></P><P>Hope that helps.</P><P></P><P>-Mike</P></BODY></HTML> Wed, 17 Jun 2009 14:48:55 GMT https://community.cisco.com/t5/network-security/cisco-pix-capture-question/m-p/1285727#M859336 robertson.michael 2009-06-17T14:48:55Z https://community.cisco.com/t5/network-security/cisco-pix-capture-question/m-p/1285728#M859340 <HTML><HEAD></HEAD><BODY><P>Thanks very much! That did the trick.</P></BODY></HTML> Wed, 17 Jun 2009 15:56:33 GMT https://community.cisco.com/t5/network-security/cisco-pix-capture-question/m-p/1285728#M859340 TheJax2009 2009-06-17T15:56:33Z