cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1325
Views
0
Helpful
5
Replies
markus.albisser1
Beginner

ASA capture with SFR

Dear all

 

I have a short question to you guys, when I run a capture on the outside (Internet) interface of an ASA-5545 (the ASA has the SFR module installed and acts as a NGFW) with the following command:

capture capin interface outside match ip host 100.100.100.100 any

 

And then checking this capture with the command:

show capture capin dump

 

Are the details I see now how this data really enters the interface? Without any applied Service Policy Rules, without any applied ACLs and before the Firepower module would take any actions? Means when I see a certain flag in the dump within the protocol, I can assume this flag has been sent by the source IP address and has not been changed by my ASA firewall within a policy?

 

Of course you have a good article which describes this behavior, where the capture applies to?

 

Thank you

Markus

1 ACCEPTED SOLUTION

Accepted Solutions
Marvin Rhoads
VIP Community Legend

An ASA capture on an interfaces does indeed show you the raw traffic entering the interface, prior to any action potentially taken by the ASA to evaluate the flow or disposition of the packet(s).

View solution in original post

5 REPLIES 5
balaji.bandi
VIP Master

check below blog will give you some idea what interface using to capture :

 

https://popravak.wordpress.com/2017/03/17/packet-capture-with-sourcefire-cli/

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

Hi Balaji

 

Thank you for this link. Helpful troubleshooting steps when logging on the SFR module! This is what I can do, check the logging there and compare it with the capture from the ASA. 

Nevermind, do you know if the ASA capture is really on the ingress of the interface, therefore before the SFR module comes in charge? That the ASA capture gets the raw-data before anything within the ASA has been handled?

 

Thanks

Markus

you need to understand the traffic flow how this process works, and where you capturing.

https://www.ciscopress.com/articles/article.asp?p=2730336&seqNum=7

 

 

image.png

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

Great diagram, thanks Balaji for this post. This is what I looked for. Together with Marvin's answer below, this answers my question.

 

Thank you

Markus

Marvin Rhoads
VIP Community Legend

An ASA capture on an interfaces does indeed show you the raw traffic entering the interface, prior to any action potentially taken by the ASA to evaluate the flow or disposition of the packet(s).

View solution in original post