01-08-2010 02:53 AM - edited 03-11-2019 09:54 AM
Hello,
A while back a Cisco engineer configured a capture on our Cisco ASA via the CLI and I can't remember how he did this. I have a source and destination address I'm interested in, in both directions; he managed to create some sort of access-list and then display the logging in the CLI only for that capture, filtering out the rest of the CLI logging.
For example, I want to capture traffic between 192.168.1.11 (inside interface) and 212.58.224.138 (outside interface).
Any idea what this config might look like for me to add?
Thanks
01-08-2010 03:36 AM
Hi Andy,
Use the command capture with the configured ACLs, but keep in mind that only incoming traffic can be captured. If you want to capture the traffic that comes from inside and outside, you will need to create to capture as well.
Br,
01-08-2010 03:50 AM
I mean, two captures :-)
01-08-2010 05:22 AM
On 7.2.4 or above you can do captures with just one line using the match keyword.
cap capin int inside match ip host 192.168.1.11 host 212.58.224.138
sh cap capin - to display packets
clear cap capin - to collect fresh packets
no cap capin - to remove
This will collect bi-directional traffic between the two hosts.
If you don't run a code where the "match" keyword is present, then you can follow this document:
https://supportforums.cisco.com/docs/DOC-1222
-KS
01-08-2010 06:56 AM
I am on 8.0.4.48
So would something like this work (looking at the CLI ? command)?
access-list mycap extended permit ip host 192.168.1.11 host 212.58.224.138
access-list mycap extended permit ip host 212.58.224.138 host 192.168.1.11
capture mycap type raw-data access-list mycap interface inside
sh cap mycap
Thanks
01-08-2010 07:07 AM
Try this one:
access-list mycap extended permit ip host 192.168.1.11 host 212.58.224.138
access-list mycap1 extended permit ip host 212.58.224.138 host 192.168.1.11
capture mycap type raw-data access-list mycap interface inside
capture mycap1 type raw-data access-list mycap1 interface outside
Br,
01-08-2010 07:55 AM
So will this only capture from 212.58.224.138 to host 192.168.1.11 (mycap1)? Then do I swap to:
capture mycap type raw-data access-list mycap interface outside to see traffic from the other direction?
01-08-2010 08:31 AM
Did you refer to the link that I enclosed?
If you can use the "match" keyword then you hit the jackpot.
You can see bi-directional traffic with just two capture lines.
cap capin int inside match ip host 192.168.1.11 any
cap capout int outside match ip any host 212.58.224.138
If you cannot use the match keyword then you need
2 acls for inside capture.
2 acls for the outside capture.
access-l test-in permit ip host 192.168.1.11 any
access-l test-in permit ip any host 192.168.1.11
cap capin access-l test-in int inside packet-l 1518
access-l test-out permit ip host 212.58.224.138 any
access-l test-out permit ip any host 212.58.224.138
cap capout access-l test-out int outside packet-len 1518
-KS
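As an added example (not from the thread, and not Cisco's documentation), here is the whole workflow around the "match"-style capture on an ASA running 7.2(4)+ syntax such as the OP's 8.0.4: define, verify, export to pcap, and clean up. The capture names reuse KS's capin/capout; the buffer size and the TFTP server address 192.0.2.10 are assumed values.

```cisco
! Added example, not from the thread. Buffer size and TFTP address are assumed.

! 1. One capture per interface. "match" is symmetric, so each capture records
!    both directions. buffer is in bytes (raised above the default so a busy
!    flow is not lost); packet-length 1518 keeps whole frames, not truncated ones.
capture capin interface inside buffer 1000000 packet-length 1518 match ip host 192.168.1.11 host 212.58.224.138
! On the outside interface the packet carries the post-NAT address: if
! 192.168.1.11 is translated, match on its translated address here instead.
capture capout interface outside buffer 1000000 packet-length 1518 match ip host 192.168.1.11 host 212.58.224.138

! 2. Confirm the captures are filling: buffer usage and packet count per capture.
show capture
! One summary line per packet; "detail" adds the full headers.
show capture capin
show capture capin detail

! 3. Export to pcap for Wireshark over TFTP. The same file is also served by
!    the ASA's HTTPS server at https://<asa-mgmt-ip>/admin/capture/capin/pcap
!    (placeholder for your management address).
copy /pcap capture:capin tftp://192.0.2.10/capin.pcap
copy /pcap capture:capout tftp://192.0.2.10/capout.pcap

! 4. Empty the buffers for a fresh run, or remove the captures when finished.
!    The buffers hold full payloads in ASA memory, so do not leave them behind.
clear capture capin
clear capture capout
no capture capin
no capture capout
```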
11-19-2011 01:42 AM