Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1144
Views
0
Helpful
2
Replies

How to display date for each packet in a Cisco ASA packet capture

Joe Silver
Level 1
Level 1

‎11-05-2014 01:00 PM - edited ‎03-11-2019 10:02 PM

Hello,

 

Quick question...On a Cisco ASA (v8.2) how does one show the date of each packet in a packet capture?

 

When performing a packet capture from CLI you can do a "show capture testcapture" command and you can see that the time is at the beginning of each packet but how does one view the date as well as the time for each packet?  I know you can export the packet capture and it will show the date & time in wireshark but sometimes for just quick and dirty capture I'd like to view the capture from the CLI on the ASA itself without doing an export. 

 

Sample capture below.  Time is displayed but not the date of the packet capture.  Issuing command "sh cap test detail" doesn't show the date either.  I checked on an ASA running v9 and it also doesn't show the date in the packet capture.

ASA5505# sh cap test

   1: 08:51:56.112085 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x:  udp 404
   2: 08:52:18.111871 802.1Q vlan#12 P0 10.150.40.240.29082 > x.x.x.x.53:  udp 37
   3: 08:52:18.165366 802.1Q vlan#12 P0 y.y.y.y.53 > 10.150.40.240.29082:  udp 53
   4: 08:52:32.129235 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x4.500:  udp 404
   5: 08:52:37.111627 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
   6: 08:52:49.111490 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404

Thanks for any help.

Joe

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎11-05-2014 11:09 PM

Hi,

 

I would suggest copying the capture from the ASA to some local host and opening the capture file with Wireshark to view the information

 

For example

 

copy /pcap capture:test tftp://x.x.x.x/test.pcap

 

This should copy the current data in the capture to the mentioned location with the mentioned filename.

 

I personally view the captures on the ASA CLI only if I am just confirming that some traffic comes to the firewall or when I am checking what happens to a TCP connection that can not be formed. Its a lot easier to go through bigger captures by copying them from the ASA and viewing them with an actual software meant for that purpose.

 

Hope this helps :)

 

- Jouni

 

0 Helpful

Joe Silver
Level 1
Level 1
In response to Jouni Forss

‎11-06-2014 11:36 AM

Thanks Jouni.  I was simply looking to do basic troubleshooting by looking at the date and not worrying about exporting the capture off-device for analysis. 

 

Maybe I'll submit this as a feature request.

 

Joe

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card