Info about Global Capture command

CCL Network Services Group · ‎12-06-2016

Is there any Cisco ASA command (real time or not) , that capture global , on all interfaces and that matches some conditions i.e. from a specific source to specific destination and dest. port ?

GRANT3779 · ‎12-07-2016

What I do myself, to get captures for certain traffic is the following

* Create an ACL matching the traffic I am interested in

Reference the ACL within the capture command

*Capture *CapName* access-list *My_ACL* interface *Interface* buffer *size* circular-buffer

e.g

UK-ABZ-ASA-01/routed# capture CAP_TEST access-list ACL_TEST interface inside buffer 1534 circular-buffer

If I need to add another interface I run the same commands above replacing interface name with the next interface.
Once you do this and use the "show capture" command you will see it has pulled them together into the one capture statement. I prefer to use different capture names for each interface though.

When you run the command above the capture starts straight away and there is not a way to stop and start it as such. To stop the capture you need to remove it from the config.

no cap "Cap Name*

I then go ahead and copy the pcap from ASA to view it in detail.

copy /pcap capture:CapName tftp:

You can view the capture direct from the CLI as well as it runs. My preference is always to export and view.

CCL Network Services Group · ‎12-08-2016

Thanks Grant, i kinda have been using it like that, but was just thinking that , i might be missing the new updates and Cisco may have introduced something like we do on Checkpoint

fw ctl zdebug drop | grep 10.0.0.1