Packet Capture - Cisco ASA

Magesh Kumar
Level 1

Hi team,

I have captured some TCP traffic on a Cisco ASA, but from that capture I'm unable to examine the TCP handshake flow.

  1. It looks like the TCP flags are placed in random order. Is the ASA capturing the traffic in sequence order?
  2. What is the flag for SYN ACK in the ASA? I'm unable to find the SYN ACK in the capture.
  3. Also, what is P ACK? Is it used to push data, or is it just an ACK for data received?

Logs:

35: 06:20:52.259340 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: S 3384631045:3384631045(0) win 29200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
38: 06:20:52.289108 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: . ack 1259971722 win 229
39: 06:20:52.299834 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: P 3384631046:3384631563(517) ack 1259971722 win 229

44: 06:20:52.329343 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 > X.X.X.X.35908: . ack 3384631563 win 237
46: 06:20:52.344220 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 > X.X.X.X.35908: . 1259971722:1259973094(1372) ack 3384631563 win 237
47: 06:20:52.344250 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 > X.X.X.X.35908: P 1259973094:1259973157(63) ack 3384631563 win 237
48: 06:20:52.344449 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: . ack 1259973157 win 251
50: 06:20:52.346112 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: P 3384631563:3384631729(166) ack 1259973157 win 251

58: 06:20:52.380031 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 > X.X.X.X.35908: P 1259973157:1259973163(6) ack 3384631729 win 245
59: 06:20:52.380031 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 > X.X.X.X.35908: P 1259973163:1259973248(85) ack 3384631729 win 245
60: 06:20:52.380229 802.1Q vlan#AAA P0 X.X.X.X.35910 > Y.Y.Y.Y.9443: . ack 652854020 win 229
61: 06:20:52.380580 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: . ack 1259973248 win 251
62: 06:20:52.381251 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: P 3384631729:3384632070(341) ack 1259973248 win 251
64: 06:20:52.408090 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 > X.X.X.X.35908: P 1259973248:1259973397(149) ack 3384632070 win 254
65: 06:20:52.408807 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: P 3384632070:3384632139(69) ack 1259973397 win 272
66: 06:20:52.410531 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: F 3384632139:3384632139(0) ack 1259973397 win 272
68: 06:20:52.441215 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 > X.X.X.X.35908: P 1259973397:1259973466(69) ack 3384632140 win 254
69: 06:20:52.441261 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 > X.X.X.X.35908: F 1259973466:1259973466(0) ack 3384632140 win 254
70: 06:20:52.441505 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: R 3384632140:3384632140(0) win 0
71: 06:20:52.441551 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: R 3384632140:3384632140(0) win 0

Regards,
Magesh Kumar G

balaji.bandi
Hall of Fame

I would suggest understanding the ASA flags:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-ptn-113602.html

Better, you can export the PCAP to Wireshark to get a better view (if you are not familiar with the CLI).


BB


Did you use any match in your capture to filter the src/dest IP and src/dest L4 port?

MHM

Yes. I've created the capture with source and destination IPs.

Thanks,

Magesh Kumar G


That is how a TCP handshake looks:
first you see "S", meaning this packet is a SYN;
then you see "S" and also "ACK", meaning SYN+ACK;
lastly you see only "ACK", which is the end of the TCP handshake.

After that, any capture with "P" means PACKET and is not related to the TCP handshake.

MHM

[Attachment: Screenshot (502).png]
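The flag column in the original capture and in the reply above follows tcpdump conventions: `S` is SYN, a `S` line that also carries an `ack N` field is the SYN/ACK, `.` is a segment with only the ACK bit set, `P` is PSH/ACK (pushed payload, never part of the handshake), `F` is FIN and `R` is RST. The parser below, an added example that is not code from the original post, the replies, or Cisco, reads `show capture` lines of that shape, names each segment, and reports for every connection which of the three handshake steps were actually captured, which answers all three questions in the opening post. It embeds an excerpt of the thread's own capture plus a constructed complete handshake with made-up addresses and sequence numbers for comparison; the function and variable names are this example's own.

```python
"""Classify Cisco ASA 'show capture' TCP lines and check the three-way handshake.

Added example for this thread, not code from the original post or from Cisco.
Flag column is tcpdump-style: S = SYN, . = ACK only, P = PSH, F = FIN, R = RST;
a SYN/ACK prints as 'S' together with an 'ack N' field.
"""
import re
from collections import defaultdict

# <frame>: <time> [802.1Q vlan#N P0] <src>.<sport> > <dst>.<dport>: <flags> [seq:seq(len)] [ack N] win N [<opts>]
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+):\s+(?P<time>\S+)\s+"
    r"(?:802\.1Q\s+vlan#\S+\s+P\d+\s+)?"                       # optional VLAN tag
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq>\d+):\d+\((?P<length>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"\s+win\s+(?P<win>\d+)"
)


def classify(flags, ack, length):
    """Name the segment the way an analyst reads the tcpdump flag column."""
    if "R" in flags:
        return "RST"
    if "F" in flags:
        return "FIN"
    if "S" in flags:                        # SYN, or SYN/ACK when an ack field is present
        return "SYN/ACK" if ack is not None else "SYN"
    if "P" in flags:                        # PSH/ACK: pushed payload, never part of the handshake
        return "PSH/ACK"
    return "DATA/ACK" if length else "ACK"  # '.' = ACK only; with a payload it is a plain data segment


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    p = m.groupdict()
    for k in ("frame", "sport", "dport", "seq", "length", "ack", "win"):
        p[k] = None if p[k] is None else int(p[k])
    p["kind"] = classify(p["flags"], p["ack"], p["length"])
    return p


def conn_key(p):
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))


def handshake_report(lines):
    """Map each connection to the handshake steps seen, segment kinds and payload bytes per sender."""
    pkts = [p for p in map(parse_line, lines) if p]
    # Frames are numbered in the order the ASA saw them, so frame numbers and
    # timestamps must both be non-decreasing; anything else means a merged or
    # edited capture, not random ordering.
    in_order = all(a["frame"] < b["frame"] and a["time"] <= b["time"] for a, b in zip(pkts, pkts[1:]))
    conns = defaultdict(list)
    for p in pkts:
        conns[conn_key(p)].append(p)
    reports = {}
    for key, flow in conns.items():
        syn = next((p for p in flow if p["kind"] == "SYN"), None)
        synack = next((p for p in flow if p["kind"] == "SYN/ACK"), None)
        synack_ok = synack is not None and (syn is None or synack["ack"] == syn["seq"] + 1)
        third = None
        if syn is not None:
            client = (syn["src"], syn["sport"])
            for p in flow:                  # first pure ACK from the SYN sender closes the handshake
                if p["kind"] == "ACK" and (p["src"], p["sport"]) == client \
                        and (synack is None or p["ack"] == synack["seq"] + 1):
                    third = p
                    break
        payload = defaultdict(int)
        for p in flow:
            if p["length"]:
                payload[(p["src"], p["sport"])] += p["length"]
        reports[key] = {
            "SYN": syn is not None,
            "SYN/ACK": synack_ok,
            "ACK": third is not None,
            "complete": syn is not None and synack_ok and third is not None,
            "kinds": [p["kind"] for p in flow],
            "payload_bytes": dict(payload),
            "frames_in_order": in_order,
        }
    return reports


# Excerpt of the capture posted in the thread (frame 60 belongs to a second
# connection, port 35910, for which no SYN was captured at all).
THREAD_CAPTURE = """\
35: 06:20:52.259340 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: S 3384631045:3384631045(0) win 29200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
38: 06:20:52.289108 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: . ack 1259971722 win 229
39: 06:20:52.299834 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: P 3384631046:3384631563(517) ack 1259971722 win 229
44: 06:20:52.329343 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 > X.X.X.X.35908: . ack 3384631563 win 237
46: 06:20:52.344220 802.1Q vlan#AAA P0 Y.Y.Y.Y.9443 > X.X.X.X.35908: . 1259971722:1259973094(1372) ack 3384631563 win 237
60: 06:20:52.380229 802.1Q vlan#AAA P0 X.X.X.X.35910 > Y.Y.Y.Y.9443: . ack 652854020 win 229
66: 06:20:52.410531 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: F 3384632139:3384632139(0) ack 1259973397 win 272
70: 06:20:52.441505 802.1Q vlan#AAA P0 X.X.X.X.35908 > Y.Y.Y.Y.9443: R 3384632140:3384632140(0) win 0
""".splitlines()

# Constructed complete handshake (made-up addresses and sequence numbers) for comparison.
FULL_HANDSHAKE = """\
1: 10:00:00.000100 10.0.0.5.40000 > 10.0.0.9.9443: S 1000:1000(0) win 29200 <mss 1460,sackOK>
2: 10:00:00.000300 10.0.0.9.9443 > 10.0.0.5.40000: S 5000:5000(0) ack 1001 win 28960 <mss 1460,sackOK>
3: 10:00:00.000400 10.0.0.5.40000 > 10.0.0.9.9443: . ack 5001 win 229
4: 10:00:00.001000 10.0.0.5.40000 > 10.0.0.9.9443: P 1001:1518(517) ack 5001 win 229
""".splitlines()

if __name__ == "__main__":
    for name, lines in (("thread capture", THREAD_CAPTURE), ("constructed", FULL_HANDSHAKE)):
        for key, r in handshake_report(lines).items():
            print(name, key, {k: r[k] for k in ("SYN", "SYN/ACK", "ACK", "complete")}, r["kinds"])
```

Run against the thread's excerpt, the report for port 35908 shows the SYN (frame 35) and the client's third-step ACK (frame 38) but no SYN/ACK at all: the frames are in order, the handshake is simply incomplete in this capture, which is consistent with the server side (or the capture point) being the problem rather than the ASA reordering anything. On the ASA itself a capture of this kind is created with `capture <name> interface <ifname> match tcp host <client> host <server> eq 9443`, read with `show capture <name>`, and exported for Wireshark with `copy /pcap capture:<name> tftp://<server>/<file>.pcap`; `clear conn address <client>` forces a fresh session so the handshake lands inside the capture window.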

Magesh Kumar
Level 1

It looks like a problem with the destination server. After restarting the services on the destination server, the ASA capture shows the TCP handshake sequentially.

Thanks all.

Regards,
Magesh Kumar G

By the way, you need to run the packet capture.

Then clear conn; this forces the server and client to start a new TCP session.

If you capture when the session is already established, you will capture only "P" and not the TCP handshake followed by "P".

MHM
