Re: packet capture on asa

jvardhan29 · ‎12-21-2010

hi

if i want to compare packet cptures on asa with the syslogs , how will i come to know that both are taken simultaneosuly i.e what is the confirmation which will conclude that both are simultaneous .what parameter i need to compare in both . how to compare time on asa capture and asa syslog ?

also if the client time (who is sending the packet) going through asa firewall is different from the firewall time and there comes a situation that i need to have firewall and client captures simultaneously , how will i ensure that i am getting the correct output (from both) such that i dont face issues while i am comparing the client and asa captures.

Jennifer Halim · ‎12-21-2010

You can download the packet capture from the ASA in pcap format, and view the raw packet with ethereal or wireshark. It will provide you with the time for each packet, that you can use to compare with the syslog messages.

If the client who is sending the traffic has a different time to the ASA time, you would need to make sure that the time is synchronized so you can corelate the packets. The best way to make sure that they are all synchronized to the same time is to refer them to NTP server.

Hope that answers your question.

jvardhan29 · ‎12-23-2010

hi

i know the download procedure from the ASA to pcap but i want to compare the time in the packet capture output which i got from wireshark with the syslogs . if u can help me in how to verify the timestamp for simultaneous captures and syslog my problm will be solved . basically its more about how to see the time in packet capture but whenever i see the time i donot see it in HH:MM:SS format .

Jennifer Halim · ‎12-23-2010

It's the setting on the wireshark itself that you would need to change.

Go to Wireshark --> Edit --> Preferences --> User Interface --> Column --> Time --> change the field type to "absolute time"

Hope that helps.