Reading Show capture output

mahesh18
Level 6

Hi Everyone,

I configured packet capture on my ASA for learning purposes only.

Here is the output

ciscoasa# sh capture CAP  detail

14 packets captured

   1: 19:00:38.503071 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: S [tcp sum ok] 3114444719:3114444719(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6299)

   2: 19:00:38.670024 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: . [tcp sum ok] 3114444720:3114444720(0) ack 3866590340 win 16560 (DF) (ttl 128, id 6300)

   3: 19:00:38.670421 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 344: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: P [tcp sum ok] 3114444720:3114445006(286) ack 3866590340 win 16560 (DF) (ttl 128, id 6301)

   4: 19:00:38.836825 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: . [tcp sum ok] 3114445006:3114445006(0) ack 3866590786 win 16448 (DF) (ttl 128, id 6302)

   5: 19:00:38.837099 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: F [tcp sum ok] 3114445006:3114445006(0) ack 3866590786 win 16448 (DF) (ttl 128, id 6303)

   6: 19:00:38.894591 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: S [tcp sum ok] 2730530586:2730530586(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6304)

   7: 19:00:38.900206 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: S [tcp sum ok] 248443417:248443417(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6305)

   8: 19:00:39.058834 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: . [tcp sum ok] 2730530587:2730530587(0) ack 1839683549 win 16560 (DF) (ttl 128, id 6306)

   9: 19:00:39.059216 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 355: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: P [tcp sum ok] 2730530587:2730530884(297) ack 1839683549 win 16560 (DF) (ttl 128, id 6307)

  10: 19:00:39.064846 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: . [tcp sum ok] 248443418:248443418(0) ack 3562924249 win 16560 (DF) (ttl 128, id 6308)

  11: 19:00:39.227832 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: . [tcp sum ok] 2730530884:2730530884(0) ack 1839684017 win 16443 (DF) (ttl 128, id 6309)

  12: 19:00:39.228305 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: F [tcp sum ok] 2730530884:2730530884(0) ack 1839684017 win 16443 (DF) (ttl 128, id 6310)

  13: 19:00:44.672130 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: F [tcp sum ok] 248443418:248443418(0) ack 3562924249 win 16560 (DF) (ttl 128, id 6314)

  14: 19:00:44.835283 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: . [tcp sum ok] 248443419:248443419(0) ack 3562924250 win 16560 (DF) (ttl 128, id 6319)

14 packets shown

ciscoasa#

Need to know which lines show

syn sent to remote site

syn,ack coming to host

ack going to remote site

Regards

Mahesh

14 Replies

James Leinweber
Level 4

I believe the flag letters in front of the "[tcp sum ok]" translate as S=SYN, F=FIN, P=PUSH.  The firewall tends to erase URGENT in its default configuration.

-- Jim Leinweber, WI State Lab of Hygiene

What does P=Push mean?

sokakkar
Cisco Employee

Mahesh,

The captures you pasted are unidirectional, i.e. the flow captured is only for 192.168.52.5 > 195.157.47.7:

The following shows syn and then ack (no syn,ack)

1: 19:00:38.503071 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q  vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: S [tcp sum ok]  3114444719:3114444719(0) win 8192 (DF) (ttl 128, id 6299)

   2: 19:00:38.670024  f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0  192.168.52.5.3367 > 195.157.47.7.80: . [tcp sum ok]  3114444720:3114444720(0) ack 3866590340 win 16560 (DF) (ttl 128, id  6300)

Can you paste the commands you added to take captures?

-

Sourav

Hi Sourav,

I configured only 1 command

access-list CAP permit tcp  host 192.168.52.6 host 195.157.47.7 eq 80

Thanks

Mahesh

Hi Mahesh,

Add another acl for reverse flow as well:

access-list CAP permit tcp host 195.157.47.7 eq 80 host 192.168.52.6

Clear the capture data using 'clear capture cap_name'.

Access the server and check captures.

-

Sourav

Hi Sourav,

Here is the output of sh capture

ciscoasa#  sh capture CAP

26 packets captured

   1: 17:04:58.488698 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: S 3950215981:3950215981(0) win 8192

   2: 17:04:58.654369 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: S 588135039:588135039(0) ack 3950215982 win 5840

   3: 17:04:58.654766 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: . ack 588135040 win 16560

   4: 17:04:58.655056 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: P 3950215982:3950216268(286) ack 588135040 win 16560

   5: 17:04:58.820926 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: . ack 3950216268 win 54

   6: 17:04:58.821780 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: P 588135040:588135485(445) ack 3950216268 win 54

   7: 17:04:58.821826 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: F 588135485:588135485(0) ack 3950216268 win 54

   8: 17:04:58.823199 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: . ack 588135486 win 16448

   9: 17:04:58.823840 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: F 3950216268:3950216268(0) ack 588135486 win 16448

  10: 17:04:58.883667 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: S 3383221129:3383221129(0) win 8192

  11: 17:04:58.884063 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: S 2736013711:2736013711(0) win 8192

  12: 17:04:58.989618 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: . ack 3950216269 win 54

  13: 17:04:59.046826 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: S 762110939:762110939(0) ack 3383221130 win 5840

  14: 17:04:59.047208 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: . ack 762110940 win 16560

  15: 17:04:59.047467 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: P 3383221130:3383221427(297) ack 762110940 win 16560

  16: 17:04:59.050320 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1355: S 443725471:443725471(0) ack 2736013712 win 5840

  17: 17:04:59.050671 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: . ack 443725472 win 16560

  18: 17:04:59.212772 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: . ack 3383221427 win 54

  19: 17:04:59.213673 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: P 762110940:762111407(467) ack 3383221427 win 54

  20: 17:04:59.213703 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: F 762111407:762111407(0) ack 3383221427 win 54

  21: 17:04:59.214130 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: . ack 762111408 win 16443

  22: 17:04:59.214634 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: F 3383221427:3383221427(0) ack 762111408 win 16443

  23: 17:04:59.379252 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: . ack 3383221428 win 54

  24: 17:05:04.660366 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: F 2736013712:2736013712(0) ack 443725472 win 16560

  25: 17:05:04.825061 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1355: F 443725472:443725472(0) ack 2736013713 win 46

  26: 17:05:04.825473 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: . ack 443725473 win 16560

So which is syn,ack coming from remote website to host?

Also, I am blocking a single website; is there any reason that 26 lines of output are generated for this?

Thanks

Mahesh

Mahesh,

Here are the syn, syn-ack, ack for this connection:

1: 17:04:58.488698 802.1Q vlan#1 P0 192.168.52.5.1353 >  195.157.47.7.80: S 3950215981:3950215981(0) win 8192

2: 17:04:58.654369 802.1Q  vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: S 588135039:588135039(0) ack 3950215982 win 5840

3: 17:04:58.654766 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: . ack 588135040 win 16560

S stands for Syn. Frame 2 above is the syn-ack packet coming from server to host.

What do you mean when you say 'i am blocking single website'? How exactly are you trying to block the single website on ASA?

-

Sourav
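As an added example (not part of this thread and not Cisco's code), a small Python parser for the 'show capture' lines above that applies both of Sourav's points: it labels each segment as SYN, SYN-ACK or ACK the way the ASA prints them, pairs them by sequence numbers, and flags a flow where a SYN is followed only by the client's ACK as a one-directional capture. The sample lines are constructed from the captures posted in this thread.

```python
import re
from collections import defaultdict

# Matches plain and 'detail' ASA 'show capture' lines; the lazy '.*?' skips the MAC
# addresses, ethertype and frame length that only the 'detail' form prints.
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+.*?(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SFPRU.]+)"
    r"(?: \[tcp sum ok\])?(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?")

# Constructed sample, abridged from the thread: a one-way 'detail' capture (first two
# lines) and a two-way capture that holds the complete three-way handshake.
SAMPLE = """   1: 19:00:38.503071 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: S [tcp sum ok] 3114444719:3114444719(0) win 8192 (DF) (ttl 128, id 6299)
   2: 19:00:38.670024 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: . [tcp sum ok] 3114444720:3114444720(0) ack 3866590340 win 16560 (DF) (ttl 128, id 6300)
   1: 17:04:58.488698 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: S 3950215981:3950215981(0) win 8192
   2: 17:04:58.654369 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: S 588135039:588135039(0) ack 3950215982 win 5840
   3: 17:04:58.654766 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: . ack 588135040 win 16560"""

def parse_line(line):
    m = LINE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    for k in ("seq", "ack"):  # seq is absent on a bare ACK, ack is absent on a SYN
        pkt[k] = int(pkt[k]) if pkt[k] else None
    return pkt

def classify(pkt):
    # As the ASA prints it: 'S' alone is a SYN, 'S' with an ack number is the SYN-ACK,
    # '.' with an ack number is a bare ACK; any other flag string is returned as-is.
    if "S" in pkt["flags"]:
        return "SYN-ACK" if pkt["ack"] is not None else "SYN"
    return "ACK" if pkt["flags"] == "." and pkt["ack"] is not None else pkt["flags"]

def check_handshakes(text):
    """Map each 'client:port->server:port' that sent a SYN to a handshake verdict."""
    flows = defaultdict(list)
    for pkt in filter(None, map(parse_line, text.splitlines())):
        flows[tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))].append(pkt)
    verdicts = {}
    for pkts in flows.values():
        syn = next((p for p in pkts if classify(p) == "SYN"), None)
        if syn is None:
            continue
        client, server = (syn["src"], syn["sport"]), (syn["dst"], syn["dport"])
        synack = next((p for p in pkts if classify(p) == "SYN-ACK" and (p["src"], p["sport"])
                       == server and p["ack"] == syn["seq"] + 1), None)
        ack = next((p for p in pkts if classify(p) == "ACK" and (p["src"], p["sport"]) == client), None)
        if synack and ack and ack["ack"] == synack["seq"] + 1:
            verdict = "complete"
        else:  # SYN followed only by the client's ACK: the reverse direction was not captured
            verdict = "no SYN-ACK seen; one-way capture" if ack and not synack else "incomplete"
        verdicts[f"{client[0]}:{client[1]}->{server[0]}:{server[1]}"] = verdict
    return verdicts
```

Running check_handshakes(SAMPLE) reports the 1353 flow as complete and the 3367 flow as a one-way capture, which is exactly the symptom the missing reverse access-list entry produced.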

Hi Sourav,

I was blocking the website by ACL on the ASA.

Thanks

Mahesh

Using IP or FQDN?

Can you post the access-list?

-

Sourav

Hi Sourav,

I am blocking it by IP say

access-list  extended  inside  deny tcp host 192.168.52.5 host 195.157.47.7 eq 80

Thanks

Mahesh

Well, in that case ASA should deny the very first packet sent by client to server i.e. SYN.

Can you post 'show run access-group' and make sure that the access-group is indeed applied on inside in the outbound direction?

Also, please post output of:

packet-tracer input inside tcp 192.168.52.5 discard 195.157.47.7 80

-

Sourav

Hi Sourav,

Currently the access group is applied on the inside interface -- direction is in.

Do I need to config an ACL in the out direction on the inside interface?

Will post the output shortly.

Thanks

Mahesh

Hi Sourav,

Here is the current config

access-list inside_access_in extended permit ip any any

access-list CAP extended permit tcp host 192.168.52.5 host 195.157.47.7 eq www log

access-list CAP extended permit tcp host 195.157.47.7 eq www host 192.168.52.5 log

access-group inside_access_in in interface inside

ciscoasa# packet-tracer input inside tcp 192.168.52.5 discard 195.157.47.7 80

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.52.0    255.255.255.0   inside

Phase: 5

Type: ACCESS-LIST

Subtype: log

Result: DROP

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended deny tcp host 192.168.52.5 host 195.157.47.7 eq www log

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks

Mahesh

Mahesh,

Rule looks fine. You shouldn't see any traffic going out of ASA in captures. Just clear the captures, clear any existing connections for client machine and try again and see if there are any packets seen on outside interface of ASA.

clear capture

clear connection address 192.168.52.5

-

Sourav
