This how-to describes the usage of the "capture" feature in Cisco's security products (ASA/PIX, FWSM, IOS). Many scenarios require to monitor the packets across the firewalls. Like we have a host-server communication and somehow the traffic doesn't flow as we want or we have packet-lost. For troubleshooting these issues we have the "capture" command which helps to check what comes in and out.
When we take a capture sometimes we need to know where it is in the packet processing. There are some features which must be before taking the packet.
If you apply the capture on an interface without any option or restriction, most probably you won't get a precise data what you look for. Therefore the best approach is to specify the interesting traffic by an ACL. There is no limitation how to deal with the ACLs, you can create for IP to IP or just restrict by protocol.
For this example we are going to use 10.10.10.1 as the client IP, 192.168.0.1 as the server and we want to monitor the HTTP traffic on port 80.
To define the interesting traffic in order to catch it, use this ACL:
ASA(config)# access-list cap-acl permit tcp host 10.10.10.1 host 192.168.0.1 eq 80
ASA(config)# access-list cap-acl permit tcp host 192.168.0.1 eq 80 host 10.10.10.1
As you can see we created two ACL lines, because we need to capture both directions. It is your decision how precise are you in the ACLs, but be careful what you define, may be the traffic is different than you expect.
You can find the full reference about the command "capture" below. There are many options for this command and beside to specify:
ASA# capture inside_capture interface inside access-list cap-acl
The pattern is something like this:
ASA# capture <name> interface <interface name> access-list <access-list name>
You can increase the default buffer by the "buffer" parameter. However you can use the circular-buffer too for continuous capturing.
capture capout access-list cap interface outside buffer 1000000 circular-buffer
Many users have some NAT rules on the firewall which rewrites the packet's IP addresses. You have to take into consideration on which interface which IP addresses you have to use. You cannot use the same capture ACLs on the Inside and Outside interfaces while you do natting, because on Outside interface the IP addresses will be changed.
For example we have the host 188.8.131.52 on the Inside, but it can be seen on the outside as 184.108.40.206. Destination is 220.127.116.11. In this case you need two captures with two different ACL sets, one for the Inside, one for the Outside:
Our NAT rules:
static(inside,outside) 18.104.22.168 22.214.171.124
ASA(config)# access-list cap-inside permit ip host 126.96.36.199 host 188.8.131.52
ASA(config)# access-list cap-inside permit ip host 184.108.40.206 host 220.127.116.11
ASA(config)# access-list cap-outside permit ip host 18.104.22.168 host 22.214.171.124
ASA(config)# access-list cap-outside permit ip host 126.96.36.199 host 188.8.131.52
If we need the captures for later deep analysis there is a way to grab all the results from the firewall. This lets you open them in Wireshark or other packet analyser softwares. The most common format is PCAP (Packet Capture), which save the traces in a standard format, so any third-party software can read it. By this format you will have all the details about a packet and it is necessary for deep troubleshooting.
There are two ways to download the captures. For example our firewall management interface is 10.0.0.254 and we have done the capture with name "inside_capture".
1. Via HTTPS
One is to open your favourite browser and follow this pattern: https://<ip address of firewall>/capture/<context>/<capture_name>/pcap
Please note we use secure HTTP (HTTPS) instead of HTTP.
2. Via "copy" command
You can go under the system context and upload them to a tftp server by the "copy" command.
Pattern: "copy /pcap capture:([CONTEXT]/)[NAME] tftp:"
FWSM# copy /pcap capture:inside_capture tftp:
Source capture name [inside_capture]?
Address or name of remote host ? 10.0.0.254
Destination filename [inside_capture]?
If the capture is configured with a circular buffer and you want to make a copy of the capture at a particular point without disabling the capture, you can run the command below.
FWSM# copy /pcap capture:inside-capture disk0:inside-capture.pcap
If you don't need to analyse the captures or view the packet inside, alternatively, you can view them from CLI using the "sh capture" command. For example, following in the 3-way TCP handshake of browsing to the server of our example.
ASA# sh capture inside_capture
3 packets captured
1: 18:23:39.364650 802.1Q vlan#100 P0 10.0.0.1.1435 > 192.168.0.1.80: S 1914936295:1914936295(0)
win 65535 <mss 1460,nop,nop,sackOK>
2: 18:23:39.428231 802.1Q vlan#100 P0 192.168.0.1.80 > 10.0.0.1.1435: S 4004665739:4004665739(0)
ack 1914936296 win 8192 <mss 1380>
3: 18:23:39.428353 802.1Q vlan#100 P0 10.0.0.1.1435 > 192.168.0.1.80: . ack 4004665740 win 65535
For more detailed information you can use the "detail" or "dump" option of the command.
Use the "NO" command to remove the captures.
ASA# no capture [NAME OF THE CAPTURE]
Without the "packet-length" parameter you cannot see the full packets in the capture files. You need to extend your command with this option.
ASA# capture inside_capture interface inside access-list cap-acl packet-length 1500
PIX/ASA 7.x, and higher will also let you setup a capture for only dropped packets. This is done with the 'type asp-drop <drop-code>' option. For example:
capture dropped type asp-drop all
This would give you a capture that includes all packets dropped by the firewall. Here is the command reference as well:
Captures taken on an FWSM are not always trustworthy. The reason is that due to a few bugs in the FWSM software versions captures might capture only egress packets thus missing information that is useful for the capture analysis. As an alternative for FWSMs that run span monitoring session on the FWSM's vlans can be used. In more detail,
1. Configure a SPAN monitor port for the ingress and egress VLANs of the FWSM.
Switch# monitor session 2 source vlan 600 , 601 both
This will replicate these two VLANs (vlan 600 and 601 are the outside and inside firewall interfaces in this example) to a third interface/vlan as provided below.
2. Push this data to an external capture device (connection on the switch port FastEthernet 3/1 in this example) running capture software such as Ethereal/Wireshark.
Switch# monitor session 2 destination interface FastEthernet Fa 3/1
3. Captures then can be saved and analysed with the capture software.
In this example we want to check that the HTTP traffic passing trough or not on the firewall.
for the inside interface:
access-list cap-inside permit tcp host 192.0.2.100 host 198.18.0.2 eq 80
access-list cap-inside permit tcp host 198.18.0.2 eq 80 host 192.0.2.100
for the outside interface
access-list cap-outside permit tcp host 198.18.0.1 host 198.18.0.2 eq 80
access-list cap-outside permit tcp host 198.18.0.2 eq 80 host 198.18.0.1
2. Start capturing on the interfaces, we need full packets and increased buffer
capture capin access-list cap-inside interface Inside packet-length 1500 buffer 8000000
capture capout access-list cap-outside interface Outside packet-length 1500 buffer 8000000
3. If you want to check the status of the capture, type "show capture"
ASA# show capture
capture capin type raw-data buffer 8000000 [Capturing - 7653 bytes]
capture capout type raw-data buffer 8000000 [Capturing - 7653 bytes]
In this example as you can see we receive and forward traffic on the Inside and Outside interfaces. If you see 0 bytes captured on the Outside interface, it means that either you made a mistake defining the interesting traffic in the ACL or the ASA drops the packets.
4. To view in text format on the ASA itself, type "show capture capin"
ASA# show capture capin
24 packets captured
1: 00:53:02.060223 802.1Q vlan#39 P0 192.0.2.100.10522 > 198.18.0.2.80: S 2749700501:2749700501(0) win 5560 <mss 1380,sackOK,timestamp 27240468 0,nop,wscale 7>
2: 00:53:02.101587 802.1Q vlan#39 P0 198.18.0.2.80> 192.0.2.100.10522: S 2333916621:2333916621(0) ack 2749700502 win 5792 <mss 1380,sackOK,timestamp 924355820 27240468,nop,wscale 7>
3: 00:53:02.102320 802.1Q vlan#39 P0 192.0.2.100.10522 > 198.18.0.2.80: . ack 2333916622 win 44 <nop,nop,timestamp 27240472 924355820>
5. You can download the captures by cli command. We are running TFTP server on the client host.
ASA# copy /pcap capture:cap tftp:
Source capture name [cap]?
Address or name of remote host ? 192.0.2.100
Destination filename [cap]? cap.pcap