06-10-2009 12:42 AM - edited 03-08-2019 05:58 PM
This article explains how to take captures using the "capture" feature that exists in Cisco's security products (ASA/PIX, FWSM, IOS). We will assume that there is a client and a web server that experience problems in their communication through a Cisco firewall; such scenarios often require packet captures to identify the problem. Assuming that the traffic traverses interfaces named inside and outside on the firewall, we will set up captures for the traffic between the client and the server.
Find out the IP address of the client host and, if possible, the port that host will connect to on the server (for our example, HTTP on TCP port 80). For this example we are going to use 10.0.0.1 as the client IP and 192.168.0.1 as the server IP.
To define the interesting traffic so that it can be caught, use an ACL.
ASA(config)# access-list cap-list permit tcp host 10.0.0.1 host 192.168.0.1 eq 80
ASA(config)# access-list cap-list permit tcp host 192.168.0.1 eq 80 host 10.0.0.1
Make sure you identify traffic in both directions (to and from the server). While an access-list is not needed, it does help keep the captures clean and concise.
ASA# capture <name> interface (interface) access-list (access list) buffer (bytes to capture) packet 1522
For example:
ASA# capture in-cap interface inside access-list cap-list buffer 1000000 packet 1522
ASA# capture out-cap interface outside access-list cap-list buffer 1000000 packet 1522
Please note that if NAT/PAT is taking place you might need to create two different access lists with different IP addresses and/or ports to capture the translated traffic.
In ASA 8.0 and later you can take the above capture using the match option, which captures bidirectionally.
ASA# capture in-cap interface inside match tcp host 10.0.0.1 host 192.168.0.1 eq 80
For our example, browse to the server.
Note: You must have HTTP access to the ASA from your host/subnet before you will be able to access the capture via a web browser as indicated below. If you do not have HTTP access, your web browser will time out and Packet Tracer will show an acl-drop on the ASA when troubleshooting.
An example command to enable HTTP management traffic is as follows:
ASA(config)# http 10.0.0.0 255.0.0.0 inside
where 10.0.0.0 is the allowed subnet and 255.0.0.0 is the mask.
To view the captures, browse to
https://ip_of_firewall/capture/in-cap/pcap
https://ip_of_firewall/capture/out-cap/pcap
By default the browser will save the file as 'pcap', which is largely useless. Alternatively, you can specify the name it should be saved as by appending the desired name to the end of the URL:
https://ip_of_firewall/capture/in-cap/pcap/inside.pcap
https://ip_of_firewall/capture/out-cap/pcap/outside.pcap
and save the captures in two separate files.
If an FWSM is in multiple context mode and the capture is taken in a context (e.g., examplectx), depending on the FWSM version you might not be able to retrieve it using https://<context ip>/capture/<context>/<capture_name>/pcap. Alternatively, you can go to the system context and upload it to a TFTP server (let's say its IP is 10.0.0.2).
FWSM# copy /pcap capture:examplectx/in-cap tftp:
Source capture name [examplectx/in-cap]?
Address or name of remote host []? 10.0.0.2
Destination filename [in-cap]?
!!!!!!!!!!!!!!!!!!
If the capture is configured with a circular buffer and you want to make a copy of the capture at a particular point without disabling the capture, you can run the command below.
copy /pcap capture:in-cap disk0:in-cap.pcap
To analyze the captures you can use software like Wireshark or Ethereal.
Alternatively, you can view the captures from the CLI using the "sh capture" command. For example, the following is the 3-way TCP handshake from browsing to the server in our example.
ASA# sh capture in-cap
719 packets captured
1: 18:23:39.364650 802.1Q vlan#100 P0 10.0.0.1.1435 > 192.168.0.1.80: S 1914936295:1914936295(0) win 65535 <mss 1460,nop,nop,sackOK>
2: 18:23:39.428231 802.1Q vlan#100 P0 192.168.0.1.80 > 10.0.0.1.1435: S 4004665739:4004665739(0) ack 1914936296 win 8192 <mss 1380>
3: 18:23:39.428353 802.1Q vlan#100 P0 10.0.0.1.1435 > 192.168.0.1.80: . ack 4004665740 win 65535
For more detailed information you can use the "detail" or "dump" option of the command.
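The handshake above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original article and not Cisco tooling: it parses the one-line-per-packet format of "sh capture" shown above (using the article's three packets, with the wrapped lines joined, as a constructed sample) and classifies whether the TCP three-way handshake between the client and the server completed. The field names, the optional handling of the 802.1Q prefix, and the status labels are assumptions of this example. Run the same check against the inside and outside captures: a SYN present on the inside capture but absent on the outside one means the firewall never forwarded it, while a SYN-ACK that never gets its final ACK points at the return path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three-way handshake from the article's "sh capture in-cap"
# output, with the wrapped continuation lines joined back onto their packet lines.
SAMPLE = """\
719 packets captured
   1: 18:23:39.364650 802.1Q vlan#100 P0 10.0.0.1.1435 > 192.168.0.1.80: S 1914936295:1914936295(0) win 65535 <mss 1460,nop,nop,sackOK>
   2: 18:23:39.428231 802.1Q vlan#100 P0 192.168.0.1.80 > 10.0.0.1.1435: S 4004665739:4004665739(0) ack 1914936296 win 8192 <mss 1380>
   3: 18:23:39.428353 802.1Q vlan#100 P0 10.0.0.1.1435 > 192.168.0.1.80: . ack 4004665740 win 65535
"""

# One packet line: number, timestamp, optional VLAN tag, src.port > dst.port: flags,
# optional seq:seq_end(len), optional ack N, then win N (options after that are ignored).
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+)"
    r"(?: (?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)


@dataclass
class TcpPacket:
    num: int
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" for SYN, "." for no flags (pure ACK), "P", "F", ...
    seq: Optional[int]  # None when the line carries no seq range (e.g. a pure ACK)
    ack: Optional[int]
    win: int


def parse_show_capture(text: str) -> List[TcpPacket]:
    """Parse the TCP lines of "sh capture" output; header and non-TCP lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        packets.append(TcpPacket(
            num=int(g["num"]), ts=g["ts"],
            src=g["src"], sport=int(g["sport"]),
            dst=g["dst"], dport=int(g["dport"]),
            flags=g["flags"],
            seq=int(g["seq"]) if g["seq"] else None,
            ack=int(g["ack"]) if g["ack"] else None,
            win=int(g["win"]),
        ))
    return packets


def handshake_status(packets: List[TcpPacket], client: str, server: str, dport: int) -> str:
    """Classify the handshake between client and server:dport.

    Returns 'complete', 'no-syn', 'no-syn-ack', 'bad-ack' (SYN-ACK does not
    acknowledge SYN seq + 1) or 'no-ack' (client never sent the final ACK).
    """
    syn = next((p for p in packets if p.src == client and p.dst == server
                and p.dport == dport and p.flags == "S" and p.ack is None), None)
    if syn is None:
        return "no-syn"
    synack = next((p for p in packets if p.src == server and p.sport == dport
                   and p.dst == client and p.dport == syn.sport
                   and p.flags == "S" and p.ack is not None), None)
    if synack is None:
        return "no-syn-ack"
    if synack.ack != syn.seq + 1:
        return "bad-ack"
    ack = next((p for p in packets if p.src == client and p.sport == syn.sport
                and p.dst == server and p.dport == dport
                and p.flags == "." and p.ack == synack.seq + 1), None)
    return "complete" if ack else "no-ack"


if __name__ == "__main__":
    pkts = parse_show_capture(SAMPLE)
    for p in pkts:
        print(p.num, p.src, p.sport, "->", p.dst, p.dport, p.flags, p.seq, p.ack)
    print("handshake:", handshake_status(pkts, "10.0.0.1", "192.168.0.1", 80))
```

Feed the script the output of "sh capture in-cap" and "sh capture out-cap" separately; the status that differs between the two interfaces tells you which direction the firewall interfered with.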
Use the commands
ASA# no capture in-cap
ASA# no capture out-cap
to remove the captures.
IOS
Utilizing the New Packet Capture Feature (/document/29616/utilizing-new-packet-capture-feature).
Predicaments
The reader should note that captures taken on an FWSM running a software version prior to 3.1.7 in the 3.1 train or 3.2.5 in the 3.2 train are not always trustworthy: due to a few bugs in the early FWSM software versions, captures might contain only egress packets, missing information that is useful for the capture analysis. As an alternative for FWSMs that run early software versions, a SPAN session on the FWSM's VLANs can be used. In more detail:
1. Configure a SPAN monitor port for the ingress and egress VLANs of the FWSM.
Switch# monitor session 2 source vlan 2 , 3 both
This will replicate these two VLANs (VLAN 2 and 3 are the outside and inside firewall interfaces in this example) to a third interface/VLAN as shown below.
2. Push this data to an external capture device (connected to switch port FastEthernet 3/1 in this example) running capture software such as Ethereal/Wireshark.
Switch# monitor session 2 destination interface fastEthernet 3/1
3. Captures can then be saved and analyzed with the capture software.
Hi,
Don't know, my question might be out of discussion, but I need to ask this.
Can we NAT any public IP to a private IP and route it?
I have a firewall which has an MPLS interface, an Outside interface and an Internet interface.
Now, for example, I have a mail server on the internet (112.1.1.5); I need to NAT it to an internal IP and route it to MPLS users.
My internal network can have access to the internet but my MPLS users will not have access to the internet.
We have both SMTP and POP3, so whatever requests go to and come from IP 112.1.1.5 should look like an internal IP for MPLS users.
We use an ASA 5510 firewall.
Thanks in advance.
Hi Mihammad,
The question is posted in the wrong place. Post firewall related questions here:
https://supportforums.cisco.com/community/netpro/security/firewall
We can NAT the outside mail server to an inside IP so that MPLS users can see it. Post this query at the above link if you still need help.
-
Sourav
Hi All
I have a question in regard to capture:
1. What's the maximum size of capture that can be done on the ASA?
The reason being, I have started work with a company which has many any-any rules to destinations in the DMZ and external. I want to tie it down to specific ports only, so I want to run a capture on the inside interface to collect the port data that the sources are trying to hit.
2. Does the pcap file use internal ASA memory? If left to run for long, will it affect ASA operation?
3. Is there a way to set up the ASA so that the pcap file gets saved on external storage?
Your input will be highly appreciated.
Regards
Initiaz
Hello, TurnersID.
1. whats the maximum size of capture that can be done on the ASA.
You can get the available amount if you enter the command (note "test" is a capture name)
capture test buffer ?
Result of the command: "capture test buffer ?"
exec mode commands/options:
<1534-33554432> Size of capture buffer in bytes
Also I think you can find this document useful.
2. Does the pcap file use internal ASA memory.
As far as I know the answer is yes. The capture is stored in RAM.
If left to run for long will it affect ASA operation.
I've had cases where I ran a capture for a few days without any significant impact on Cisco ASA performance. But I want to admit that I use a narrowed ACL for traffic selection and monitor CPU and RAM utilization all the time during the capture.
3. Is there a way to setup ASA so that the pcap file gets saved on a external storage.
Yes. You can use the command
copy /pcap capture:
But if you want to automate this process I suppose you can do it with the help of an EEM script.
In my opinion, for your purposes the preferable method will be to enable logging for the permit any any ACE and monitor syslog. After that, add all needed ACEs above permit any any and check hit counters. And finally remove the permit any any ACE from the ACL.
Another option is SPAN from the port which the ASA is connected to, to a port with a PC + Wireshark.
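The logging-based approach in the answer above (log hits on the permit any any ACE, read the syslog, then add specific ACEs above it) can be turned into a small script. The Python below is an added example, not the commenter's or Cisco's code: it parses %ASA-6-106100 access-list hit messages, aggregates permitted flows by protocol, destination and destination port, and prints candidate host-to-host ACEs ordered by hit count. The sample syslog lines are constructed to follow the 106100 message format; the ACL name inside_access_in, the interface names, the hosts and the hit counts are made up for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample syslog lines in the %ASA-6-106100 format (logging enabled on the
# permit any any ACE of an ACL named inside_access_in). Hosts and counts are made up.
# The last line is a different message ID (106023) and must be ignored by the parser.
SAMPLE_SYSLOG = """\
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.0.0.1(1435) -> dmz/192.168.0.1(80) hit-cnt 1 first hit [0x8ed66b60, 0x0]
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.0.0.1(1440) -> dmz/192.168.0.1(80) hit-cnt 17 300-second interval [0x8ed66b60, 0x0]
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.0.0.7(51022) -> dmz/192.168.0.1(443) hit-cnt 3 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list inside_access_in permitted udp inside/10.0.0.9(53211) -> outside/203.0.113.5(53) hit-cnt 40 300-second interval [0x5e6f7a8b, 0x0]
%ASA-6-106100: access-list inside_access_in denied tcp inside/10.0.0.1(1450) -> dmz/192.168.0.1(23) hit-cnt 1 first hit [0x9c0d1e2f, 0x0]
%ASA-4-106023: Deny tcp src inside:10.0.0.1/1451 dst dmz:192.168.0.1/3389 by access-group "inside_access_in"
"""

# %ASA-6-106100: access-list <acl> <action> <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt <n> ...
ACE_LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<sif>[^/]+)/(?P<src>[^()]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dst>[^()]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

FlowKey = Tuple[str, str, int]          # (protocol, destination, destination port)


def summarize_permits(text: str, acl_name: str) -> Dict[FlowKey, dict]:
    """Aggregate permitted flows of one ACL by (proto, dst, dport).

    Returns {(proto, dst, dport): {"hits": total_hit_cnt, "sources": {src, ...}}}.
    Denied / est-allowed entries and other message IDs are ignored.
    """
    flows: Dict[FlowKey, dict] = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in text.splitlines():
        m = ACE_LOG_RE.search(line)
        if not m or m["acl"] != acl_name or m["action"] != "permitted":
            continue
        key: FlowKey = (m["proto"], m["dst"], int(m["dport"]))
        flows[key]["hits"] += int(m["hits"])
        flows[key]["sources"].add(m["src"])
    return dict(flows)


def suggest_aces(flows: Dict[FlowKey, dict], acl_name: str) -> List[str]:
    """Turn observed flows into host-to-host ASA ACEs, busiest destination first.

    These are candidates to place above the permit any any ACE; each source should
    still be reviewed before it is added, since the log only shows what was used
    during the logging window.
    """
    aces: List[str] = []
    for (proto, dst, dport), info in sorted(flows.items(), key=lambda kv: -kv[1]["hits"]):
        for src in sorted(info["sources"]):
            aces.append(
                f"access-list {acl_name} extended permit {proto} host {src} host {dst} eq {dport}"
            )
    return aces


if __name__ == "__main__":
    observed = summarize_permits(SAMPLE_SYSLOG, "inside_access_in")
    for key, info in observed.items():
        print(key, info["hits"], sorted(info["sources"]))
    print("\n".join(suggest_aces(observed, "inside_access_in")))
```

Point the script at a syslog export covering a representative period (including any monthly or batch jobs), compare the suggested ACEs with the hit counters after they are in place, and only then remove the permit any any ACE as the answer describes.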
Unless Chrome is freaking out for some reason, the first code section formatting got screwed up. Here's what I see:
To define the the interesting traffic in order to catch it, use an ACL.
</code></p><p><code>
</code></p><p><code>
</code></p><p><code>
</code></p><pre>ASA(config)# access-list cap-list permit tcp host 10.0.0.1 host 192.168.0.1 eq 80 <br/>ASA(config)# access-list cap-list permit tcp host 192.168.0.1 eq 80 host 10.0.0.1</pre><p></p><p>Make sure you identify traffic in both directions (to and from the server). While an access-list is not needed, it does help keep the captures clean and concise.</p><p></p><h2><span class="mw-headline">Start the captures</span></h2><p></p><p><code>
Confirm. I see source code in the first code section instead of formatted text in Google Chrome 45.0.2454.85 m.
Hey Thanks friend.