Packet capture from Cisco ASA
August 18th, 2014
One of my favorite troubleshooting tools on the Cisco ASA firewall is doing a packet capture. An incoming packet will hit the capture before any ACL or NAT or other processing. An outgoing packet will hit a capture last before being put on the wire.
To start the capture, use this command
|
1 |
capture <Capture Name> interface <Interface> match ip host <Source IP> host <Destination IP> eq <Port> |
Example
|
1 |
capture CAP1 int INSIDE match ip host 1.1.1.1 host 2.2.2.2 |
To view the capture from CLI
|
1 |
show capture CAP1 |
To download the pcap file
|
1 |
copy /pcap capture:CAP1 ftp://user:pass@1.2.3.4/CAP1.pcap |
Or from your browser
|
1 |
https://1.1.1.1/admin/capture/CAP1/pcap |
To clear the capture
|
1 |
clear capture CAP1 |
And finally, to remove the capture
|
1 |
no capture CAP1 |
Happy sniffing!
Categories: Networking