Capturing 'interesting' traffic on a ASA

Unanswered Question
Jan 8th, 2010

Hello,

A while back a Cisco engineer configured a capture on our Cisco ASA via the CLI and I can't remember how he did this. I have a source and destination address I'm interested in, in both directions; he managed to create some sort of access-list and then display the logging in the CLI only for that capture, filtering out the rest of the CLI logging.


For example I want to capture traffic between 192.168.1.11 (inside interface) and 212.58.224.138 (outside interface)


Any idea what this config might look like for me to add?


Thanks

resoares Fri, 01/08/2010 - 03:36

Hi Andy,

Use the command capture with the configured ACLs, but keep in mind that only incoming traffic can be captured. If you want to capture the traffic that comes from inside and outside, you will need to create two captures as well.

Br,

Kureli Sankar Fri, 01/08/2010 - 05:22

On 7.2.4 or above you can do captures with just one line using the match keyword.

cap capin int inside match ip host 192.168.1.11 host 212.58.224.138

sh cap capin - to display packets

clear cap capin - to collect fresh packets

no cap capin - to remove

This will collect bi-directional traffic between the two hosts.

If you don't run a code where the "match" word is present, then you can follow this document:

https://supportforums.cisco.com/docs/DOC-1222

-KS

Andy White Fri, 01/08/2010 - 06:56

I am on 8.0.4.48

So would something like this work (looking at the CLI ? command)?

access-list mycap extended permit ip host 192.168.1.11 host 212.58.224.138
access-list mycap extended permit ip host 212.58.224.138 host 192.168.1.11
capture mycap type raw-data access-list mycap interface inside

sh cap mycap

Thanks

resoares Fri, 01/08/2010 - 07:07

Try this one:

access-list mycap extended permit ip host 192.168.1.11 host 212.58.224.138
access-list mycap1 extended permit ip host 212.58.224.138 host 192.168.1.11

capture mycap type raw-data access-list mycap interface inside
capture mycap1 type raw-data access-list mycap1 interface outside

Br,

Andy White Fri, 01/08/2010 - 07:55

So will this only capture from 212.58.224.138 to host 192.168.1.11 (mycap1)? Then do I swap to:

capture mycap type raw-data access-list mycap interface outside

to see traffic from the other direction?

Kureli Sankar Fri, 01/08/2010 - 08:31

Did you refer to the link that I enclosed?

If you can use the "match" keyword then you hit the jackpot.

You can see bi-directional traffic with just two capture lines.

cap capin int inside match ip host 192.168.1.11 any

cap capout int outside match ip any host 212.58.224.138

If you cannot use the match keyword then you need:

2 ACLs for the inside capture.

2 ACLs for the outside capture.

access-l test-in permit ip host 192.168.1.11 any
access-l test-in permit ip any host 192.168.1.11

cap capin access-l test-in int inside packet-l 1518

access-l test-out permit ip host 212.58.224.138 any
access-l test-out permit ip any host 212.58.224.138

cap capout access-l test-out int outside packet-len 1518

-KS
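As an added worked example (not posted by anyone in this thread), the match-based approach from the replies above, completed with a sized buffer on each interface, verification of what was matched, and export of the buffers as pcap files so they can be read in Wireshark. The TFTP server 192.0.2.10 is a placeholder; the host addresses are the ones from the question.

```text
! Bidirectional capture of the two hosts on each interface (ASA 7.2.4+ "match" syntax).
! "match ip host A host B" already covers both directions, so one line per interface is enough.
! buffer is in bytes; packet-length keeps whole frames rather than the default truncation.
capture capin interface inside buffer 1048576 packet-length 1518 match ip host 192.168.1.11 host 212.58.224.138
capture capout interface outside buffer 1048576 packet-length 1518 match ip host 192.168.1.11 host 212.58.224.138
!
! Confirm the captures exist and are accumulating bytes, then inspect decoded headers.
show capture
show capture capin detail
show capture capout detail
!
! Export each buffer as pcap for offline analysis (192.0.2.10 is a placeholder TFTP server).
copy /pcap capture:capin tftp://192.0.2.10/capin.pcap
copy /pcap capture:capout tftp://192.0.2.10/capout.pcap
!
! Captures stay in memory until removed; clear or delete them when finished.
clear capture capin
clear capture capout
no capture capin
no capture capout
```

Because the ASA only captures packets arriving on the named interface, the inside capture shows the host's outbound traffic before NAT and the outside capture shows the return traffic after NAT, which is why both are needed to see the full conversation.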
