Capturing 'interesting' traffic on a ASA

Andy White
Level 3

Hello,

A while back a Cisco engineer configured a capture on our Cisco ASA via the CLI and I can't remember how he did this. I have a source and destination address I'm interested in, in both directions; he managed to create some sort of access-list and then display the logging in the CLI only for that capture, filtering out the rest of the CLI logging.

For example, I want to capture traffic between 192.168.1.11 (inside interface) and 212.58.224.138 (outside interface).

Any idea what this config might look like for me to add?

Thanks

8 Replies

resoares
Cisco Employee

Hi Andy,

Use the capture command with the configured ACLs, but keep in mind that only incoming traffic can be captured. If you want to capture the traffic that comes from inside and outside, you will need to create two captures as well.

Br,

I mean, two captures :-)

On 7.2.4 or above you can do captures with just one line, using the match keyword.

cap capin int inside match ip host 192.168.1.11 host 212.58.224.138

sh cap capin - to display packets

clear cap capin - to collect fresh packets

no cap capin - to remove

This will collect bi-directional traffic between the two hosts.

If you don't run code where the "match" keyword is present, you can follow this document:

https://supportforums.cisco.com/docs/DOC-1222

-KS

I am on 8.0.4.48

So would something like this work (looking at the CLI ? command)?

access-list mycap extended permit ip host 192.168.1.11 host 212.58.224.138
access-list mycap extended permit ip host 212.58.224.138 host 192.168.1.11
capture mycap type raw-data access-list mycap interface inside

sh cap mycap

Thanks

Try this one:

access-list mycap extended permit ip host 192.168.1.11 host 212.58.224.138

access-list mycap1 extended permit ip host 212.58.224.138 host 192.168.1.11

capture mycap type raw-data access-list mycap interface inside

capture mycap1 type raw-data access-list mycap1 interface outside

Br,

So will this only capture from 212.58.224.138 to host 192.168.1.11 (mycap1)? Then do I swap to:

capture mycap type raw-data access-list mycap interface outside

to see traffic from the other direction?

Did you refer to the link that I enclosed?

If you can use the "match" keyword then you hit the jackpot.

You can see bi-directional traffic with just two capture lines.

cap capin int inside match ip host 192.168.1.11 any

cap capout int outside match ip any host 212.58.224.138

If you cannot use the match keyword then you need:

2 ACLs for the inside capture.

2 ACLs for the outside capture.

access-l test-in permit ip host 192.168.1.11 any

access-l test-in permit ip any host 192.168.1.11

cap capin access-l test-in int inside packet-length 1518

access-l test-out permit ip host 212.58.224.138 any

access-l test-out permit ip any host 212.58.224.138

cap capout access-l test-out int outside packet-length 1518

-KS
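The two approaches in this thread (the one-line match form on 7.2.4 and later, ACL-based captures on older code) can be generated from the ASA version string so the right syntax is used. This is an added example, not code from the thread or from Cisco; the capture names, ACL names and interface names are assumptions, and the version cut-off is the one stated in the replies above.

```python
"""Build Cisco ASA capture commands for traffic between two hosts.

Picks the single-line 'match' form when the ASA release is 7.2.4 or
later (as the replies above state) and otherwise emits ACL-based
captures with one ACL entry per direction, one capture per interface.
"""
import re
from typing import List, Tuple

MATCH_MIN_VERSION = (7, 2, 4)  # 'match' keyword available from 7.2.4 per the thread


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.0.4.48' or '8.0(4)48' into a comparable tuple of ints."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version numbers in {text!r}")
    return tuple(int(n) for n in nums)


def supports_match(version: str) -> bool:
    """True when the ASA release is 7.2.4 or later (tuple comparison)."""
    return parse_version(version) >= MATCH_MIN_VERSION


def capture_commands(version: str, inside_host: str, outside_host: str,
                     inside_if: str = "inside", outside_if: str = "outside",
                     packet_length: int = 1518) -> List[str]:
    """Return the CLI lines to enter; names 'capin'/'capout' are assumptions."""
    if supports_match(version):
        # 'match ip host A host B' is bi-directional, so one line per interface.
        return [
            f"capture capin interface {inside_if} match ip host {inside_host} host {outside_host}",
            f"capture capout interface {outside_if} match ip host {inside_host} host {outside_host}",
        ]
    cmds: List[str] = []
    for name, iface in (("capin", inside_if), ("capout", outside_if)):
        acl = f"{name}-acl"  # hypothetical ACL name
        # ACL-based captures need an explicit entry for each direction.
        cmds.append(f"access-list {acl} extended permit ip host {inside_host} host {outside_host}")
        cmds.append(f"access-list {acl} extended permit ip host {outside_host} host {inside_host}")
        cmds.append(f"capture {name} type raw-data access-list {acl} "
                    f"interface {iface} packet-length {packet_length}")
    return cmds


if __name__ == "__main__":
    for line in capture_commands("8.0.4.48", "192.168.1.11", "212.58.224.138"):
        print(line)
```

Review the output with show capture capin / show capture capout, and remove both captures (no capture ...) once the troubleshooting is done so the buffer is not left running.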
