New Member

Capturing 'interesting' traffic on a ASA

Hello,

A while back a Cisco engineer configured a capture on our Cisco ASA via the CLI and I can't remember how he did this.  I have a source and destination address I'm interested in, in both directions; he managed to create some sort of access-list and then display the logging in the CLI only for that capture, filtering out the rest of the CLI logging.

For example I want to capture traffic between 192.168.1.11 (inside interface) and 212.58.224.138 (outside interface)

Any idea what this config might look like for me to add?

Thanks

8 REPLIES
Cisco Employee

Re: Capturing 'interesting' traffic on a ASA

Hi Andy,

Use the capture command with the configured ACLs, but keep in mind that only incoming traffic can be captured. If you want to capture the traffic that comes from inside and outside, you will need to create to capture as well.

Br,

Cisco Employee

Re: Capturing 'interesting' traffic on a ASA

I mean, two captures :-)

Cisco Employee

Re: Capturing 'interesting' traffic on a ASA

On 7.2.4 or above you can do captures with just one line using the match keyword.

cap capin int inside match ip host 192.168.1.11 host 212.58.224.138

sh cap capin - to display packets

clear cap capin - to collect fresh packets

no cap capin - to remove

This will collect bi-directional traffic between the two hosts.

If you don't run code where the "match" keyword is present, you can follow this document:

https://supportforums.cisco.com/docs/DOC-1222

-KS

New Member

Re: Capturing 'interesting' traffic on a ASA

I am on 8.0.4.48

So would something like this work (looking at the CLI ? command)?

access-list mycap extended permit ip host 192.168.1.11 host 212.58.224.138
access-list mycap extended permit ip host 212.58.224.138 host 192.168.1.11
capture mycap type raw-data access-list mycap interface inside

sh cap mycap

Thanks

Cisco Employee

Re: Capturing 'interesting' traffic on a ASA

Try this one:

access-list mycap extended permit ip host 192.168.1.11 host 212.58.224.138

access-list mycap1 extended permit ip host 212.58.224.138 host 192.168.1.11

capture mycap type raw-data access-list mycap interface inside

capture mycap1 type raw-data access-list mycap1 interface outside

Br,

New Member

Re: Capturing 'interesting' traffic on a ASA

So will this only capture from 212.58.224.138 to host 192.168.1.11 (mycap1)?  Then do I swap to:

capture mycap type raw-data access-list mycap interface outside

to see traffic from the other direction?

Cisco Employee

Re: Capturing 'interesting' traffic on a ASA

Did you refer to the link that I enclosed?

If you can use the "match" keyword then you hit the jackpot.

You can see bi-directional traffic with just two capture lines.

cap capin int inside match ip host 192.168.1.11 any

cap capout int outside match ip any host 212.58.224.138

If you cannot use the match keyword then you need

2 acls for inside capture.

2 acls for the outside capture.

access-l test-in permit ip host 192.168.1.11 any

access-l test-in permit ip any host 192.168.1.11

cap capin access-l test-in int inside packet-length 1518

access-l test-out permit ip host 212.58.224.138 any

access-l test-out permit ip any host 212.58.224.138

cap capout access-l test-out int outside packet-length 1518

-KS
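The thread's two procedures (one "match" line on 7.2.4+, or an access-list that permits both directions on older code) and the verification step that follows them, as an added example that is not part of the original thread. The script builds the CLI lines for either style and then parses the tcpdump-style summary lines that "show capture NAME" prints, counting packets in each direction so you can confirm that the capture really caught both sides of the conversation instead of only one. The sample output is constructed to approximate the ASA's summary format and is not taken from the thread; function names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of "show capture capin" output, approximating the ASA's
# tcpdump-style summary lines (not copied from a real device).
SAMPLE_SHOW_CAPTURE = """\
4 packets captured
   1: 10:15:01.123456 192.168.1.11.51522 > 212.58.224.138.80: S 1:1(0) win 8192 <mss 1460>
   2: 10:15:01.145678 212.58.224.138.80 > 192.168.1.11.51522: S 2:2(0) ack 2 win 5840 <mss 1380>
   3: 10:15:01.146012 192.168.1.11.51522 > 212.58.224.138.80: . ack 3 win 17520
   4: 10:15:02.500000 192.168.1.11 > 212.58.224.138: icmp: echo request
4 packets shown
"""

# One summary line: index, timestamp, src[.port] > dst[.port]: protocol details.
# The port is optional so ICMP lines (no ports) parse as well as TCP/UDP lines.
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def capture_commands(name, iface, host_a, host_b, use_match=True, packet_length=1518):
    """Emit the CLI lines for a host-pair capture on one interface.

    With use_match (ASA 7.2.4 and later) a single 'match' line is bidirectional.
    Without it, the capture ACL must permit both directions explicitly, because
    a capture only sees packets that arrive on its interface; a one-way ACL
    therefore records only one side of the conversation.
    """
    if use_match:
        return [f"capture {name} interface {iface} match ip host {host_a} host {host_b}"]
    acl = f"{name}-acl"  # assumed ACL name, not from the thread
    return [
        f"access-list {acl} extended permit ip host {host_a} host {host_b}",
        f"access-list {acl} extended permit ip host {host_b} host {host_a}",
        f"capture {name} type raw-data access-list {acl} interface {iface} "
        f"packet-length {packet_length}",
    ]


def parse_show_capture(text):
    """Return one dict per packet summary line; header/footer lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "4 packets captured" / "4 packets shown"
        d = m.groupdict()
        d["idx"] = int(d["idx"])
        d["sport"] = int(d["sport"]) if d["sport"] else None
        d["dport"] = int(d["dport"]) if d["dport"] else None
        pkts.append(d)
    return pkts


def direction_counts(pkts, host_a, host_b):
    """Count packets A->B, B->A, and anything else that slipped into the capture."""
    c = Counter()
    for p in pkts:
        if p["src"] == host_a and p["dst"] == host_b:
            c["a_to_b"] += 1
        elif p["src"] == host_b and p["dst"] == host_a:
            c["b_to_a"] += 1
        else:
            c["other"] += 1
    return c


def is_bidirectional(pkts, host_a, host_b):
    """True only if the capture holds at least one packet in each direction."""
    c = direction_counts(pkts, host_a, host_b)
    return c["a_to_b"] > 0 and c["b_to_a"] > 0


if __name__ == "__main__":
    for line in capture_commands("capin", "inside", "192.168.1.11", "212.58.224.138", use_match=False):
        print(line)
    pkts = parse_show_capture(SAMPLE_SHOW_CAPTURE)
    print(direction_counts(pkts, "192.168.1.11", "212.58.224.138"))
    print("bidirectional:", is_bidirectional(pkts, "192.168.1.11", "212.58.224.138"))
```

If the check reports packets in only one direction on an ACL-based capture, the usual cause is the one the thread describes: the ACL permits a single direction, so the return traffic is never matched. For anything beyond eyeballing summaries, the capture buffer can be pulled off the box as a pcap with `copy /pcap capture:capin tftp://<server>/capin.pcap` and opened in Wireshark.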
