
Cisco PIX - Capture Question

TheJax2009
Level 1

Hello,

I've been able to find information on setting up a CAPTURE for incoming traffic. However, I am having a hard time setting up a CAPTURE for traffic heading out of my network to the Internet.

Can someone please assist in how I can set this up?

Thank you in advance.


4 Replies

bmcginn
Level 3

Hi there Nicholas,

The capture command captures ALL traffic coming in or going out of the interface.

eg

capture blah interface outside

will create a capture file called blah that captures all traffic coming in or leaving the 'outside' interface.

Brad

Thanks for the reply Brad. Just one follow-up question.

I am trying to identify if a system on my LAN is communicating with port 25 on any server outside of my network. In the capture, I see the address I use for PAT as the source. I need to be able to see their internal address 172.16.x.x. Is this something that can be done with CAPTURE? If so, can you please provide some guidance?

Thanks again.

Hi Nicholas,

You can do this if you configure the capture on your inside interface. The commands would look something like this:

! Create an ACL to limit the capture to SMTP traffic from your internal host
access-list capin-acl permit tcp host 172.16.x.x any eq 25
access-list capin-acl permit tcp any eq 25 host 172.16.x.x
!
! Configure the capture (the buffer keyword takes a size in bytes; 1048576 is an example value)
!
capture capin access-list capin-acl interface inside packet-length 1518 buffer 1048576

This assumes the interface that your host sits on is named "inside". If not, just change "inside" to your interface name. The buffer is optional, but will let you capture more data than the default buffer will hold.

You can then look at the capture with the 'show capture capin' command or download it by browsing to https:///capture/capin/pcap.

Finally, here is the command reference for the 'capture' command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2108895

Hope that helps.

-Mike
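Once the pcap has been downloaded from the firewall, the question Nicholas is really asking (which inside host, by its pre-NAT 172.16.x.x address, is talking to port 25 and to whom) can be answered by summarising it. The script below is an added example, not code from this thread or from Cisco: a dependency-free Python parser for the classic pcap format that groups outbound TCP/25 packets by source address. The sample capture bytes and the 172.16.10.x / 203.0.113.x / 198.51.100.x addresses are constructed inline so it runs offline, and it assumes the export is an Ethernet-link-type pcap (not pcapng).

```python
import struct

# Constructed sample: a tiny libpcap file (Ethernet/IPv4/TCP) built inline so the
# script runs offline; stands in for the file fetched from /capture/capin/pcap.
def _pcap_packet(src_ip, dst_ip, sport, dport):
    ip_src = bytes(int(o) for o in src_ip.split("."))
    ip_dst = bytes(int(o) for o in dst_ip.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip_src, ip_dst)
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _pcap_packet("172.16.10.5", "203.0.113.25", 51000, 25),
    _pcap_packet("172.16.10.5", "198.51.100.7", 51001, 25),
    _pcap_packet("172.16.10.9", "203.0.113.25", 51002, 25),
    _pcap_packet("203.0.113.25", "172.16.10.5", 25, 51000),  # reply, not outbound
])

def smtp_talkers(pcap_bytes, dport=25):
    """Map each source IP to the set of destinations it sent TCP/dport packets to.
    Assumes classic pcap magic and DLT_EN10MB (link type 1), not pcapng."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("expected an Ethernet capture")
    talkers, off = {}, 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:
            continue  # not TCP, or truncated before the TCP ports
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        _, tcp_dport = struct.unpack_from("!HH", frame, 14 + ihl)
        if tcp_dport == dport:
            talkers.setdefault(src, set()).add(dst)
    return talkers

if __name__ == "__main__":
    for src, dsts in sorted(smtp_talkers(SAMPLE_PCAP).items()):
        print(f"{src} -> {', '.join(sorted(dsts))}")
```

Because the capture is taken on the inside interface, the source column shows the real 172.16.x.x host rather than the PAT address; replace SAMPLE_PCAP with the bytes of the downloaded file to run it on a real capture.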

Thanks very much! That did the trick.
