Cisco Support Community
New Member

Cisco PIX - Capture Question

Hello,

I've been able to find information on setting up a CAPTURE for incoming traffic. However, I am having a hard time setting up a CAPTURE for traffic heading out of my network to the Internet.

Can someone please assist in how I can set this up?

Thank you in advance.

4 REPLIES
Bronze

Re: Cisco PIX - Capture Question

Hi there Nicholas,

The capture command captures ALL traffic coming in or going out of the interface.

e.g.

capture blah interface outside

will create a capture file called blah that captures all traffic coming in or leaving the 'outside' interface.

Brad

New Member

Re: Cisco PIX - Capture Question

Thanks for the reply, Brad. Just one follow-up question.

I am trying to identify if a system on my LAN is communicating with port 25 on any server outside of my network. In the capture, I see the address I use for PAT as the source. I need to be able to see their internal address 172.16.x.x. Is this something that can be done with CAPTURE? If so, can you please provide some guidance?

Thanks again.

Re: Cisco PIX - Capture Question

Hi Nicholas,

You can do this if you configure the capture on your inside interface. The commands would look something like this:

! Create an ACL to limit the capture to SMTP traffic from your internal host
access-list capin-acl permit tcp host 172.16.x.x any eq 25
access-list capin-acl permit tcp any eq 25 host 172.16.x.x
!
! Configure the capture
!
capture capin access-list capin-acl interface inside packet-length 1518 buffer

This assumes the interface that your host sits on is named "inside". If not, just change "inside" to your interface name. The buffer is optional, but will let you capture more data than the default buffer will hold.

You can then look at the capture with the 'show capture capin' command or download it by browsing to https:///capture/capin/pcap.

Finally, here is the command reference for the 'capture' command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2108895

Hope that helps.

-Mike
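
Once the inside-interface capture has been downloaded as a pcap file, the internal hosts opening SMTP connections can be tallied offline. This is an added example, not part of the original thread; it assumes a classic pcap file with Ethernet framing and a 172.16.0.0/16 inside network, and its sample packets (host 172.16.5.20, documentation-range servers) are constructed.

```python
import ipaddress
import struct
from collections import Counter

INSIDE_NET = ipaddress.ip_network("172.16.0.0/16")  # assumption: LAN behind "inside"

def smtp_initiators(pcap: bytes) -> Counter:
    """Count TCP SYNs to port 25 per (inside source, outside server) pair."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24 or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (802.1Q-tagged frames are skipped as well)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        later_fragment = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        if ip[9] != 6 or later_fragment or ihl < 20 or len(ip) < ihl + 14:
            continue  # not TCP, or no complete TCP header in this packet
        src, dst = (ipaddress.ip_address(ip[i:i + 4]) for i in (12, 16))
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        syn_only = (ip[ihl + 13] & 0x12) == 0x02  # SYN set, ACK clear: the initiator
        if dport == 25 and syn_only and src in INSIDE_NET:
            hits[(str(src), str(dst))] += 1
    return hits

def _frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap() -> bytes:
    """Constructed capture: two SMTP connections to one server, one to another."""
    host, mx1, mx2 = "172.16.5.20", "203.0.113.10", "198.51.100.7"
    frames = [_frame(host, mx1, 1025, 25, 0x02), _frame(mx1, host, 25, 1025, 0x12),
              _frame(host, mx1, 1025, 25, 0x10), _frame(host, mx2, 1026, 25, 0x02),
              _frame(host, mx1, 1027, 25, 0x02)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1518, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Calling `smtp_initiators(sample_pcap())` returns the per-pair connection counts; for a real capture, pass the bytes of the downloaded file instead. Because the capture ACL matches both directions, only SYN-without-ACK packets are counted so that replies from the mail server are not mistaken for new connections.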

New Member

Re: Cisco PIX - Capture Question

Thanks very much! That did the trick.
