Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Packet Capture Tutorial

Where can I find a good tutorial on the packet capture tool for the PIX/IDS? Basically, I want to capture packets that are being passed/denied by a certan rule, or packets that are being denied by default. I am really only familiar with the PDM/ASDM interface, so I would need some additional help mapping a numbered rule from PDM to a named rule for the cli.

1 REPLY
Cisco Employee

Re: Packet Capture Tutorial

this should be all you need

User Guidelines

To enable packet capturing, attach the capture to an interface with the interface option. Multiple interface statements attach the capture to multiple interfaces.

A packet must pass both the Ethernet and access list filters before the packet is stored in the capture buffer.

Useful Capture command:

No capture command with either the access-list or interface option unless you want to clear the capture itself. No capture without options deletes the capture. If the access-list option is specified, the access list is removed from the capture and the capture is preserved. If the interface option is specified, the capture is detached from the specified interface and the capture is preserved.

Clear capture capture_name - command will clear the capture buffer.

--------------------------------------------------------------------------------

Note The capture command is not saved to the configuration, and the capture command is not replicated to the standby unit during failover.

--------------------------------------------------------------------------------

See the Capture command for additional details on the packet capture command

Capture packets between host A & B traversing across both the inside and outside interfaces

Step #1 - Packet capture traversing the inside interface

access-list capture_in permit host A host B

access-list capture_in permit host B host A

capture inside access-list capture_in buffer 2000000 interface inside packet-length 1500

(This capture command will capture packets 1500 bytes or less in size with a maximum files size of 2 Mb)

Step #2 - Packet capture traversing the outside interface

access-list capture_out permit host A host B

access-list capture_out permit host B host A

capture outside access-list capture_out buffer 2000000 interface outside packet-length 1500

Two Methods for Retrieving the packet capture from the PIX

Option #1 - Retrieve the pcap format file from the Pix by browsing to the PIX.

Step #1 - If http services are not on then issue the "setup" command and run through the prompts.

Step #2 - Next open a browser and then https:///capture/

(example - https://172.16.171.49/capture/inside/pcap)

Option #2 - Send a pcap format file from the PIX to a tftp server.

Step #1 - Start the tftp application and set the TFTP root directory where the file will be sent.

Step #2 - next issue the following command on the PIX "copy capture: tftp:///temp pcap"

(example - copy capture:inside tftp://172.16.89.8/temp pcap)

(example - copy capture:outside tftp://172.16.89.8/temp pcap)

Viewing the capture buffer on the PIX

If the capture_name is specified, then it displays the capture buffer contents for that capture.

Issue "show capture " to see the capture buffer

Reset and Remove the capture command

To clear the capture buffer enter the following clear capture command

clear capture inside

clear capture outside

To remove the capture command

no capture inside

no capture outside

Don't forget to remove the capture access-lists after you are finished capturing

no access-list capture_in

no access-list capture_out

477
Views
3
Helpful
1
Replies
CreatePlease to create content