This article explains how to take captures using the "capture" feature that exists in Cisco's security products (ASA/PIX, FWSM, IOS). We will assume that there is a client and a web server that experience problems in their communication through a Cisco firewall. Such scenarios often require packet captures to identify the problem. Assuming that the traffic traverses interfaces named inside and outside on the firewall, we will set up captures for the traffic between the client and the server.
ASA/PIX - FWSM
Define Interesting traffic
Find out the IP address of the client host and, if possible, the port that host will connect to on the server (for our example, HTTP is TCP port 80). For this example we are going to use 10.0.0.1 as the client IP and 192.168.0.1 as the server IP.
To define the interesting traffic so that the capture catches only it, use an ACL.
Note: You must have HTTP access to the ASA from your host/subnet before you will be able to access the capture via a web browser as indicated below. If you do not have HTTP access, your web browser will time out and Packet Tracer will show an acl-drop on the ASA when troubleshooting.
An example command to enable HTTP management traffic is as follows:
ASA(config)# http 10.0.0.0 255.0.0.0 inside
where 10.0.0.0 is the allowed subnet and 255.0.0.0 is the mask.
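The ACL and capture definitions that the steps above refer to, as an added example that is not part of the original article. It assumes the article's addresses (10.0.0.1 client, 192.168.0.1 server) and interface names, and the ACL name CAP-ACL is chosen here:

```cisco
! Constructed example: capture ACL matching both directions of the client-server HTTP flow.
! The ACL is only referenced by the capture and is never applied to an interface,
! so it does not change what the firewall permits or denies.
ASA(config)# access-list CAP-ACL extended permit tcp host 10.0.0.1 host 192.168.0.1 eq 80
ASA(config)# access-list CAP-ACL extended permit tcp host 192.168.0.1 eq 80 host 10.0.0.1
!
! One capture per traversed interface: a packet present in in-cap but absent from out-cap
! points at the firewall itself (ACL, NAT, inspection) rather than at the network.
! circular-buffer keeps capturing after the buffer fills by overwriting the oldest packets.
! Caveat: the ACL matches addresses as seen on that interface, so if the client is NATed
! the outside capture needs an ACL that matches the translated address instead.
ASA(config)# capture in-cap interface inside access-list CAP-ACL buffer 1000000 circular-buffer
ASA(config)# capture out-cap interface outside access-list CAP-ACL buffer 1000000 circular-buffer
!
! Reproduce the problem from the client, then inspect the buffers from the CLI...
ASA# show capture in-cap
ASA# show capture out-cap
! ...or export a snapshot while the capture stays active. The pcap can also be fetched
! over the HTTP management access granted above at https://<ASA inside IP>/capture/in-cap/pcap
ASA# copy /pcap capture:in-cap disk0:in-cap.pcap
!
! Remove the captures when done; they consume memory and CPU for as long as they are defined.
ASA(config)# no capture in-cap
ASA(config)# no capture out-cap
```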
If an FWSM is in multiple context mode and the capture is taken in a context (e.g. examplectx), depending on the FWSM version you might not be able to retrieve it using https://<context ip>/capture/<context>/<capture_name>/pcap. Alternatively, you can go to the system context and upload it to a TFTP server (let's say its IP is 10.0.0.2).
FWSM# copy /pcap capture:examplectx/in-cap tftp:
Source capture name [examplectx/in-cap]?
Address or name of remote host ? 10.0.0.2
Destination filename [in-cap]?
!!!!!!!!!!!!!!!!!!
If the capture is configured with a circular buffer and you want to make a copy of the capture at a particular point without disabling the capture, you can run the command below.
copy /pcap capture:in-cap disk0:in-cap.pcap
To analyze the captures you can use software like Wireshark or Ethereal.
Alternatively, you can view the captures from the CLI using the "show capture" command. For example, the following is the 3-way TCP handshake of browsing to the server in our example.
The reader should note that captures taken on an FWSM running software versions prior to 3.1.7 in the 3.1 train and 3.2.5 in the 3.2 train are not always trustworthy. Due to a few bugs in the early FWSM software versions, captures might contain only egress packets, thus missing information that is useful for the capture analysis. As an alternative for FWSMs running early software versions, a SPAN session on the FWSM's VLANs can be used. In more detail:
1. Configure a SPAN monitor port for the ingress and egress VLANs of the FWSM.
Switch# monitor session 2 source vlan 2 , 3 both
This replicates these two VLANs (VLAN 2 and VLAN 3 are the outside and inside firewall interfaces in this example) to a third interface/VLAN as provided below.
2. Push this data to an external capture device (connected to switch port FastEthernet 3/1 in this example) running capture software such as Ethereal/Wireshark.
Switch# monitor session 2 destination interface fastEthernet Fa 3/1
3. The captures can then be saved and analyzed with the capture software.
Because of CSCsg93070, when taking captures in an FWSM context you sometimes cannot retrieve them using the https:// link. The Gather captures section explains how to retrieve them using a TFTP server instead.