Cisco's ASA firewall runs and saves packet captures differently from the familiar Linux tcpdump/Wireshark tools. Below is a quick guide to running a capture and then copying the pcap file off the firewall for offline analysis.
Setting up your Packet Capture
The basic syntax is:
#capture <Name for capture> type raw-data match ip <source IP/Network> <Network Mask> <destination IP/Network> <Network Mask>
#capture <Name for capture> packet-length 1522 buffer 524288
#capture <Name for capture> interface <Name of interface to capture on>
Working with your packet capture
View captured packets
#show capture <Name of capture> detail
To stop your capture
Make sure to include the full command: if you omit the “interface <Name of interface to capture on>” part, you will lose your captured packets.
#no capture <capture name> interface <Name of interface to capture on>
Copy your capture to flash, TFTP or FTP server
If you omit “/pcap”, the file will be copied as an ASCII file rather than a binary pcap.
#copy /pcap capture:<capture name> [tftp: | ftp: | flash: ...]
Copy using SCP
Ensure Secure Copy is enabled on the ASA
# conf t
(config)# ssh scopy enable
Copy the capture to flash and copy to any device
# copy /pcap capture: flash:<capture name>.pcap
Follow the prompts to specify the name of the capture and the filename to save it as. You can then fetch the file with any SCP client; on a Linux machine, copy it into the current directory with:
# scp <username>@<fw-ip>:<capture name>.pcap .
Copy using HTTP
Ensure you have HTTP enabled
#http 0.0.0.0 0.0.0.0 inside
#http server enable
To restrict access, replace 0.0.0.0 0.0.0.0 with the host or network address and netmask you wish to grant access to.
View packet capture inside the browser
https://<user name>:<password>@<fw-ip>/capture/<capture-name>
Copy Pcap file using http
https://<user name>:<password>@<fw-ip>/capture/<capture-name>/pcap
Clean up your capture
WILL DELETE ALL CAPTURED DATA
#no capture <capture name>
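Once the file is on the Linux box it is worth confirming that it is a binary pcap and not the ASCII listing you get when “/pcap” is left off. The script below is an added example, not part of the original post: it pulls the capture over HTTPS with curl (assumed installed; credentials are passed with -u instead of inside the URL so they stay out of shell history and proxy logs) and then checks the file's magic bytes.

```shell
#!/bin/sh
# Added example: fetch an ASA capture over HTTPS and verify it is a real pcap.
# Assumes curl is available and the firewall serves /capture/<name>/pcap as
# described above; fw, name, user and out are placeholders supplied by the caller.

# Download the capture. "$user" may be "user" (curl prompts for the password)
# or "user:password". -k skips certificate checks: only for a self-signed ASA cert.
fetch_capture() {
    fw="$1"; name="$2"; user="$3"; out="$4"
    curl -sSf -k -u "$user" "https://$fw/capture/$name/pcap" -o "$out"
}

# Classify a file by its first four bytes. Prints the detected type and
# returns 0 for pcap/pcapng, 1 for anything else (for example the ASCII dump
# produced when "/pcap" is omitted from the copy command or the URL).
check_pcap() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo "pcap (microsecond timestamps)"; return 0 ;;
        4d3cb2a1|a1b23c4d) echo "pcap (nanosecond timestamps)"; return 0 ;;
        0a0d0d0a)          echo "pcapng"; return 0 ;;
        *)                 echo "not a pcap (magic: $magic)"; return 1 ;;
    esac
}

# Convenience wrapper: pull_and_check <fw-ip> <capture name> <user> <outfile>
pull_and_check() {
    fetch_capture "$1" "$2" "$3" "$4" || return 1
    check_pcap "$4"
}
```

Run it as `. ./asa_pcap.sh && pull_and_check <fw-ip> <capture-name> <username> capture.pcap`; a non-zero exit means the download is not something Wireshark will open.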