Cisco uses a different way to run and save packet captures on its ASA firewall than a popular Linux tcpdump/Wireshark tools. Below is a quick guide to capture and then copy out a pcap file from the firewall for offline analysis.

Setting up your Packet Capture

The basic syntax is:

#capture <Name for capture> type raw-data match ip  <source IP/Network> <Network Mask> <destination IP/Network> <Network MAsk>

#capture <Name for capture> packet-length 1522 buffer 524288

#capture <Name for capture> interface <Name of interface to capture on>

Working with your packet capture

View captured packets

#show capture <Name of capture> detail

To stop your capture

 Make sure to include the full command, if you omit the “interface <Name of interface to capture on>” then you will lose your captured packets

#no capture <capture name> interface <Name of interface to capture on>

 

Copy your capture to flash, TFTP or FTP server

If you omit the  “/pcap” then the file will be copied as a ASCII file

 

#copy /pcap capture:<capture name> [tftp:,flash:...etc]

 

Copy using SCP

Ensure Secure Copy is enabled on the ASA

# conf t

# (config) ssh scopy enable

 

Copy the capture to flash and copy to any device

# copy /pcap capture: flash:<capture name>.pcap

Follow the prompts to specify the name of the capture and the filename to save as.  Now you can use any SCP software to copy the file or if on a Linux machine

# scp <username>@<fw-ip>:<capture name>.pcap

Copy using HTTP

Ensure you have HTTP enabled

#http 0.0.0.0 0.0.0.0 inside

#http server enable

If you wish to restrict access then enter the host/network and net mask that you wish to grant access to in place of the 0.0.0.0 0.0.0.0
View packet capture inside the browser

https://<user name>:<password>@<fw-ip>/capture/<capture-name>

Copy Pcap file using http

https://<user name>:<password>@<fw-ip>/capture/<capture-name>/pcap

Clean up your capture

WILL DELETE ALL CAPTURED DATA

#no capture <capture name>