Packet capturing on Cisco ASA

Packet capturing can be summarized in the following steps:

1. First off you create an ACL for filtering out which traffic to capture.
2. Then you start the capture on selected interfaces.
3. Display and/or save the capture.
4. Stop the capture and clear the buffer.

Things to know before starting packet capturing
The capture-buffer is 512KB per default.
When the capture-buffer is full, it won’t be overwritten.
Capturing traffic includes the packet payload.

Configuration and commands

!— Create an ACL to filter which traffic to capture
access-list packetcapACL permit ip any any

!— Start the capture on the interfaces you want to capture traffic.
capture captureinside access-list packetcapACL interface inside
capture captureoutside access-list packetcapACL interface outside

!— Display current capturefilters in place
show capture
Output:
capture captureinside type raw-data access-list packetcapACL interface inside [Buffer Full – 524272 bytes]
capture captureoutside type raw-data access-list packetcapACL interface outside [Buffer Full – 524272 bytes]

!— Display content of captures
show capture captureinside
Output will be similar to
356: 13:13:32.941006 10.182.5.55.49987 > 10.65.21.20.443: P 747921171:747921261(90) ack 1852773245 win 255
357: 13:13:32.941143 10.182.5.55.64348 > 10.65.21.21.443: P 190021832:190021906(74) ack 2598777466 win 254
358: 13:13:32.941204 10.182.5.55.64348 > 10.65.21.21.443: P 190021906:190021996(90) ack 2598777466 win 254
359: 13:13:32.941281 10.182.5.55.49987 > 10.65.21.20.443: P 747921261:747921351(90) ack 1852773245 win 255
360: 13:13:32.941311 10.65.21.21.443 > 10.182.5.55.64348: . ack 190021996 win 129
361: 13:13:32.941388 10.65.21.20.443 > 10.182.5.55.49987: . ack 747921351 win 129
362: 13:13:32.948162 10.65.21.20.443 > 10.182.5.55.49987: P 1852773245:1852774279(1034) ack 747921351 win 129
… and so on

View or download the captures using https-access
Access the FW at https://<IP of ASA>/admin/captureinside to see headeronly-information
Access the FW at https://<IP of ASA>/admin/captureinside/pcap to download the packet capture with payload. The file can be opened in a packet analyzer, such as Wireshark.

!— Stop and verify the capture buffer is empty
no capture captureinside
no capture captureoutside
show capture

Capture parameters
As you understand, the default settings gives us limited capture-time and subsequently limited data to analyze, so certain parameters can be used to gather more data.
When starting a capture, you can increase the buffer from the default 512KB to for instance 10MB
capture captureinside buffer 10000000 access-list packetcapACL interface inside

We can also choose to overwrite the buffer once it is full
capture captureinside buffer 10000000 access-list packetcapACL interface inside circular-buffer

The best way to increase the amount of capture-data, if the payload is of no interest to you, is to capture the headers only
capture captureinside buffer 10000000 access-list packetcapACL interface inside headers-only

0.00 avg. rating (0% score) - 0 votes

2 Responses to Packet capturing on Cisco ASA

  1. Hello,

    Doing a packet capture can increase CPU to work to in high porcentage?
    if i increase buffer CPU will increase more?

    is there a way to store the current capture to a file into the flash.

    If I am placing a capture on inside and another at outside with maximum buffer thay shall be 5M each one?

    Regards

    • Hi!
      Thanks for your questions, I’ll give answering them a go.

      Will a packet capture increase CPU?
      – Yes. But not by much. The CPU (4 core 3Ghz) on my ASA5515(v9.1(2)) went up by 3% during my tests.

      Where is the buffer stored?
      – It is stored in volatile RAM.

      Notice the increased RAM usage after issuing the capture-command

      ASA5515# show memory
      Free memory: 3454736880 bytes (80%)
      Used memory: 840230416 bytes (20%)
      ————- ——————
      Total memory: 4294967296 bytes (100%)
      ASA5515#
      ASA5515# capture test-capture interface outside headers-only buffer 33554432
      ASA5515# show capture
      capture test-capture type raw-data buffer 33554432 interface outside headers-only [Capturing – 439192 bytes]
      ASA5515# show memory
      Free memory: 3421182336 bytes (80%)
      Used memory: 873784960 bytes (20%)
      ————- ——————
      Total memory: 4294967296 bytes (100%)
      ASA5515#

      Used memory: 840230416 bytes (20%)
      + CMND cap..buffer 33554432
      =~Used memory: 873784960 bytes (20%)

      Will increasing the buffer increase the load on the CPU?
      – Only in the context of the CPU needs to handle a bit more traffic.

      Can you store the capture file on flash?
      – Yes – sortof. You can simply redirect the output from your “show capture xxxxx”-command
      e.g.
      show capture myTestCapture | redirect flash:/myTestCapture
      show capture myTestCapture | redirect ftp://myFTPuser:myFTPpassword@10.10.10.10/myTestCapture

      What should the maximum buffer size be?
      This depends on a few things
      1) Available RAM (show memory)
      2) How much data you need to capture.

      Hope this clarifies things a bit. =)

      –Gos

Leave a Reply

Your email address will not be published. Required fields are marked *