Packet capturing can be summarized in the following steps:
1. First, create an ACL that selects which traffic to capture.
2. Then start the capture on the selected interfaces.
3. Display and/or save the capture.
4. Stop the capture and clear the buffer.
Things to know before starting packet capturing
The capture buffer is 512 KB by default.
When the capture buffer is full, it is not overwritten.
By default, capturing traffic includes the full packet payload.
Configuration and commands
!-- Create an ACL to filter which traffic to capture
access-list packetcapACL permit ip any any
!-- Start the capture on the interfaces you want to capture traffic on
capture captureinside access-list packetcapACL interface inside
capture captureoutside access-list packetcapACL interface outside
!-- Display the current capture filters in place
show capture
capture captureinside type raw-data access-list packetcapACL interface inside [Buffer Full - 524272 bytes]
capture captureoutside type raw-data access-list packetcapACL interface outside [Buffer Full - 524272 bytes]
!-- Display the content of a capture
show capture captureinside
Output will be similar to
356: 13:13:32.941006 10.182.5.55.49987 > 10.65.21.20.443: P 747921171:747921261(90) ack 1852773245 win 255
357: 13:13:32.941143 10.182.5.55.64348 > 10.65.21.21.443: P 190021832:190021906(74) ack 2598777466 win 254
358: 13:13:32.941204 10.182.5.55.64348 > 10.65.21.21.443: P 190021906:190021996(90) ack 2598777466 win 254
359: 13:13:32.941281 10.182.5.55.49987 > 10.65.21.20.443: P 747921261:747921351(90) ack 1852773245 win 255
360: 13:13:32.941311 10.65.21.21.443 > 10.182.5.55.64348: . ack 190021996 win 129
361: 13:13:32.941388 10.65.21.20.443 > 10.182.5.55.49987: . ack 747921351 win 129
362: 13:13:32.948162 10.65.21.20.443 > 10.182.5.55.49987: P 1852773245:1852774279(1034) ack 747921351 win 129
… and so on
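The text output above is what you get from the CLI before you pull the pcap; a quick way to get an overview of which connections dominate a full buffer is to parse that output. The following parser is an added example, not part of the original post or Cisco's tooling; it is fed the seven lines shown above as constructed sample input and aggregates packets and payload bytes per TCP connection.

```python
import re
from collections import defaultdict

# One line of `show capture <name>` output (tcpdump-style), as printed above:
#   356: 13:13:32.941006 10.182.5.55.49987 > 10.65.21.20.443: P 747921171:747921261(90) ack 1852773245 win 255
# The seq:seq(len) group is absent on pure ACKs ("."), and "ack" may be absent on a bare SYN.
LINE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[A-Z.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"\s+win\s+(?P<win>\d+)"
)

# Constructed sample: the capture lines quoted in the post.
SAMPLE_LINES = """
356: 13:13:32.941006 10.182.5.55.49987 > 10.65.21.20.443: P 747921171:747921261(90) ack 1852773245 win 255
357: 13:13:32.941143 10.182.5.55.64348 > 10.65.21.21.443: P 190021832:190021906(74) ack 2598777466 win 254
358: 13:13:32.941204 10.182.5.55.64348 > 10.65.21.21.443: P 190021906:190021996(90) ack 2598777466 win 254
359: 13:13:32.941281 10.182.5.55.49987 > 10.65.21.20.443: P 747921261:747921351(90) ack 1852773245 win 255
360: 13:13:32.941311 10.65.21.21.443 > 10.182.5.55.64348: . ack 190021996 win 129
361: 13:13:32.941388 10.65.21.20.443 > 10.182.5.55.49987: . ack 747921351 win 129
362: 13:13:32.948162 10.65.21.20.443 > 10.182.5.55.49987: P 1852773245:1852774279(1034) ack 747921351 win 129
""".strip().splitlines()

def parse_line(line):
    """Return a dict for one capture line, or None if the line is not a packet record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"num": int(d["num"]), "ts": d["ts"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": d["flags"], "length": int(d["length"] or 0),
            "ack": int(d["ack"]) if d["ack"] else None, "win": int(d["win"])}

def summarize_flows(lines):
    """Aggregate packet count and payload bytes per connection, both directions combined."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in filter(None, map(parse_line, lines)):
        key = tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))
        flows[key]["packets"] += 1
        flows[key]["bytes"] += pkt["length"]
    return dict(flows)

if __name__ == "__main__":
    for (a, b), stats in sorted(summarize_flows(SAMPLE_LINES).items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  packets={stats['packets']} bytes={stats['bytes']}")
```

Pipe the saved `show capture` output into the script to rank connections by payload volume before deciding whether a larger or circular buffer, or a headers-only capture, is the right fix.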
View or download the captures using HTTPS access
Access the FW at https://<IP of ASA>/admin/captureinside to see header-only information.
Access the FW at https://<IP of ASA>/admin/captureinside/pcap to download the packet capture with payload. The file can be opened in a packet analyzer such as Wireshark.
!-- Stop the captures and verify the capture buffer is empty
no capture captureinside
no capture captureoutside
As the output above shows, the default settings give a limited capture time and consequently limited data to analyze, so a few parameters can be used to gather more data.
When starting a capture, you can increase the buffer from the default 512 KB to, for instance, 10 MB
capture captureinside buffer 10000000 access-list packetcapACL interface inside
We can also choose to overwrite the oldest data in the buffer once it is full
capture captureinside buffer 10000000 access-list packetcapACL interface inside circular-buffer
The best way to increase the amount of captured data, if the payload is of no interest to you, is to capture the headers only
capture captureinside buffer 10000000 access-list packetcapACL interface inside headers-only