Saturday, August 31, 2013

ASA capturing packets

Part of a firewall engineer's diagnostic duties is to troubleshoot. That usually involves one or more of the following activities:

  • execute show commands
  • debug
  • monitor logs ( syslog, show log, grep............ )
  • or, on occasion, do a packet capture


In my day-to-day duties I'm typically doing any or all of the four above when troubleshooting issues.

On the ASA with newer code it's very simple to conduct packet diagnostics. I will walk you through a typical packet capture.


1: Build an access-list to match on just the traffic of interest
( very important if you have a busy link; don't try to capture all traffic, you might miss the traffic of interest and waste memory space & time....... use an ACL )

!!!   BE AS SPECIFIC AS POSSIBLE in your ACL  !!!

The capture ACL should be an extended ACL. A standard ACL on the ASA only matches the destination address, so it would only catch packets going TO the host and miss the replies. Match the host as source and as destination:

e.g.
access-list myacl extended permit ip host 10.10.10.10 any
access-list myacl extended permit ip any host 10.10.10.10

This captures traffic to and from that host only. Narrow it further ( protocol, port ) whenever you can.


2: specify a capture name, and bind it to an interface and to the ACL

3: monitor active captures with the "show cap" cmd

4: delete the access-list and the capture at the conclusion of the troubleshooting event ( a capture left behind keeps running and holding memory until you remove it )
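The four steps as one ASA console session, added here as a worked example; it is not a screen shot from the original post. The host 10.10.10.10, the interface name inside, the names CAP_HOST / CAPHOST / ARPCAP, the file name caphost.pcap and the TFTP server 192.0.2.50 are assumptions, so swap in your own.

```cisco
! --- Step 1: extended ACL that matches BOTH directions for the host of interest
! (assumed host 10.10.10.10; a standard ACL would only match the destination)
access-list CAP_HOST extended permit ip host 10.10.10.10 any
access-list CAP_HOST extended permit ip any host 10.10.10.10
! narrower alternative, one flow only (e.g. TCP/443 to the host):
! access-list CAP_HOST extended permit tcp any host 10.10.10.10 eq 443
!
! --- Step 2: name the capture, bind it to the interface and the ACL.
! buffer is in bytes; circular-buffer overwrites the oldest packets instead of
! stopping when the buffer is full; packet-length 1522 keeps a full VLAN-tagged frame
capture CAPHOST access-list CAP_HOST interface inside buffer 4000000 packet-length 1522 circular-buffer
!
! a capture keyed on the Ethernet frame type instead of an IP ACL (here ARP)
capture ARPCAP ethernet-type arp interface inside
!
! --- Step 3: monitor what is running and what has been caught
! list every capture, its interface and how many bytes it holds
show capture
! decoded summary, per-packet headers, and hex dump of one capture
show capture CAPHOST
show capture CAPHOST detail
show capture CAPHOST dump
!
! save the buffer in pcap format for Wireshark / Cisco TAC
copy /pcap capture:CAPHOST disk0:/caphost.pcap
copy /pcap capture:CAPHOST tftp://192.0.2.50/caphost.pcap
! (the same file is also reachable from a browser at https://<asa>/admin/capture/CAPHOST/pcap)
!
! --- Step 4: clean up; a forgotten capture keeps consuming memory
! empty the buffer but keep the capture defined (useful between test runs)
clear capture CAPHOST
! remove the captures and the ACL entirely
no capture CAPHOST
no capture ARPCAP
clear configure access-list CAP_HOST
```

Two things worth checking before you walk away: `show capture` should no longer list CAPHOST or ARPCAP, and `show running-config access-list` should not show CAP_HOST, otherwise the next engineer inherits a capture that silently eats memory on a busy interface.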



Here are a few screen shots of a capture within an ASA.

( validating my ACL and then applying the capture )



 ( showing active or non-active captures )



( removing captures )



( capture based on ethernet frame type no ip )



( copying a capture to disk0 for later downloading )




So now you have the option to copy the saved capture to a device of your choosing for off-appliance analysis, or to deliver it to, say, Cisco TAC.



Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \
