
Using the Packet Capture command on a Cisco ASA

September 20th, 2008 admin

Recently, I wanted to sniff a packet stream that passed inline through an ASA firewall. Normally I would think of an external sniffer such as Ethereal, put it on a mirror port of the firewall port, and sniff the packets there. But I found that I can do the same with the capture command on the ASA itself. Let’s take a quick look at what the capture command is and how it works.

In short, these are the steps that I walked through:

1) Create an ACL that will match interesting traffic
2) Define the capture and bind it to an access-list and interface
3) View the capture on the firewall, or copy it off in .pcap format

Here is my situation:

The ACL that you have to make to match traffic can be made on a per-interface basis. When you use the capture command in a troubleshooting scenario, the best thing you can do is build a capture for both the inside and the outside interface, relative to the packet stream. In my situation, I want to sniff a web session from a workstation with IP address 10.1.1.10 to the webserver 62.69.184.129. The traffic is PATed to 192.168.10.2 (fictional).

! inside capture ACL
access-list 100 permit tcp host 10.1.1.10 host 62.69.184.129 eq 80
access-list 100 permit tcp host 62.69.184.129 eq 80 host 10.1.1.10

! outside capture ACL
access-list 101 permit tcp host 62.69.184.129 eq 80 host 192.168.10.2
access-list 101 permit tcp host 192.168.10.2 host 62.69.184.129 eq 80

Now I create the captures for both the inside and the outside interface, each bound to its own ACL (100 matches the pre-NAT addresses on the inside, 101 the PATed addresses on the outside):

capture in access-list 100 interface inside packet-length 1518
capture out access-list 101 interface outside packet-length 1518

Let the client run the session. Then you can copy the results to a TFTP server:

copy /pcap capture:out tftp://10.1.1.10/out.pcap
copy /pcap capture:in tftp://10.1.1.10/in.pcap

Finally, you can read the captures with Wireshark.
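As an added example (not part of the original post), here is one way to check the two captures offline once they are copied off the firewall: a minimal pure-Python pcap reader summarises the TCP flows in the inside and outside files and confirms that every client packet on the inside reappears on the outside with its source rewritten to the PAT address 192.168.10.2. The pcap bytes are constructed inline as stand-ins for in.pcap and out.pcap; in practice you would read those files instead.

```python
import struct
from collections import Counter

def tcp_packet(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame (54 bytes, no payload)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

def build_pcap(packets):
    """Classic little-endian pcap, Ethernet link type, as 'copy /pcap' writes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1221868800 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def pcap_tcp_flows(data):
    """Count IPv4/TCP packets per (src, dst, sport, dport) in a pcap byte string."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    flows, off = Counter(), 24                            # skip global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkt, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                      # not IPv4/TCP
        ihl = (pkt[14] & 0x0F) * 4
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
        sport, dport = struct.unpack("!HH", pkt[14 + ihl:18 + ihl])
        flows[(src, dst, sport, dport)] += 1
    return flows

def pat_consistent(inside, outside, client, pat_ip, server, port=80):
    """Every client->server packet on the inside must reappear on the outside
    with the source rewritten to the PAT address; the counts must agree."""
    count = lambda flows, s: sum(n for (a, d, _, dp), n in flows.items()
                                 if a == s and d == server and dp == port)
    n_in, n_out = count(inside, client), count(outside, pat_ip)
    return n_in > 0 and n_in == n_out

# Constructed sample data standing in for in.pcap and out.pcap from the post.
INSIDE = build_pcap([tcp_packet("10.1.1.10", "62.69.184.129", 40000, 80),
                     tcp_packet("10.1.1.10", "62.69.184.129", 40001, 80),
                     tcp_packet("62.69.184.129", "10.1.1.10", 80, 40000)])
OUTSIDE = build_pcap([tcp_packet("192.168.10.2", "62.69.184.129", 1024, 80),
                      tcp_packet("192.168.10.2", "62.69.184.129", 1025, 80),
                      tcp_packet("62.69.184.129", "192.168.10.2", 80, 1024)])
```

A mismatch between the two counts points at packets dropped or not translated between the interfaces, which is exactly what the paired inside/outside captures are meant to reveal.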
