Take packet captures on ASA

If you need a packet capture while troubleshooting on an ASA, you can take it on the box itself as follows. Take one capture on the interface where the traffic arrives and one on the interface where it leaves, i.e. the ingress and egress interfaces, so you can see whether packets are being dropped or rewritten between the two.

In the example below I am capturing TCP traffic from any source to any destination. The first command defines the capture on the named interface; the second sets the size of the capture buffer in bytes.

capture name-of-capture interface interface-nameif match tcp any any
capture name-of-capture buffer 33445532

Verification command:
show capture

To download the capture from the box, open the following URL in a web browser, replacing x.x.x.x with the IP address of the ASA:
https://x.x.x.x/admin/capture/name-of-capture/pcap

The HTTPS server must be enabled on the ASA before captures can be pulled out this way; use the following commands. The 0.0.0.0 0.0.0.0 form permits any host behind the inside interface to reach the HTTPS server, so narrow it to your management subnet where possible.

http server enable
http 0.0.0.0 0.0.0.0 inside

To view the capture on the CLI (the capture must still be active to view or export it):

show capture name-of-capture

5 packets captured

   1: 10:37:12.417382       802.1Q vlan#648 P0 10.148.39.76 > 10.145.35.1: icmp: echo request
   2: 10:37:13.027342       802.1Q vlan#648 P0 10.148.39.76 > 10.145.35.1: icmp: echo request
   3: 10:37:13.417397       802.1Q vlan#648 P0 10.148.39.76 > 10.145.35.1: icmp: echo request
   4: 10:37:14.026518       802.1Q vlan#648 P0 10.148.39.76 > 10.145.35.1: icmp: echo request
   5: 10:37:14.417397       802.1Q vlan#648 P0 10.148.39.76 > 10.145.35.1: icmp: echo request
5 packets shown
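When a capture grows beyond a handful of packets, reading the CLI output by eye stops being practical. The following Python script is an added example, not part of the original post or any Cisco tooling: it parses the "show capture" text above into structured records, checks that the number of packet lines matches the count the ASA declares in the header, and tallies packets per flow. The regular expression is derived from the five lines shown on the page; the untagged TCP and UDP lines in EXTRA_LINES are constructed to illustrate that the parser also handles traffic without an 802.1Q header, and the pcap_url helper simply builds the download URL pattern from the post.

```python
import re
from collections import Counter

# Constructed sample input: the "show capture" output quoted above.
SAMPLE_OUTPUT = """\
5 packets captured

   1: 10:37:12.417382       802.1Q vlan#648 P0 10.148.39.76 > 10.145.35.1: icmp: echo request
   2: 10:37:13.027342       802.1Q vlan#648 P0 10.148.39.76 > 10.145.35.1: icmp: echo request
   3: 10:37:13.417397       802.1Q vlan#648 P0 10.148.39.76 > 10.145.35.1: icmp: echo request
   4: 10:37:14.026518       802.1Q vlan#648 P0 10.148.39.76 > 10.145.35.1: icmp: echo request
   5: 10:37:14.417397       802.1Q vlan#648 P0 10.148.39.76 > 10.145.35.1: icmp: echo request
5 packets shown
"""

# Constructed lines (not from the page) in the shape the ASA prints for
# untagged TCP and UDP packets, to show the VLAN prefix is optional.
EXTRA_LINES = """\
2 packets captured
   1: 11:02:00.100000       192.168.1.10.51234 > 10.1.1.1.443: S 1000:1000(0) win 64240 <mss 1460>
   2: 11:02:00.200000       10.1.1.1.53 > 192.168.1.10.40000: udp 56
2 packets shown
"""

HEADER_RE = re.compile(r"^\s*(\d+) packets captured\s*$")
PACKET_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P(?P<prio>\d+)\s+)?"   # optional 802.1Q tag
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$"
)


def _protocol(info):
    """Classify the text that follows 'src > dst:' on a packet line."""
    if info.startswith("icmp:"):
        return "icmp"
    if info.startswith("udp "):
        return "udp"
    return "tcp"  # TCP lines start with flags such as S, ., P or F


def parse_show_capture(text):
    """Return (declared_count, packets); each packet is a dict of fields."""
    declared = None
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = PACKET_RE.match(line)
        if not m:
            continue  # blank lines, "N packets shown", anything unexpected
        d = m.groupdict()
        packets.append({
            "num": int(d["num"]),
            "time": d["ts"],
            "vlan": int(d["vlan"]) if d["vlan"] else None,
            "src": d["src"],
            "dst": d["dst"],
            "proto": _protocol(d["info"]),
            "info": d["info"],
        })
    return declared, packets


def count_matches_header(text):
    """True when the packet lines parsed equal the count the ASA declared."""
    declared, packets = parse_show_capture(text)
    return declared is not None and declared == len(packets)


def flows(packets):
    """Packets per (src, dst, proto): shows which flow dominates the buffer."""
    return Counter((p["src"], p["dst"], p["proto"]) for p in packets)


def pcap_url(asa_host, capture_name):
    """Download URL pattern for the capture, as given in the post."""
    return f"https://{asa_host}/admin/capture/{capture_name}/pcap"


if __name__ == "__main__":
    declared, pkts = parse_show_capture(SAMPLE_OUTPUT)
    print(f"declared={declared} parsed={len(pkts)} consistent={count_matches_header(SAMPLE_OUTPUT)}")
    for flow, n in flows(pkts).items():
        print(n, flow)
    print(pcap_url("x.x.x.x", "name-of-capture"))
```

Paste the output of "show capture name-of-capture" into SAMPLE_OUTPUT (or read it from a file) to run it against a real session; a mismatch between the declared and parsed counts usually means a line the regular expression does not yet cover, which is worth inspecting rather than silently dropping.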

To stop and remove the capture:
no capture name-of-capture

To clear capture buffer:
clear capture name-of-capture

This entry was posted in ASA.