Saturday, August 31, 2013

ASA capturing packets

Part of a firewall engineer's diagnostic duties is to troubleshoot. This requires any one of the following activities:

  • execute show commands
  • debug
  • monitor logs (syslog, show log, grep, ...)
  • or, on occasion, a packet capture

In my day-to-day duties I'm typically doing any or all of the four above when troubleshooting issues.

On the ASA with the newer code it's very simple to run packet diagnostics. I will walk you through a typical packet capture episode.

1: Build an access-list that matches only the traffic of interest
(very important on a busy link: don't try to capture all traffic, or you might miss the traffic of interest and waste memory space and time; use an ACL)

!!!   BE AS SPECIFIC AS POSSIBLE in your ACL   !!!

access-list myacl standard permit

Will capture traffic for that host only.

2: Specify a capture name.

3: Monitor active captures with the "show cap" command.

4: Delete the access-list and the capture at the conclusion of the troubleshooting event.

Here are a few screenshots of a capture within an ASA.

(validating my ACL and then applying the capture)

(showing active or non-active captures)

(removing captures)

(capture based on Ethernet frame type, not IP)

(copying a capture to disk0 for later downloading)

So now you have the option to copy the saved capture to a device of your choosing for off-appliance analysis, or to deliver it to, let's say, Cisco TAC.
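Here is the whole episode as one CLI session, covering the four steps above plus the Ethernet-frame-type capture and the copy to disk0 shown in the screenshots. This is an added example, not the post's own screenshots; the hostname, interface name, addresses (10.1.1.50 and 192.0.2.10) and capture names are constructed placeholders, and the `!` lines are annotations rather than ASA commands.

```cisco
! Added example, not from the original post. Hostname, interface, addresses
! and capture names are constructed placeholders.

! Step 1: a tight ACL. Two lines so both directions of the flow are matched,
! rather than a broad "permit ip any any" that fills the buffer with noise.
asa(config)# access-list myacl extended permit ip host 10.1.1.50 host 192.0.2.10
asa(config)# access-list myacl extended permit ip host 192.0.2.10 host 10.1.1.50
asa(config)# show access-list myacl

! Step 2: name the capture, bind it to the ACL and an interface, and give it
! an explicit buffer size (bytes) so memory use is bounded on a busy box.
asa(config)# capture capin access-list myacl interface inside buffer 1048576

! Step 3: confirm the capture is active and watch the buffer fill.
asa(config)# show capture
asa(config)# show capture capin

! Non-IP traffic (the "Ethernet frame type" screenshot): capture ARP only,
! since an IP ACL would match nothing for ARP.
asa(config)# capture arpcap ethernet-type arp interface inside

! Save the buffer to disk0 in pcap format for off-box analysis or for TAC.
asa(config)# copy /pcap capture:capin disk0:/capin.pcap

! Step 4: clean up. Remove the captures (this frees their buffers), then the ACL.
asa(config)# no capture capin
asa(config)# no capture arpcap
asa(config)# clear configure access-list myacl
```

Note the difference between `clear capture capin`, which only empties the buffer and leaves the capture running, and `no capture capin`, which removes it entirely; step 4 wants the latter, since a forgotten capture keeps consuming memory and keeps copying traffic long after the troubleshooting is over.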

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
       /     \
