Ben Shuman's Blog

From One Geek To Another

ASA packet captures in pcap format

Nov 182016

Using Capture on the ASA Security Appliances

Step 1: Create an access-list to capture to
access-list mycap extended permit ip host any
access-list mycap extended permit ip any host

Step 2: Type show to see the access-list: show access-list mycap

Step 3: Create the capture by typing capture [name of capture] access-list [name of access-list] interface [interface of traffic to capture]
Example: capture mycap access-list mycap interface outside
Example: capture mycap interface [outside] match ip host [source] host [dest]

Step 4: Type show capture to view current captures.

Step 5: Type show capture mycap to see mycap capture.
Note: Mycap is just a name you gave to the capture file.

Step 6: Once a file is captured you can open a web browser and type: https://[name of asa]/capture/[name of capture]/pcap to download the capture file (pcap) and view it in a packet capture utility like Wireshark.

Optional: Capture without building an ACL.
capture mycap interface outside match ip host [source] host [dest]

There are no published comments.

New comment