The Cisco ASA capture is one of those tools which I initially hated compared to the old debug packet command. However, as with most things you get to grips with the features and it delivers more than you first expected. Once you’ve reached enlightenment its then a slippy slope of despair as it fails, fails and temporarily works. After a few failed attempts and further discussions with peers and colleagues who had little success, I sat down with a work mate and went through each phase of the configuration and worked out a method to achieve a winning result.
In summary, the key components include the access-list. The issues we saw required that we specify by network and then apply deny statements to limit to individual hosts. If this method was not used then the capture would be empty ? go figure…
access-list CAPTURE-ACL extended permit ip host 18.104.22.168 any
access-list CAPTURE-ACL extended permit ip host 22.214.171.124 any
access-list CAPTURE-ACL extended permit ip any host 126.96.36.199 any
access-list CAPTURE-ACL extended permit ip any host 188.8.131.52 any
access-list CAPTURE-ACL extended deny icmp any any
access-list CAPTURE-ACL extended deny ip 184.108.40.206 255.0.0.0 any
access-list CAPTURE-ACL extended deny ip any 220.127.116.11 255.0.0.0 any
access-list CAPTURE-ACL extended deny ip 18.104.22.168 255.0.0.0 any
access-list CAPTURE-ACL extended deny ip any 22.214.171.124 255.0.0.0 any
The next stage is to create the capture and in this example we use a circular buffer and a 32MB option before rolling back over the pre-captured content (neat trick to follow).
capture WIRE-TRACE access-list CAPTURE-ACL buffer 32000000 interface INSIDE circular-buffer
To view the capture in the console you can issue the “show capture CAPTURE-NAME command.
If you wish to view the content in a web browser as if you were accessing the ASDM then this is available via https://ip address/capture/capture name/
and finally to download the file in .pcap format to open in Wireshark or you favourite packet analyser then use the following url to download the file https://ip address/capture/capture name/pcap
and finally the neat bit..
After remembering reading somewhere about outputting the content from a CLI to a TFTP. We were digging round on the Interweb-Library (Google) and came across a script run from a linux host as a crontab process which used wget to grab the pcap file as a scheduled task and if your through throughput is not to great ensures that you grab the pcap before it rolls over and overwrites the earlier captured content.
Create a file on your linux host using touch or your preferred method and adding the following to the script.
As an example for the crontab:
* 5 * * * /FIREWALL/grab-capture.sh