Cisco ASA Capture

The Cisco ASA capture is one of those tools which I initially hated compared to the old debug packet command. However, as with most things, once you get to grips with the features it delivers more than you first expected. Once you've reached enlightenment it's then a slippery slope of despair as it fails, fails and temporarily works. After a few failed attempts and further discussions with peers and colleagues who had little success, I sat down with a workmate, went through each phase of the configuration and worked out a method that achieves a winning result.

In summary, the key component is the access-list. The issues we saw required that we reference the enclosing networks as well as the individual hosts, using deny statements to narrow the match down to the hosts of interest. If this method was not used then the capture would be empty; go figure…

Access-list example:

access-list CAPTURE-ACL remark first match wins: permit the two hosts, then deny ICMP and the rest of each /8
access-list CAPTURE-ACL extended permit ip host 1.1.1.1 any
access-list CAPTURE-ACL extended permit ip host 2.2.2.2 any
access-list CAPTURE-ACL extended permit ip any host 1.1.1.1
access-list CAPTURE-ACL extended permit ip any host 2.2.2.2
access-list CAPTURE-ACL extended deny icmp any any
access-list CAPTURE-ACL extended deny ip 1.0.0.0 255.0.0.0 any
access-list CAPTURE-ACL extended deny ip any 1.0.0.0 255.0.0.0
access-list CAPTURE-ACL extended deny ip 2.0.0.0 255.0.0.0 any
access-list CAPTURE-ACL extended deny ip any 2.0.0.0 255.0.0.0

The next stage is to create the capture. In this example we use a circular buffer with a 32MB size option, so once it is full it wraps and overwrites the earliest captured content (a neat trick for dealing with this follows).

Capture example:

capture WIRE-TRACE access-list CAPTURE-ACL buffer 32000000 interface INSIDE circular-buffer

To view the capture in the console you can issue the "show capture CAPTURE-NAME" command.

If you wish to view the content in a web browser, as if you were accessing the ASDM, it is available via https://<ip address>/capture/<capture name>/

To download the file in .pcap format, to open in Wireshark or your favourite packet analyser, use the following URL: https://<ip address>/capture/<capture name>/pcap

And finally, the neat bit:

We remembered reading somewhere about outputting the capture content from the CLI to a TFTP server. While digging around on the Interweb-Library (Google) we came across a script, run from a Linux host as a crontab job, which used wget to grab the pcap file as a scheduled task; provided your throughput is not too great, this ensures that you grab the pcap before the buffer rolls over and overwrites the earlier captured content.

Create a script file on your Linux host (using touch or your preferred method), make it executable, and add the following to it:

#!/bin/sh
wget -P /FIREWALL 'https://USERNAME:PASSWORD@10.10.10.10/capture/OCC-CAP/pcap' --no-check-certificate

As an example for the crontab:

# every five minutes, so the buffer is read before it wraps
*/5 * * * * /FIREWALL/grab-capture.sh
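As an added example (not the script from the post), here is a version of grab-capture.sh that adds what a scheduled grab needs in practice: a timestamped file per pull, the ASA login taken from the cron user's ~/.netrc rather than embedded in the URL, and a check of the pcap magic bytes so that an HTML login page returned on an authentication failure is not kept as if it were a capture. The ASA address 10.10.10.10, capture name OCC-CAP and destination /FIREWALL are assumed from the wget line above.

```shell
#!/bin/sh
# grab-capture.sh: scheduled pull of the ASA capture buffer as a pcap file.
# Added example, not the post's script. Assumed: ASA 10.10.10.10, capture
# OCC-CAP, destination /FIREWALL; the ASA login lives in the cron user's
# ~/.netrc (mode 600), which wget reads itself, so no password in the URL.
set -eu

ASA_HOST="${ASA_HOST:-10.10.10.10}"
CAPTURE_NAME="${CAPTURE_NAME:-OCC-CAP}"
DEST_DIR="${DEST_DIR:-/FIREWALL}"

# The download URL the post describes: https://<asa>/capture/<name>/pcap
capture_url() {
    printf 'https://%s/capture/%s/pcap\n' "$1" "$2"
}

# Timestamped destination so successive pulls never overwrite each other
# (wget's default naming would give pcap, pcap.1, pcap.2 ...).
pcap_outfile() {
    printf '%s/%s-%s.pcap\n' "$1" "$2" "$3"
}

# A libpcap file begins with a 4-byte magic number (a1b2c3d4 or d4c3b2a1,
# or a1b23c4d / 4d3cb2a1 for nanosecond timestamps). An HTML login page
# returned on an expired session or bad password would otherwise be kept.
is_pcap_file() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

grab_capture() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out=$(pcap_outfile "$DEST_DIR" "$CAPTURE_NAME" "$stamp")
    mkdir -p "$DEST_DIR"
    # Drop --no-check-certificate once the ASA serves a trusted certificate.
    wget -q --no-check-certificate -O "$out" \
        "$(capture_url "$ASA_HOST" "$CAPTURE_NAME")"
    if is_pcap_file "$out"; then
        echo "saved $out"
    else
        echo "discarding $out: not a pcap (auth failure?)" >&2
        rm -f "$out"
        return 1
    fi
}
# Only download when run as the script the crontab calls, not when sourced.
if [ "${0##*/}" = "grab-capture.sh" ]; then grab_capture; fi
```

The cron line from the post then calls /FIREWALL/grab-capture.sh; each run leaves a file such as /FIREWALL/OCC-CAP-20240101T000500Z.pcap, and a failed pull is logged to stderr (which cron mails) instead of silently saving an HTML page.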
