Introduction

Cisco ASA packet capture and PIX firewall have a very nice feature set to capture traversing via the Firewall. This is quite a useful utility in operation and troubleshooting.

To capture traffic on a Cisco ASA or PIX Firewall the capture command can be used.

BELOW IS STEP BY STEP PROCEDURE TO ENABLE PACKET CAPTURE FOR RESPECTIVE TRAFFIC TYPE –

We want to capture traffic from/to host 192.168.0.1 located behind the DMZ interface.

Using access list is recommended as it is used to filter interesting traffic (Specific traffic capture we want to analyze) :

ASA(config)# access-list CAPTURE permit ip host 192.168.0.1 any
ASA(config)# access-list CAPTURE permit ip any host 192.168.0.1
ASA(config)# capture cap1 access-list CAPTURE interface dmz

ASA(config)# show capture
capture cap1 access-list CAPTURE interface dmz

Below are the Commands to show capturing results –

show capture cap1
show capture cap1 detail
show capture cap1 dump

Command to clear captured traffic:

clear capture cap1

Command to save results to [p2p type=”slug” value=”ftp-vs-tftp”]tftp[/p2p] server:

copy capture:cap1 tftp://10.0.0.1/dmzhost.txt

To save results in pcap format

copy capture:cap1 tftp://10.0.0.1/dmzhost.txt pcap

Command to disable capturing:

ASA(config)# no capture cap1