Tuesday, June 5, 2012

How to Download Packet Captures as a PCAP File to Use in Wireshark on a Cisco ASA

If you need to download your packet captures on a Cisco ASA/PIX so you can import them into Wireshark it is a very simple process.

I assume the following is true:
1. You have http (ASDM) access to the firewall
2. You already have a capture with captured packets: (See here how to create a capture)
If you want to just see the capture in the browser first to make sure there are packets you can do the following:

Command Format:

Once you know you have data in your capture you can download the pcap by doing the following:

Command Format:

How to Capture traffic on a Cisco ASA with No Config Changes

Problem: You need to capture traffic between and

In previous version of ASA/PIX code (7.2 and below) you had to go into config mode add a bi-directional access-list and then apply the packet capture. As of 7.2.1 you no longer have to do that and it makes creating captures a lot quicker and no configuration changes are made to the firewall since no access-list are created.

Command Format:
capture [CAP_NAME] interface [INT_NAME] match ip host x.x.x.x host x.x.x.x
capture jcap interface inside match ip host host

And while this rule looks like it would only capture traffic if sources from it is actually automatically bidirectional so will capture traffic if it sources from either address.

To see and manage your captures issue the following command:
show capture - This will list all fo the captures running on the ASA/PIX
show capture [CAP_NAME] - this will show the actually packets captured in the captures

clear capture [CAP_NAME] - this will clear the captures for one capture

no cap [CAP_NAME] - this will completely remove and stop the capture

There are many more options such as ports and protocols you can find those in the reference guide here:



Here are some more captures I regularly use:

Change the capture to gather whole subnets:
capture jcap interface inside match ip

If you need to see all the the traffic to and from one address you could make a capture like this:
capture jcap interface inside match ip host any

Capture ARP request and replies with the following:
capture arpcap interface inside ethernet-type arp

How to failover the standby ASA from the primary ASA

If for some reason you cant access the standby firewall but need you reload it and only have access to the primary firewall you can easily reboot the standby firewall by issuing the following command via cli:

failover reload-standby