Tuesday, June 5, 2012

How to Download Packet Captures as a PCAP File to Use in Wireshark on a Cisco ASA

If you need to download your packet captures from a Cisco ASA/PIX so you can import them into Wireshark, it is a very simple process.

I assume the following is true:
1. You have HTTP (ASDM) access to the firewall
2. You already have a capture with captured packets (see here how to create a capture)
If you first want to view the capture in the browser to make sure it contains packets, you can do the following:

Command Format:
https://FW_IP/admin/capture/CAP_NAME
Example: 
https://10.55.55.55/admin/capture/jcap

Once you know you have data in your capture, you can download the pcap by doing the following:

Command Format:
https://FW_IP/admin/capture/CAP_NAME/pcap
Example:
https://10.55.55.55/admin/capture/jcap/pcap
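As an added example (not from the original post), here is a small POSIX shell helper that pulls a named capture over the URL above with curl and then checks that the download actually starts with a pcap magic number rather than an error page, so you notice a wrong capture name before opening the file in Wireshark. It assumes curl is installed, the firewall's certificate is saved in a PEM file named by ASA_CA_CERT, and the ASDM credentials are in a netrc file (ASA_NETRC); the firewall address and capture name are the post's example values.

```shell
#!/bin/sh
# Added example, not from the original post. Downloads an ASA capture as a
# pcap via https://FW_IP/admin/capture/CAP_NAME/pcap and validates the result.
# Assumptions: curl is available, ASA_CA_CERT names a PEM file holding the
# firewall's certificate, and ASDM credentials live in a netrc file
# (ASA_NETRC, default ~/.netrc.asa: "machine 10.55.55.55 login admin password ...").

# Return 0 if the file begins with one of the four pcap magic numbers
# (little/big endian, microsecond/nanosecond timestamps), otherwise 1.
is_pcap() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
    *) return 1 ;;
  esac
}

# fetch_capture FW_IP CAP_NAME -> writes CAP_NAME.pcap and prints its name.
fetch_capture() {
  fw="$1"; cap="$2"; out="$cap.pcap"
  if [ -z "${ASA_CA_CERT:-}" ]; then
    echo "set ASA_CA_CERT to the firewall's certificate (PEM) first" >&2
    return 1
  fi
  # --fail turns an HTTP error into a non-zero exit instead of saving the
  # error body; --cacert pins the firewall's cert instead of using --insecure.
  curl --fail --silent --show-error \
       --cacert "$ASA_CA_CERT" \
       --netrc-file "${ASA_NETRC:-$HOME/.netrc.asa}" \
       --output "$out" \
       "https://$fw/admin/capture/$cap/pcap" || return 1
  if ! is_pcap "$out"; then
    echo "$out is not a pcap file; check the capture name on the ASA" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

# Usage (values are the post's example firewall and capture name):
#   ASA_CA_CERT=asa.pem ./fetch_capture.sh 10.55.55.55 jcap
if [ "$#" -eq 2 ]; then
  fetch_capture "$1" "$2" && echo "open $2.pcap in Wireshark"
fi
```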



How to Capture Traffic on a Cisco ASA with No Config Changes

Problem: You need to capture traffic between 1.1.1.1 and 2.2.2.2

In previous versions of ASA/PIX code (7.2 and below) you had to go into config mode, add a bidirectional access-list and then apply the packet capture to it. As of 7.2.1 you no longer have to do that, which makes creating captures a lot quicker, and no configuration changes are made to the firewall since no access-lists are created.


Command Format:
capture [CAP_NAME] interface [INT_NAME] match ip host x.x.x.x host x.x.x.x
Example: 
capture jcap interface inside match ip host 1.1.1.1 host 2.2.2.2

And while this rule looks like it would only capture traffic sourced from 1.1.1.1, it is actually automatically bidirectional, so it will capture traffic sourced from either address.

To see and manage your captures, issue the following commands:
show capture - this will list all of the captures running on the ASA/PIX
show capture [CAP_NAME] - this will show the actual packets captured by that capture

clear capture [CAP_NAME] - this will clear the captured packets of one capture while leaving it running

no cap [CAP_NAME] - this will completely remove and stop the capture

There are many more options, such as ports and protocols; you can find those in the command reference guide here:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312

##############################

Here are some more captures I regularly use:

Change the capture to gather whole subnets:
Example: 
capture jcap interface inside match ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

If you need to see all the traffic to and from one address, you could make a capture like this:
Example: 
capture jcap interface inside match ip host 1.1.1.1 any

Capture ARP request and replies with the following:
Example: 
capture arpcap interface inside ethernet-type arp



How to failover the standby ASA from the primary ASA

If for some reason you can't access the standby firewall but need to reload it, and you only have access to the primary firewall, you can easily reboot the standby firewall by issuing the following command via the CLI:

failover reload-standby