Tuesday, May 21, 2013

How to Capture ARP Requests on a Cisco ASA

Many times I have had to prove that the firewall was not receiving any ARP replies from a workstation, router, switch, or server. Here is how I did it:

Log into the CLI and create a capture looking only for ARP requests:

capture [CAP_NAME] interface [INT_NAME] ethernet-type arp

ASA# capture arpcap interface servers ethernet-type arp
ASA# show capture arpcap

//This is an example of a device that is not responding to ARP:
   1: 20:26:41.822046 arp who-has tell
   2: 20:26:43.622508 arp who-has tell
   3: 20:26:44.622462 arp who-has tell
//We can see the firewall ( is requesting an ARP for but there is no reply

//This is an example of a device that is responding to ARP requests:

   1: 20:30:59.077226 arp who-has tell
   2: 20:30:59.077562 arp reply is-at 0:45:00:07:a7:00

//We can see the firewall ( is requesting an ARP for and gets a reply that it has mac address 0:45:00:07:a7:00

You can of course also do a show arp to see the current ARP table, but the capture will prove the device is not ARPing, or it will help you find out whether two or more devices are ARPing for the same IP address.
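For a long capture, the same two checks (requests that never got a reply, and one IP answered by more than one MAC) can be scripted against saved show capture output. This is an added example, not part of the original post: it assumes the line format shown above with the addresses present, and every IP and MAC in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the line format shown above; all addresses are made up.
SAMPLE = """\
   1: 20:26:41.822046 arp who-has 192.0.2.50 tell 192.0.2.1
   2: 20:26:43.622508 arp who-has 192.0.2.50 tell 192.0.2.1
   3: 20:26:44.622462 arp who-has 192.0.2.60 tell 192.0.2.1
   4: 20:26:44.622801 arp reply 192.0.2.60 is-at 0:45:00:07:a7:00
   5: 20:26:45.101010 arp who-has 192.0.2.70 tell 192.0.2.1
   6: 20:26:45.101322 arp reply 192.0.2.70 is-at 0:45:00:07:a7:01
   7: 20:26:45.101390 arp reply 192.0.2.70 is-at 0:45:00:07:a7:02
"""

REQUEST = re.compile(r"arp who-has (\S+) tell (\S+)")
REPLY = re.compile(r"arp reply (\S+) is-at ([0-9a-fA-F:]+)")


def normalize_mac(mac):
    # The sample output above prints an unpadded first octet (0:45:...),
    # so pad every octet to two digits before comparing MACs.
    return ":".join(octet.zfill(2).lower() for octet in mac.split(":"))


def analyze(capture_text):
    """Return (unanswered, conflicts) for a block of show capture output."""
    requests = defaultdict(int)   # target IP -> number of who-has frames
    replies = defaultdict(set)    # target IP -> set of MACs that answered
    for line in capture_text.splitlines():
        if m := REQUEST.search(line):
            requests[m.group(1)] += 1
        elif m := REPLY.search(line):
            replies[m.group(1)].add(normalize_mac(m.group(2)))
    # Requested but never answered during the capture window.
    unanswered = {ip: n for ip, n in requests.items() if ip not in replies}
    # Same IP claimed by more than one MAC: possible duplicate address.
    conflicts = {ip: sorted(macs) for ip, macs in replies.items() if len(macs) > 1}
    return unanswered, conflicts


if __name__ == "__main__":
    unanswered, conflicts = analyze(SAMPLE)
    for ip, count in unanswered.items():
        print(f"{ip}: {count} request(s), no reply seen")
    for ip, macs in conflicts.items():
        print(f"{ip}: answered by multiple MACs: {', '.join(macs)}")
```

An IP listed as unanswered only means no reply was seen while the capture was running, so leave the capture up long enough to cover several retries.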
