Packet Capture – Cisco ASA

Packet capture on a Cisco ASA from the Command Line Interface (CLI) can be done in several ways. Here is an overview of the most common ones, with 10 examples:

1. Creating an access-list to define the traffic of interest:

access-list CAPTURE permit ip host 192.168.1.1 host 192.168.1.2

This ACL is only referenced by the capture; it is never applied to an interface, so it does not permit or block anything. If you want to be sure that the replies are captured as well, add a second ACE with source and destination swapped.

2. Defining the capture:

capture MYCAPTURE access-list CAPTURE interface outside

3. Viewing the capture (`show capture` on its own, without a name, lists every capture defined on the device):

show capture MYCAPTURE

4. Capturing the same traffic on a different interface as a second, independent capture:

capture MYCAPTURE2 access-list CAPTURE interface inside

5. Capturing on multiple interfaces with a single capture (repeat the command with the same capture name and a different interface; the ASA attaches the existing capture to the additional interface):

capture MYCAPTURE3 access-list CAPTURE interface inside
capture MYCAPTURE3 access-list CAPTURE interface outside

6. Capturing specific packet types, for example ICMP:

access-list CAPTURE permit icmp host 192.168.1.1 host 192.168.1.2
capture MYCAPTURE4 access-list CAPTURE interface outside

7. Capturing packets for a specific port, for example TCP 80 (HTTP). Note that `eq 80` placed after the first host matches the source port, so this ACE catches packets sent from port 80 on 192.168.1.1, i.e. the web server's side of the conversation; to catch the client's requests too, add an ACE with `eq 80` after the second host:

access-list CAPTURE permit tcp host 192.168.1.1 eq 80 host 192.168.1.2
capture MYCAPTURE5 access-list CAPTURE interface outside

8. Capturing with a larger buffer. The command below does not enable a verbose mode; `buffer` sets the capture buffer size in bytes (here 1 MB, the default is 512 KB), and `type raw-data` is the default capture type and can be omitted. When the buffer fills, the capture stops unless it was created with `circular-buffer` (example 9). To see the captured packets in verbose detail, add `detail` to the show command:

capture MYCAPTURE6 type raw-data access-list CAPTURE interface outside buffer 1048576
show capture MYCAPTURE6 detail

9. Applying a single capture to the ASA's ingress and egress interfaces, with a circular buffer that overwrites the oldest packets instead of stopping when the buffer is full:

capture MYCAPTURE7 type raw-data access-list CAPTURE interface inside circular-buffer
capture MYCAPTURE7 type raw-data access-list CAPTURE interface outside circular-buffer

10. Removing a capture. This deletes the capture and frees its buffer (`clear capture MYCAPTURE` empties the buffer but leaves the capture running); the access-list stays in the configuration until you remove it separately:

no capture MYCAPTURE

Remember to replace “MYCAPTURE”, “MYCAPTURE2”, etc., with your desired capture name and “192.168.1.1”, “192.168.1.2”, etc., with the actual IP addresses you are interested in. Note also that the examples above keep adding entries to the same access-list named CAPTURE; on a real device each `access-list CAPTURE ...` line adds another ACE, so every capture referencing it would match the union of all of them. Use a distinct ACL name per capture, or clear the old entries between captures with `clear configure access-list CAPTURE`.

You can also download the capture and open it in a packet analyzer such as Wireshark. With the ASA's HTTPS server enabled (`http server enable` plus an `http` line allowing your management host), browse to the following URL, substituting the ASA's management address and the capture name:

https://<asa-ip>/admin/capture/MYCAPTURE/pcap

Alternatively, copy it to a TFTP server from the CLI with `copy /pcap capture:MYCAPTURE tftp://<server>/MYCAPTURE.pcap`. Either way the file contains only what is in the buffer at that moment, so remove the capture only after the download has finished.

Terminal Pager 0
The command `terminal pager 0` disables the default paging of command output for the current ASA CLI session.

When using commands that generate a lot of output (like `show tech-support` or `show logging`, or, in this case, viewing large packet captures), the terminal normally shows a certain number of lines (24 by default) and then pauses with a `<--- More --->` prompt, waiting for you to press Enter or Space to see the next set of lines.

If you issue the command `terminal pager 0`, you disable this behaviour and the terminal displays the full output of a command without pausing.

In the context of packet captures this is useful when you want to dump an entire capture at once, for example into a terminal log file. Be aware that a large capture produces a lot of output and can make it harder to spot the packets you are interested in; for anything beyond a few hundred packets the pcap download described above is the better route. `terminal pager` is an ASA command; on Cisco IOS and on NX-OS (Nexus) the equivalent is `terminal length 0`.

You can re-enable paging with `terminal pager <lines>`, where <lines> is the number of lines to display before pausing; `terminal pager` on its own restores the default of 24. The setting lasts only for the current session. To change the default for all sessions, use the `pager lines <lines>` configuration command.

Flags
In `show capture` output the TCP flags of each packet appear, tcpdump-style, as letters right after the destination port; a lone `.` means none of the letters below is set, and a pure acknowledgement typically shows as `.` followed by an `ack <number>` field. Here are the common flags you might see:

S = SYN: The synchronize flag is set when a connection is being established.
F = FIN: The finish flag is used to gracefully close a TCP connection.
R = RST: The reset flag is used to forcibly close (or refuse) a TCP connection.
P = PSH: The push flag asks the receiving end to pass the data to the application immediately rather than buffering it.
A = ACK: The acknowledgement flag indicates that the acknowledgement number is valid, i.e. the packet acknowledges received data.
U = URG: The urgent flag indicates that the urgent pointer is valid and the marked data must be processed immediately.
E = ECE: The ECN-echo flag signals that the peer saw explicit congestion notification in the network.
C = CWR: The congestion window reduced flag acknowledges receipt of an ECE flag.
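The following script is an added example, not part of the original page and not Cisco's own tooling: it parses the lines that `show capture` prints (the output of step 3 above) into records, decodes the flag letters from the table above, and then uses them to pick out SYNs that were answered with a RST, the trace a probe against a closed port leaves in a capture. The sample output is constructed for this example in the tcpdump-style format the ASA uses; the endpoint splitting assumes IPv4 addresses, and the optional `802.1Q vlan#` prefix and the `W` letter for CWR are assumed output variants.

```python
"""Parse Cisco ASA `show capture` output and decode the TCP flags (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flag letters as in the table above. The ASA prints "." when none of them is set and
# usually shows ACK as an "ack <n>" field rather than a letter, so both forms are handled.
# "W" for CWR is an assumed variant (tcpdump uses it); "C" follows the table above.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "A": "ACK",
              "U": "URG", "E": "ECE", "C": "CWR", "W": "CWR"}

# "   1: 12:17:24.883860 [802.1Q vlan#10 P0] 192.168.1.11.55523 > 192.168.2.101.80: <body>"
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"          # assumed optional VLAN tag prefix
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<body>.*)$"
)
# TCP body: "<flags> [seq:seqend(len)] [ack <n>] [win <n>] [<options>]"
TCP_RE = re.compile(
    r"^(?P<flags>[SFRPAUECW.]+)\s+"
    r"(?:(?P<seq>\d+):\d+\((?P<len>\d+)\)\s*)?"
    r"(?:ack\s+(?P<ack>\d+)\s*)?"
    r"(?:win\s+(?P<win>\d+))?"
)


@dataclass
class Packet:
    index: int
    timestamp: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: Tuple[str, ...] = ()
    seq: Optional[int] = None
    ack: Optional[int] = None
    payload_len: Optional[int] = None


def decode_flags(letters: str, has_ack: bool) -> Tuple[str, ...]:
    """Map flag letters to names; an "ack <n>" field implies ACK even without an 'A'."""
    names = [FLAG_NAMES[c] for c in letters if c != "."]
    if has_ack and "ACK" not in names:
        names.append("ACK")
    return tuple(names)


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'192.168.1.11.55523' -> ('192.168.1.11', 55523); assumes IPv4, where the last
    dotted component is the port, as the ASA prints TCP and UDP endpoints."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line)
    if not m:
        return None  # prompt, "N packets captured", blank line, etc.
    body = m["body"]
    t = TCP_RE.match(body)
    if t:
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        return Packet(int(m["idx"]), m["ts"], "tcp", src, sport, dst, dport,
                      decode_flags(t["flags"], t["ack"] is not None),
                      seq=int(t["seq"]) if t["seq"] else None,
                      ack=int(t["ack"]) if t["ack"] else None,
                      payload_len=int(t["len"]) if t["len"] else None)
    if body.startswith("udp"):
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        return Packet(int(m["idx"]), m["ts"], "udp", src, sport, dst, dport)
    proto = "icmp" if body.startswith("icmp") else "other"
    return Packet(int(m["idx"]), m["ts"], proto, m["src"], None, m["dst"], None)


def parse_show_capture(text: str) -> List[Packet]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p is not None]


def rejected_syns(packets: List[Packet]) -> List[Tuple[str, str, int]]:
    """(client, server, port) for every bare SYN answered by a RST from the same
    server port: a probe against a closed port, and across many ports, a scan."""
    syns = {(p.src, p.sport, p.dst, p.dport) for p in packets
            if p.proto == "tcp" and p.flags == ("SYN",)}
    return [(p.dst, p.src, p.sport) for p in packets
            if p.proto == "tcp" and "RST" in p.flags
            and (p.dst, p.dport, p.src, p.sport) in syns]


# Constructed sample in the format the ASA uses for `show capture`.
SAMPLE = """\
ciscoasa# show capture MYCAPTURE

7 packets captured

   1: 12:17:24.883860 192.168.1.11.55523 > 192.168.2.101.80: S 4054823186:4054823186(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   2: 12:17:24.884463 192.168.2.101.80 > 192.168.1.11.55523: S 2405059052:2405059052(0) ack 4054823187 win 8192 <mss 1380,nop,wscale 8,sackOK,eol>
   3: 12:17:24.884570 192.168.1.11.55523 > 192.168.2.101.80: . ack 2405059053 win 4106
   4: 12:17:24.884891 192.168.1.11.55523 > 192.168.2.101.80: P 4054823187:4054823534(347) ack 2405059053 win 4106
   5: 12:17:25.101133 192.168.1.11.55524 > 192.168.2.101.23: S 100:100(0) win 8192 <mss 1460>
   6: 12:17:25.101402 192.168.2.101.23 > 192.168.1.11.55524: R 0:0(0) ack 101 win 0
   7: 12:17:26.000001 192.168.1.11 > 192.168.2.101: icmp: echo request
7 packets shown
"""

if __name__ == "__main__":
    pkts = parse_show_capture(SAMPLE)
    for p in pkts:
        print(f"{p.index:>3} {p.proto:<4} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"{' '.join(p.flags) or '-'}")
    for client, server, port in rejected_syns(pkts):
        print(f"SYN from {client} to {server}:{port} was answered with RST")
```

Feed it a saved terminal log (capture taken with `terminal pager 0` so nothing is lost to the `More` prompt) rather than the pcap download; for anything larger, the pcap and Wireshark are the right tools, and this parser is for quick triage of what the CLI shows.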