Cisco ASA Capture Command Example
1 Background
When troubleshooting, you can capture packets on the ASA firewall. A capture lets you confirm whether traffic reaches the firewall, whether it is correctly permitted once it arrives, and, if the firewall blocks it, the reason it was dropped.
2 Capture configuration
2.1 Syntax:
capture <capture name> interface <interface name> buffer <buffer size> match <protocol> host <source IP> host <destination IP> eq <destination port>
2.2 Capture examples
The following are practical capture examples:
2.2.1 Example 1
Capture traffic on the outside interface, matching TCP traffic from source IP 223.104.2.37 to destination IP 203.130.41.39 on TCP port 443:
ASA# capture outside interface outside buffer 3000000 match tcp host 223.104.2.37 host 203.130.41.39 eq 56816
Viewing the captures already configured
Syntax: show capture
ASA# show capture
capture outside type raw-data buffer 3000000 interface outside [Capturing - 0 bytes]
match tcp host 223.104.2.37 host 203.130.41.39 eq 56816
2.2.2 Example 2
capture inside interface inside buffer 3000000 match tcp host 223.104.2.37 host 203.130.41.39 eq 56816
capture outside interface outside buffer 3000000 match tcp host 223.104.2.37 host 203.130.41.39 eq 56601
capture inside interface inside buffer 3000000 match tcp host 223.104.2.37 host 203.130.41.39 eq 56601
In practice we need to confirm whether the firewall dropped the traffic, so an asp-drop capture can be added as well; it shows whether the firewall dropped any packets:
capture asp-drop type asp-drop buffer 33554422 match tcp host 1.1.1.1 host 2.2.2.2 eq 443
2.3 Clearing captured data
Usually used before capturing again. This command clears the captured contents but does not delete the capture configuration:
ASA# clear capture /all
2.4 Stopping a capture
Syntax:
capture <name> stop
This only stops the capture; it does not delete the data already captured.
capture inside stop
capture outside stop
2.5 Starting a capture
Used to re-enable a capture that was stopped as above; the data already captured is not deleted.
capture inside start
capture outside start
2.6 Deleting a capture
Deleting a capture removes it completely, configuration and data.
no capture outside
no capture inside
2.7 Viewing the contents of a capture
show capture <capture name>
For example:
show capture inside
2.8 Copying the capture results to flash
copy /pcap capture:outside flash:outside.pcap
copy /pcap capture:inside flash:inside.pcap
2.9 Opening the capture file (download via the ASA's HTTPS management interface)
https://10.159.202.3:8888/admin/capture/outside/pcap
https://10.159.202.3:8888/admin/capture/inside/pcap
Update:
Firewall capture commands
capture outside interface outside buffer 3000000 match tcp host 112.224.71.143 host 58.56.128.98 eq 8888
capture dmz interface dmz buffer 3000000 match tcp host 112.224.71.143 host 58.56.128.98 eq 8888
show capture
copy /pcap capture:outside flash:outside.pcap
copy /pcap capture:dmz flash:dmz.pcap
no capture outside
no capture dmz
https://10.135.103.14/admin/capture/outside/pcap
https://10.135.103.14/admin/capture/dmz/pcap
(flow captured: 112.224.71.143 -> 58.56.128.98:8888)
Firewall capture commands
capture outside816 interface outside buffer 3000000 match tcp host 223.104.2.37 host 203.130.41.39 eq 56816
capture inside816 interface inside buffer 3000000 match tcp host 223.104.2.37 host 203.130.41.39 eq 56816
capture outside601 interface outside buffer 3000000 match tcp host 223.104.2.37 host 203.130.41.39 eq 56601
capture inside601 interface inside buffer 3000000 match tcp host 223.104.2.37 host 203.130.41.39 eq 56601
copy /pcap capture:outside816 flash:outside816.pcap
copy /pcap capture:inside816 flash:inside816.pcap
copy /pcap capture:outside601 flash:outside601.pcap
copy /pcap capture:inside601 flash:inside601.pcap
no capture outside816
no capture inside816
no capture outside601
no capture inside601
https://10.159.202.3:8888/admin/capture/outside816/pcap
https://10.159.202.3:8888/admin/capture/inside816/pcap
https://10.159.202.3:8888/admin/capture/outside601/pcap
https://10.159.202.3:8888/admin/capture/inside601/pcap
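The capture, copy, delete and download steps above all hinge on using the same capture name throughout, which is easy to get wrong when several captures are open at once. The following added example (not from the original notes) builds one consistent command set for a flow, including the asp-drop companion capture, validates the addresses, port and buffer size against the FAQ's 33554422-byte ceiling, and checks a command list for copy/no-capture lines that refer to a capture never defined. ASA_HOST is a hypothetical placeholder for the ASA's management address.

```python
import ipaddress
import re

# Capture-buffer ceiling as stated in this page's FAQ (33554422 bytes).
MAX_BUFFER = 33554422

def plan_capture(src, dst, dport, interfaces, buffer=3000000, asa_host="ASA_HOST"):
    """Build one consistent capture workflow for a TCP flow src -> dst:dport.
    Returns (setup, collect, teardown, urls); every capture created in setup is
    referenced by exactly the same name in collect, teardown and urls.
    asa_host is a hypothetical placeholder for the ASA management address."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)  # rejects malformed addresses
    if not 1 <= dport <= 65535:
        raise ValueError(f"bad port {dport}")
    if not 1 <= buffer <= MAX_BUFFER:
        raise ValueError(f"buffer {buffer} exceeds ASA maximum {MAX_BUFFER}")
    match = f"match tcp host {src_ip} host {dst_ip} eq {dport}"
    names = list(interfaces) + ["asp-drop"]  # one raw-data capture per interface plus the drop capture
    setup = [f"capture {ifc} interface {ifc} buffer {buffer} {match}" for ifc in interfaces]
    setup.append(f"capture asp-drop type asp-drop buffer {buffer} {match}")  # records packets the ASA dropped
    collect = ["show capture"] + [f"copy /pcap capture:{n} flash:{n}.pcap" for n in names]
    teardown = [f"no capture {n}" for n in names]  # delete captures when done; they cost CPU
    urls = [f"https://{asa_host}/admin/capture/{n}/pcap" for n in names]
    return setup, collect, teardown, urls

DEFINE_RE = re.compile(r"^capture (\S+) (?:interface|type) ")
USE_RE = re.compile(r"^(?:copy /pcap capture:(\S+) |no capture (\S+)$)")

def undefined_references(commands):
    """Names used by 'copy /pcap capture:<name>' or 'no capture <name>' that no capture line defines."""
    defined = {m.group(1) for c in commands if (m := DEFINE_RE.match(c))}
    used = [m.group(1) or m.group(2) for c in commands if (m := USE_RE.match(c))]
    return sorted({n for n in used if n not in defined})

# Constructed sample: captures are created as outside816/inside816, but the copy and
# no-capture lines refer to "outside" and "inside", which were never defined.
MISMATCHED_SET = [
    "capture outside816 interface outside buffer 3000000 match tcp host 223.104.2.37 host 203.130.41.39 eq 56816",
    "capture inside816 interface inside buffer 3000000 match tcp host 223.104.2.37 host 203.130.41.39 eq 56816",
    "copy /pcap capture:outside flash:outside.pcap",
    "no capture inside",
]

if __name__ == "__main__":
    s, c, t, u = plan_capture("223.104.2.37", "203.130.41.39", 56816, ["outside", "inside"])
    print("\n".join(s + c + t + u))
    print("undefined capture names:", undefined_references(MISMATCHED_SET))
```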
FAQ
How much data can a capture hold at most?
At most 33 MB (33554422 bytes).
What impact does a capture have on the firewall?
It consumes CPU, so match as specifically as possible when configuring the capture, and delete the capture once you are finished.