Cisco ASA Packet Capture


1. Configure the capture

capture CAP interface Outside match ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

2. Start the capture

Continue to the next step! The capture is already running. There is no concept of starting or stopping a capture on the ASA.

3. Stop the capture

Continue to the next step! There is no concept of starting or stopping a capture on the ASA.

4. Verify the capture is collecting packets

show capture

Should see packets captured in the output:

capture CAP type raw-data interface Outside [Capturing - 116466 bytes]
  match ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

5. Collect the dump and decode it in the next step.

show capture CAP

Can be used to see a basic decode of the captured packets:

ASA# show capture CAP

10 packets captured

   1: 04:02:37.128792       802.1Q vlan#400 P0 192.168.1.10.22 > 192.168.2.20.49216: P 1147377325:1147377393(68) ack 55550215 win 32768 
   2: 04:02:37.199208       802.1Q vlan#400 P0 192.168.2.20.49216 > 192.168.1.10.22: . ack 1147377273 win 65535 
   3: 04:02:37.199238       802.1Q vlan#400 P0 192.168.2.20.49216 > 192.168.1.10.22: . ack 1147377325 win 65535 
   4: 04:02:37.200047       802.1Q vlan#400 P0 192.168.2.20.49216 > 192.168.1.10.22: . ack 1147377393 win 65535 
   5: 04:02:37.710366       802.1Q vlan#400 P0 192.168.2.20.49216 > 192.168.1.10.22: P 55550215:55550267(52) ack 1147377393 win 65535 
   6: 04:02:37.710442       802.1Q vlan#400 P0 192.168.1.10.22 > 192.168.2.20.49216: . ack 55550267 win 32768 
   7: 04:02:37.710824       802.1Q vlan#400 P0 192.168.1.10.22 > 192.168.2.20.49216: P 1147377393:1147377445(52) ack 55550267 win 32768 
   8: 04:02:37.783864       802.1Q vlan#400 P0 192.168.2.20.49216 > 192.168.1.10.22: . ack 1147377445 win 65535 
   9: 04:02:37.823245       802.1Q vlan#400 P0 192.168.2.20.49216 > 192.168.1.10.22: P 55550267:55550319(52) ack 1147377445 win 65535 
  10: 04:02:37.823306       802.1Q vlan#400 P0 192.168.1.10.22 > 192.168.2.20.49216: . ack 55550319 win 32768 

Or collect the full dump and decode it in the Dump Decoder tab above if more detailed analysis is necessary

terminal pager 0
show capture CAP dump

6. Remove the capture and access list (ACL) if necessary:

no capture CAP

Some Notes:
When looking at captures, you may see S’s and P’s:
S = Syn
P = Push