Monday, September 30, 2013

Download a Packet Capture from an ASA

Firstly run your capture:
1) Create an access list that will match the packets you are interested in seeing, e.g.:
    #access-list TESTCAP extended permit tcp 10.10.10.0 255.255.255.0 host 10.10.10.254 eq ldap
    Note - a capture access list is matched per packet, so this single line only catches traffic from the 10.10.10.0/24 hosts towards the LDAP server. To see the replies as well, add a second line with source and destination swapped (host 10.10.10.254 eq ldap to 10.10.10.0 255.255.255.0).

2) Create the capture on your ASA:
   #capture TESTCAP access-list TESTCAP interface INSIDE
   Note - the capture buffer is 512 KB by default and stops filling once it is full; add the "buffer <bytes>" or "circular-buffer" options to the capture command if you need more than that.

Let that run. Once you have collected enough data (use "show capture TESTCAP" to view the packets on the box, and "show capture" on its own to see how many bytes each capture holds), transfer the capture file (pcap) to your local machine to view it in a packet analyser program such as Wireshark:
1) Download and install a TFTP server program (I used SolarWinds TFTP Server) and then start the server.
2) On the firewall concerned, change to the system context and run the following:
    #changeto context system
    #copy /pcap capture:[ContextName]/TESTCAP tftp:
    You will be asked for the destination IP - this will be the IP of your laptop that is running the TFTP server - and then for a destination filename; accept the default or give it a name ending in .pcap.
    Note - [ContextName] should be the name of the context that the capture is running on. On a single-context ASA there is no context to change to; run "copy /pcap capture:TESTCAP tftp:" from the normal enable prompt instead. The "/pcap" option is what produces the libpcap file; without it you get the same text dump that "show capture" prints.
    Note - TFTP is neither authenticated nor encrypted, and a capture like this one may carry LDAP simple binds (cleartext credentials), so run the TFTP server on a trusted network segment and stop it as soon as the copy is done.
3) Check the TFTP-root folder on your local machine to verify the transfer was successful. If the file is zero bytes, or Wireshark reports that it is cut short, the copy did not complete - run it again.
4) Open Wireshark then open the pcap file from there.
5) When you are finished, remove the capture from the ASA with "no capture TESTCAP" (captures keep running and holding memory until removed) and tidy up the access list with "clear configure access-list TESTCAP".
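Before opening the file in Wireshark it is worth checking that the copy is intact and that the capture holds both halves of each conversation. The script below is an added example, not part of the original post or any Cisco tooling: it parses the classic libpcap format that "copy /pcap" writes, counts the packet records, reports a file that ends mid-record (what an interrupted TFTP transfer leaves behind) and lists flows whose reverse direction never appears, which is what the single-line access list above produces. The three sample captures at the bottom are constructed in code; the client address 10.10.10.23 and the port numbers are assumptions, and nothing here came from a real firewall.

```python
"""Sanity-check a pcap copied off an ASA before opening it in Wireshark.
Added example, not from the original post; the sample captures are constructed here."""
import ipaddress
import struct
import sys
from collections import Counter

# magic as read little-endian from the first 4 bytes -> struct byte-order prefix
MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">",   # microsecond timestamps
         0xA1B23C4D: "<", 0x4D3CB2A1: ">"}   # nanosecond timestamps
LINKTYPE_ETHERNET = 1  # DLT_EN10MB, the link type ASA captures use


def _flow(frame):
    """(src, sport, dst, dport, proto) for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return (src, sport, dst, dport, proto)
    return (src, None, dst, None, proto)


def inspect_pcap(data):
    """Parse raw pcap bytes; returns packet count, truncation flag, link type and flow tally."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGIC:
        raise ValueError("not a classic pcap file (bad magic 0x%08x)" % magic)
    endian = MAGIC[magic]
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, truncated, flows, offset = 0, False, Counter(), 24
    while offset < len(data):
        if len(data) - offset < 16:
            truncated = True           # the record header itself is cut off
            break
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if len(data) - offset - 16 < incl_len:
            truncated = True           # header promises more bytes than the file holds
            break
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        packets += 1
        if linktype == LINKTYPE_ETHERNET:
            f = _flow(frame)
            if f:
                flows[f] += 1
    return {"packets": packets, "truncated": truncated, "linktype": linktype, "flows": flows}


def one_way_flows(flows):
    """Flows whose reverse never appears: the symptom of a capture ACL that matches one direction only."""
    return [f for f in flows if (f[2], f[3], f[0], f[1], f[4]) not in flows]


# --- constructed sample captures (not real traffic) -------------------------
def _tcp_frame(src, sport, dst, dport, flags):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp


def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1380500000 + i, 0, len(frame), len(frame)) + frame
    return out


CLIENT, SERVER = "10.10.10.23", "10.10.10.254"   # assumed client; server as in the post
# what the post's single-line ACL yields: only the client->server half of the LDAP session
ONE_WAY = build_pcap([_tcp_frame(CLIENT, 50412, SERVER, 389, 0x02),    # SYN
                      _tcp_frame(CLIENT, 50412, SERVER, 389, 0x10)])   # ACK
# what an ACL permitting both directions yields
BOTH_WAYS = build_pcap([_tcp_frame(CLIENT, 50412, SERVER, 389, 0x02),
                        _tcp_frame(SERVER, 389, CLIENT, 50412, 0x12),  # SYN/ACK
                        _tcp_frame(CLIENT, 50412, SERVER, 389, 0x10)])
# a copy that stopped 10 bytes short of the last record, as an interrupted TFTP transfer would
TRUNCATED = BOTH_WAYS[:-10]


def summary(name, data):
    """Human-readable verdict for one capture, with a WARNING line per problem found."""
    r = inspect_pcap(data)
    lines = ["%s: %d packets, linktype %d" % (name, r["packets"], r["linktype"])]
    if r["truncated"]:
        lines.append("  WARNING: file ends mid-record; the copy did not complete")
    for f in one_way_flows(r["flows"]):
        lines.append("  WARNING: only %s:%s -> %s:%s seen; replies are not in the capture" % f[:4])
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:          # python check_pcap.py TESTCAP.pcap
        print(summary(sys.argv[1], open(sys.argv[1], "rb").read()))
    else:
        for name, blob in (("ONE_WAY", ONE_WAY), ("BOTH_WAYS", BOTH_WAYS), ("TRUNCATED", TRUNCATED)):
            print(summary(name, blob))
```

Run it with the path of the file that landed in your TFTP-root folder; with no argument it checks the three constructed samples instead. Only classic pcap is handled, which is what the ASA writes; the script refuses pcapng rather than guessing.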
