This is a short post with a step-by-step procedure for configuring packet capture on a Cisco ASA or an IOS XE router (for example an ASR) from the CLI.
Cisco ASA embedded packet capturing:
access-list acl_capin extended permit ip host 217.100.100.254 host 10.0.255.254
access-list acl_capin extended permit ip host 10.0.255.254 host 217.100.100.254
capture capin interface inside access-list acl_capin

or, without a separate access-list (possible in ASA 8.x and later):

capture capin interface inside match ip host 10.0.255.254 host 217.100.100.254
Show captured packets:
asa-1(config)# show capture capin
10 packets captured
   1: 15:11:12.760092 10.0.255.254 > 217.100.100.254: icmp: echo request
   2: 15:11:12.761755 217.100.100.254 > 10.0.255.254: icmp: echo reply
   3: 15:11:12.764196 10.0.255.254 > 217.100.100.254: icmp: echo request
   4: 15:11:12.765615 217.100.100.254 > 10.0.255.254: icmp: echo reply
   5: 15:11:12.768072 10.0.255.254 > 217.100.100.254: icmp: echo request
   6: 15:11:12.769354 217.100.100.254 > 10.0.255.254: icmp: echo reply
   7: 15:11:12.771612 10.0.255.254 > 217.100.100.254: icmp: echo request
   8: 15:11:12.773077 217.100.100.254 > 10.0.255.254: icmp: echo reply
   9: 15:11:12.775548 10.0.255.254 > 217.100.100.254: icmp: echo request
  10: 15:11:12.777150 217.100.100.254 > 10.0.255.254: icmp: echo reply
10 packets shown
asa-1(config)#

asa-1(config)# show capture capinside detail
20 packets captured
   1: 15:11:12.760092 a000.0000.0001 a000.0000.0021 0x0800 Length: 114
      10.0.255.254 > 217.100.100.254: icmp: echo request (ttl 255, id 5)
   2: 15:11:12.761755 a000.0000.0021 a000.0000.0001 0x0800 Length: 114
      217.100.100.254 > 10.0.255.254: icmp: echo reply (ttl 255, id 5)
   3: 15:11:12.764196 a000.0000.0001 a000.0000.0021 0x0800 Length: 114
      10.0.255.254 > 217.100.100.254: icmp: echo request (ttl 255, id 6)
   4: 15:11:12.765615 a000.0000.0021 a000.0000.0001 0x0800 Length: 114
      217.100.100.254 > 10.0.255.254: icmp: echo reply (ttl 255, id 6)
   5: 15:11:12.768072 a000.0000.0001 a000.0000.0021 0x0800 Length: 114
      10.0.255.254 > 217.100.100.254: icmp: echo request (ttl 255, id 7)
   6: 15:11:12.769354 a000.0000.0021 a000.0000.0001 0x0800 Length: 114
      217.100.100.254 > 10.0.255.254: icmp: echo reply (ttl 255, id 7)
   7: 15:11:12.771612 a000.0000.0001 a000.0000.0021 0x0800 Length: 114
      10.0.255.254 > 217.100.100.254: icmp: echo request (ttl 255, id 8)
   8: 15:11:12.773077 a000.0000.0021 a000.0000.0001 0x0800 Length: 114
      217.100.100.254 > 10.0.255.254: icmp: echo reply (ttl 255, id 8)
   9: 15:11:12.775548 a000.0000.0001 a000.0000.0021 0x0800 Length: 114
      10.0.255.254 > 217.100.100.254: icmp: echo request (ttl 255, id 9)
  10: 15:11:12.777150 a000.0000.0021 a000.0000.0001 0x0800 Length: 114
      217.100.100.254 > 10.0.255.254: icmp: echo reply (ttl 255, id 9)
20 packets shown
asa-1(config)#

View the capture in a browser: https://10.255.1.203/admin/capture/capin
Download it as a pcap file: https://10.255.1.203/capture/capin/pcap
Disable capture and remove access-list:
no capture capin
no capture capout
clear configure access-list acl_capin
clear configure access-list acl_capout
Cisco ASR (IOS XE) embedded packet capturing:
ip access-list extended acl_cap
 permit ip any any
 permit icmp any any
 exit
monitor capture mycap access-list acl_cap
monitor capture mycap limit duration 1000
monitor capture mycap interface GigabitEthernet3 both
monitor capture mycap buffer circular size 10
monitor capture mycap start
monitor capture mycap export tftp://10.255.1.87/mycap.pcap
Show captured packets:
rtr-2#show monitor capture mycap buffer dump
 0
0000:  A0000000 0004A000 00000001 08004500  ..............E.
0010:  00640041 0000FF01 A9530A00 FF010A00  .d.A.....S......
0020:  FF020800 0B62000D 00000000 0000001E  .....b..........
0030:  72BDABCD ABCDABCD ABCDABCD ABCDABCD  r...............
0040:  ABCDABCD ABCDABCD ABCDABCD ABCDABCD  ................
0050:  ABCDABCD ABCDABCD ABCDABCD ABCDABCD  ................
0060:  ABCDABCD ABCDABCD ABCDABCD ABCDABCD  ................
0070:  ABCD                                 ..
 1
0000:  A0000000 0001A000 00000004 08004500  ..............E.
0010:  00640041 0000FF01 A9530A00 FF020A00  .d.A.....S......
0020:  FF010000 1362000D 00000000 0000001E  .....b..........
0030:  72BDABCD ABCDABCD ABCDABCD ABCDABCD  r...............
0040:  ABCDABCD ABCDABCD ABCDABCD ABCDABCD  ................
0050:  ABCDABCD ABCDABCD ABCDABCD ABCDABCD  ................
0060:  ABCDABCD ABCDABCD ABCDABCD ABCDABCD  ................
0070:  ABCD                                 ..
...

rtr-2#show monitor capture mycap buffer
buffer size (KB)  : 10240
buffer used (KB)  : 128
packets in buf    : 14
packets dropped   : 0
packets per sec   : 1
...
Disable capture and remove access-list:
monitor capture mycap stop
no monitor capture mycap
no ip access-list extended acl_cap
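When the TFTP export is not an option and all you can take off the box is the text of `show monitor capture <name> buffer dump`, it helps to decode that hex in a script instead of by eye. The Python below is an added example, not code from the post or from Cisco: it parses a constructed dump listing (one echo-request frame in the same layout as above: packet index line, then rows of an offset, up to four 32-bit hex words and an ASCII gutter, which is assumed and not matched) into raw frames, decodes the Ethernet II, IPv4 and ICMP headers, and verifies the IPv4 and ICMP checksums so that a copy-paste error in the hex is caught before the data is relied on.

```python
import re
import struct
# Constructed sample (not from the post): one frame of an IOS XE
# "show monitor capture <name> buffer dump" listing, ASCII gutter included.
SAMPLE_DUMP = """\
0
0000:  A0000000 0004A000 00000001 08004500  ..............E.
0010:  00640041 0000FF01 A9530A00 FF010A00  .d.A.....S......
0020:  FF020800 0B62000D 00000000 0000001E  .....b..........
0030:  72BDABCD ABCDABCD ABCDABCD ABCDABCD  r...............
0040:  ABCDABCD ABCDABCD ABCDABCD ABCDABCD  ................
0050:  ABCDABCD ABCDABCD ABCDABCD ABCDABCD  ................
0060:  ABCDABCD ABCDABCD ABCDABCD ABCDABCD  ................
0070:  ABCD                                 ..
"""
# One "OFFSET:" row: up to four hex words; the ASCII gutter is not matched.
HEX_ROW = re.compile(r"^\s*[0-9A-Fa-f]{4}:\s+((?:[0-9A-Fa-f]{2,8}\s+){1,4})")

def parse_dump(text: str) -> list:
    """Split the dump into raw frames; a bare decimal line starts a new packet."""
    frames = []
    for line in text.splitlines():
        if re.fullmatch(r"\s*\d+\s*", line):
            frames.append(bytearray())
        elif frames and (m := HEX_ROW.match(line)):
            frames[-1] += bytes.fromhex(m.group(1).replace(" ", ""))
    return [bytes(f) for f in frames]

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; 0 means the embedded checksum field is intact."""
    data += b"\0" * (len(data) % 2)                 # pad odd lengths
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                              # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> ICMP headers and verify both checksums."""
    info = {"src_mac": frame[6:12].hex(".", 2), "dst_mac": frame[:6].hex(".", 2),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != 0x0800:                 # not IPv4: stop at layer 2
        return info
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    info.update(src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])),
                ttl=ip[8], proto=ip[9], ip_checksum_ok=inet_checksum(ip[:ihl]) == 0)
    if ip[9] == 1:                                  # ICMP: checksum covers the whole message
        icmp = ip[ihl:total_len]
        info.update(icmp_type=icmp[0], icmp_code=icmp[1], icmp_checksum_ok=inet_checksum(icmp) == 0)
    return info
```

Paste the full dump text in place of SAMPLE_DUMP (or read it from a file) and loop `decode_frame` over `parse_dump(...)`; a frame whose `ip_checksum_ok` or `icmp_checksum_ok` is False was most likely mangled in transit from the terminal.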