ASA and FWSM Capture
Here are some options for doing a capture on the ASA.
asa(config)# access-list CAP1 extended permit ip any any
asa# capture CAPTRAFFIC access-list CAP1 circular-buffer interface outside
These are the options.
asa# capture CAPTRAFFIC ?
access-list Capture packets that match access-list
buffer Configure size of capture buffer, default is 512 KB
circular-buffer Overwrite buffer from beginning when full, default is non-circular
ethernet-type Capture Ethernet packets of a particular type, default is IP
interface Capture packets on a specific interface
match Capture packets matching five-tuple
packet-length Configure maximum length to save from each packet, default is 68 bytes
real-time Display captured packets in real-time. Warning: using this option with a slow console connection may result in an excessive amount of non-displayed packets due to performance limitations.
trace Trace the captured packets
type Capture packets based on a particular type
To view capture output:
show capture CAPTRAFFIC
To see the traffic that the ASA is dropping:
asa# capture capasp type asp-drop all
If you want the actual pcap output, set up a capture such as this one (shown as show capture lists it):
capture capinout type raw-data interface OUTSIDE [Capturing - 2164 bytes]
  match udp host 172.16.1.176 any
Then in a web browser you can download the capture from the ASA.
https://172.16.254.1/capture/capinout/pcap
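Then you can open it in Wireshark and see what the traffic was in detail. With the default packet-length of 68 bytes listed above, only the start of each packet is saved, so set a larger packet-length on the capture if you need full payloads.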
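Before digging into the downloaded file, it is useful to know how many packets were cut short by the packet-length limit and which UDP flows the capture holds. The Python script below is an added example, not part of the original post; it assumes the ASA download is a classic libpcap file with Ethernet framing, and the sample capture, ports and the 192.0.2.10 address are constructed.

```python
import socket
import struct
from collections import Counter

def summarize_pcap(data):
    """Count packets, truncated packets and UDP flows in a classic pcap file."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    if linktype != 1:  # assumption: the capture is Ethernet-framed
        raise ValueError("expected Ethernet link type")
    packets = truncated = 0
    flows = Counter()
    offset = 24
    while offset + 16 <= len(data):
        incl_len, orig_len = struct.unpack(endian + "II", data[offset + 8:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < incl_len:
            break  # file ends in the middle of a record
        packets += 1
        truncated += incl_len < orig_len  # fewer bytes saved than were on the wire
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4/UDP
        udp = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IPv4 header length
        if len(frame) < udp + 4:
            continue
        sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
        key = (socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport)
        flows[key] += 1
    return {"snaplen": snaplen, "packets": packets, "truncated": truncated, "flows": dict(flows)}

def build_sample():
    """Constructed capture: two UDP frames saved with a 68-byte limit."""
    def frame(payload_len):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64, 17, 0,
                         socket.inet_aton("172.16.1.176"), socket.inet_aton("192.0.2.10"))
        udp = struct.pack("!HHHH", 5000, 53, 8 + payload_len, 0)
        return b"\x00" * 12 + b"\x08\x00" + ip + udp + b"A" * payload_len
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 68, 1)
    for full in (frame(200), frame(10)):
        kept = full[:68]
        out += struct.pack("<IIII", 0, 0, len(kept), len(full)) + kept
    return out

if __name__ == "__main__":
    print(summarize_pcap(build_sample()))
```

To run it against a real download, pass the file's bytes to summarize_pcap() in place of build_sample().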