Saturday, December 26, 2009

ASA/PIX packet capture feature.

If you've ever worked with Cisco TAC on an ASA/PIX case, chances are you've needed to capture packets.
Command reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2108895

ASP capture.
Here are a few interesting options you typically use to diagnose problems. You will see whole combos of them when working with TAC.
A firewall by definition is a device which is supposed to drop packets - chances are that it's dropping way too many of them. If you want to check out what your ASA is dropping, there's a perfect tool for you - the asp-drop capture type.
---------------------
capture CAPASP type asp-drop all
---------------------
This will show you all the packets dropped by the Accelerated Security Path - ASA/PIX's equivalent of CEF, so to speak ;-)
Depending on the version you might also see the exact asp drop reason that caused a given packet to drop (the same reasons listed in the output of "show asp drop").

Interface capture
Chances are that you will need to see packets on the "inside" and "outside" interface. Nothing easier: you can attach a separate capture to each interface, each with its own options. However, it's best practice to:
1) Create an access-list matching the interesting traffic.
2) Remember about packet size.
3) Remember about the size of the capture (all of it is stored in RAM).
4) If the capture is going to be there for a while - consider using a circular buffer (wrap-around buffer).

A well thought capture:
---------------
capture CAPIN interface inside access-list CAPACL packet-length 1500 circular-buffer buffer 10000000
----------------
We'll be using a ~10MB buffer (RAM) to capture traffic on interface inside that matches access-list CAPACL, and be sure to capture the first 1500 bytes of each packet (otherwise 64 bytes are used). If the buffer space runs out, wrap the buffer around.
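Putting the four points above together, here is a complete capture setup for a two-host problem on both interfaces. This is an added example, not configuration from the original post or from Cisco; the host addresses 10.1.1.10 and 10.2.2.20 and the capture names are constructed placeholders.

```text
! Constructed example: addresses and names are placeholders, not from the post.
! 1) Match the interesting traffic. A capture access-list only matches the
!    direction you list, so add the reverse line to see replies as well.
access-list CAPACL extended permit ip host 10.1.1.10 host 10.2.2.20
access-list CAPACL extended permit ip host 10.2.2.20 host 10.1.1.10
!
! 2)-4) Full frames, ~10 MB of RAM per capture, wrap around when the buffer fills.
capture CAPIN interface inside access-list CAPACL packet-length 1500 circular-buffer buffer 10000000
capture CAPOUT interface outside access-list CAPACL packet-length 1500 circular-buffer buffer 10000000
!
! Check what was caught, then release the RAM once the case is closed.
show capture
show capture CAPIN
no capture CAPIN
no capture CAPOUT
```

Two captures with the same access-list let you compare what entered on inside with what left on outside, which is usually the first question TAC asks; remember that both buffers live in RAM until you remove the captures.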


The elusive "trace detail" option.
It's a nice one, but it was known to cause problems. Are you familiar with packet-tracer? Imagine having the same information attached to your capture.
capture TRACE trace details {more options here}
After capturing the data you're interested in, run:
show capture TRACE trace (/decode).
Chances are you're going to get too much information for your own good here, and hey maybe even crash the box.


Last but not least
Exporting captures:
https://{ip_address_of_ASA}/capture/{Name_of_capture}/pcap
or
(from system context if multicontext):
copy /pcap capture:{context_name}/{capture_name} ....

Why the "pcap"? You need it if you want to look deep inside a packet.
Without it, chances are the most advanced problems will not get solved.
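Once the pcap is exported you normally open it in a protocol analyzer, but it pays to know what the file actually contains, in particular whether the packet-length setting from the interface-capture section cut your frames short. The following is an added example, not code from the original post or from Cisco: a minimal libpcap-format reader in Python that validates the global header, decodes the IPv4 endpoints of each record, and flags packets whose captured length is smaller than the original frame length. The sample pcap it parses is constructed inline (placeholder addresses 10.1.1.10 and 10.2.2.20, zero IP checksums, made-up timestamps) so it runs offline.

```python
"""Minimal libpcap-format reader for captures exported from an ASA/PIX.

Added example, not from the original post or from Cisco. It reads a pcap
byte string (here constructed inline), validates the global header, and
flags records whose captured length is shorter than the original frame
length, i.e. packets truncated by the capture's packet-length setting.
"""
import struct
from dataclasses import dataclass
from typing import List

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap
LINKTYPE_ETHERNET = 1


@dataclass
class Record:
    ts_sec: int
    ts_usec: int
    incl_len: int   # bytes actually stored in the file
    orig_len: int   # bytes of the frame on the wire
    src_ip: str
    dst_ip: str
    proto: int      # IPv4 protocol number, -1 if not decodable


def _ipv4(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def parse_pcap(data: bytes) -> List[Record]:
    """Parse a pcap blob into Record objects. Raises ValueError on bad headers."""
    if len(data) < 24:
        raise ValueError("short global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records: List[Record] = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated pcap record at offset %d" % off)
        off += incl_len
        src = dst = "?"
        proto = -1
        # Decode Ethernet + IPv4 only if enough bytes survived (14 + 20 header bytes).
        if linktype == LINKTYPE_ETHERNET and incl_len >= 34 and pkt[12:14] == b"\x08\x00":
            proto = pkt[14 + 9]
            src, dst = _ipv4(pkt[26:30]), _ipv4(pkt[30:34])
        records.append(Record(ts_sec, ts_usec, incl_len, orig_len, src, dst, proto))
    return records


def truncated(records: List[Record]) -> List[Record]:
    """Records cut short by the capture's packet-length (incl_len < orig_len)."""
    return [r for r in records if r.incl_len < r.orig_len]


def _frame(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Constructed Ethernet/IPv4 frame with a zeroed checksum (sample data only)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64,
                     proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + b"\x00" * payload_len


def build_sample_pcap(snaplen: int = 64) -> bytes:
    """Constructed sample: a 60-byte ICMP frame captured whole and a 1514-byte
    TCP frame cut down to `snaplen` bytes, as a short packet-length would do."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    frames = [
        _frame("10.1.1.10", "10.2.2.20", 1, 26),     # 14 + 20 + 26   = 60 bytes
        _frame("10.2.2.20", "10.1.1.10", 6, 1480),   # 14 + 20 + 1480 = 1514 bytes
    ]
    out = bytearray(hdr)
    for i, f in enumerate(frames):
        captured = f[:snaplen]
        out += struct.pack("<IIII", 1261843200 + i, 0, len(captured), len(f))  # made-up timestamps
        out += captured
    return bytes(out)


if __name__ == "__main__":
    recs = parse_pcap(build_sample_pcap())
    for r in recs:
        flag = " TRUNCATED" if r.incl_len < r.orig_len else ""
        print(f"{r.src_ip} -> {r.dst_ip} proto={r.proto} {r.incl_len}/{r.orig_len} bytes{flag}")
```

Run it against a real export by replacing `build_sample_pcap()` with the bytes read from the downloaded file; a non-empty `truncated()` list means the capture was taken without a large enough packet-length and the payload you want to inspect is simply not there, so the capture has to be redone rather than analyzed harder.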


And REMEMBER: if you're creating a packet capture for a problem that also needs some debugs taken, make sure that the debugs are taken at the same time as the captures. If you don't, you're making everyone's life hard.
