Cisco ASA Packet capture

Within the Cisco ASA you can capture packets from the CLI or from ASDM. Here I will be demonstrating the CLI method. You can find the ASDM method under Wizards > Packet Capture.

The other day I had a botnet on an internal client that would start communicating at strange hours, so it was hard to get info without a syslog server. I created an ACL within the ASA with the destination IP and then started a capture to get all traffic going to that destination. Below are the steps.

1. Create ACL to grab traffic you want to capture

access-list Botnet ext per ip any host x.x.x.x

2. Start the capture to grab the ACL traffic

capture Botnet-traffic interface inside access-list Botnet

3. Check the traffic capture:

show capture Botnet-traffic

All commands shown below:

config t

access-list Botnet ext per ip any host x.x.x.x
capture Botnet-traffic interface inside access-list Botnet

show capture Botnet-traffic
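Once the capture fills up, the interesting questions are which inside host is talking and at what hours. Here is an added Python example (not part of the original post) that parses constructed sample lines in the tcpdump-style format that show capture prints and tallies the inside talkers and their active hours; the line format and the 198.51.100.9 / 192.0.2.x addresses are assumptions, so check the regex against your own device's output.

```python
import re
from collections import Counter

# Constructed sample of `show capture Botnet-traffic` output. The format is
# assumed to match the tcpdump-style lines an ASA prints; verify on your device.
SAMPLE_CAPTURE = """4 packets captured
   1: 02:13:44.120455 192.0.2.57.51234 > 198.51.100.9.443: S 1000:1000(0) win 8192
   2: 02:13:44.131002 198.51.100.9.443 > 192.0.2.57.51234: S 2000:2000(0) ack 1001 win 65535
   3: 02:14:01.009913 192.0.2.57.51235 > 198.51.100.9.443: S 1010:1010(0) win 8192
   4: 03:40:12.500000 192.0.2.88.40001 > 198.51.100.9.8080: S 1:1(0) win 8192
4 packets shown"""

# Matches "<n>: HH:MM:SS.us src.port > dst.port: <rest of line>"
LINE_RE = re.compile(
    r"^\s*(?P<n>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

def parse_capture(text):
    """Return one dict per packet line; summary lines like 'N packets captured' are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header/footer lines and anything the regex does not understand
        packets.append({
            "time": m.group("time"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "rest": m.group("rest"),
        })
    return packets

def inside_talkers(packets, destination):
    """Packets per inside host that sent traffic to the destination (replies are ignored)."""
    return Counter(p["src"] for p in packets if p["dst"] == destination)

def hours_active(packets, destination):
    """Sorted hours of day (0-23) in which something sent traffic to the destination."""
    return sorted({int(p["time"][:2]) for p in packets if p["dst"] == destination})

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(inside_talkers(pkts, "198.51.100.9"))  # which client to go and clean
    print(hours_active(pkts, "198.51.100.9"))    # the "strange hours"
```

Paste the real show capture output into SAMPLE_CAPTURE (or read it from a file) and swap in the destination from your ACL.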
