Within the Cisco ASA you can capture packets within the CLI or ASDM. Here I will be demonstrating the CLI Method. You can find the ASDM method under – wizards – packet capture
The other day I had a botnet on a internal client that would start communicating at strange hours, so it was hard to get info without a syslog server. I created a ACL within the ASA with the destination IP and then started a capture to get all traffic going to that destination. Below are the steps
1. Create ACL to grab traffic you want to capture
access-list Botnet ext per ip any host x.x.x.x
2. Start the capture to grab the ACL traffic
capture Botnet-traffic interface inside access-list Botnet
3. Check the traffic capture:
show capture Botnet-traffic
All commands show below:
config t
access-list Botnet ext per ip any host x.x.x.x
capture Botnet-traffic interface inside access-list Botnet
show capture Botnet-traffic
Recent Comments