How-to Use the Cisco ASA Built-in Packet Capture Tool

During troubleshooting it is often necessary to see what traffic is being passed between two networks or two hosts. The ASA software now features a built-in packet capture tool.

Below are the steps you need to take:

For the sake of this tutorial, let’s assume that we are troubleshooting traffic between a host with the address of 192.168.1.1 and a host with the address of 10.10.10.1.

Step 1. Define the traffic that you are interested in seeing via an ACL named “cap”:

ASA(config)#access-list cap extended permit ip host 192.168.1.1 host 10.10.10.1
ASA(config)#access-list cap extended permit ip host 10.10.10.1 host 192.168.1.1
ASA(config)#access-list cap extended permit icmp host 192.168.1.1 host 10.10.10.1
ASA(config)#access-list cap extended permit icmp host 10.10.10.1 host 192.168.1.1

Step 2. Create and start the packet capture process named “capin”:

ASA(config)#capture capin interface inside access-list cap
(The interface keyword is required: the ASA captures nothing until the capture is bound to an interface. "inside" is assumed here; use the interface on which the traffic between the two hosts arrives.)

Step 3. Generate some traffic between the two hosts.

Since our ACL in this case matches all IP and ICMP traffic between the two hosts, we can just start a simple ping between the hosts.

From the host 192.168.1.1:
ping 10.10.10.1
From the host 10.10.10.1:
ping 192.168.1.1

Step 4. Analyze the packet capture.

ASA#show capture capin
*This will output all of the traffic that it captured.
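When the capture is more than a handful of lines, reading it by eye is error-prone, and the two things a troubleshooter usually wants to know are whether traffic is flowing in both directions and whether any TCP connection attempts went unanswered on that interface. The following Python script is an added example, not part of the original post or of any Cisco tool: it parses text in the layout of "show capture" output (the sample lines are constructed for the example, not taken from a real device, and the regular expression assumes that layout), counts packets per direction between the two hosts from the tutorial, and lists TCP SYNs from 192.168.1.1 that never received a packet back on the same connection.

```python
import re
from collections import Counter

# Constructed sample in the style of "show capture capin" output on an ASA.
# These lines are made up for the example, not a capture from a real device.
SAMPLE_CAPTURE = """\
6 packets captured

   1: 10:15:01.102345 192.168.1.1 > 10.10.10.1: icmp: echo request
   2: 10:15:01.102611 10.10.10.1 > 192.168.1.1: icmp: echo reply
   3: 10:15:02.104001 192.168.1.1 > 10.10.10.1: icmp: echo request
   4: 10:15:02.104288 10.10.10.1 > 192.168.1.1: icmp: echo reply
   5: 10:15:05.300120 192.168.1.1.51234 > 10.10.10.1.22: S 1774912345:1774912345(0) win 64240 <mss 1460>
   6: 10:15:06.300455 192.168.1.1.51234 > 10.10.10.1.22: S 1774912345:1774912345(0) win 64240 <mss 1460>
6 packets shown
"""

# One packet line (assumed layout): "<n>: <hh:mm:ss.usec> <src>[.<sport>] > <dst>[.<dport>]: <rest>"
PACKET_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)


def parse_capture(text):
    """Turn show-capture text into a list of packet dicts; header/footer lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("icmp"):
            proto, flags = "icmp", ""
        elif rest.startswith("udp"):
            proto, flags = "udp", ""
        elif m.group("sport") is not None:
            proto, flags = "tcp", rest.split()[0]   # first token is the TCP flag field, e.g. "S", "S.", "P."
        else:
            proto, flags = "ip", ""
        packets.append({
            "num": int(m.group("num")),
            "ts": m.group("ts"),
            "src": m.group("src"),
            "sport": int(m.group("sport")) if m.group("sport") else None,
            "dst": m.group("dst"),
            "dport": int(m.group("dport")) if m.group("dport") else None,
            "proto": proto,
            "flags": flags,
            "rest": rest,
        })
    return packets


def analyze(packets, host_a, host_b):
    """Count packets per direction and find TCP SYNs from host_a to host_b with no reply on this capture."""
    a_to_b = sum(1 for p in packets if p["src"] == host_a and p["dst"] == host_b)
    b_to_a = sum(1 for p in packets if p["src"] == host_b and p["dst"] == host_a)

    # Every (src, sport, dst, dport) tuple seen; a reply to a SYN shows up as the reversed tuple.
    seen = {(p["src"], p["sport"], p["dst"], p["dport"]) for p in packets}
    unanswered = Counter()
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] == "S" and p["src"] == host_a and p["dst"] == host_b:
            reverse = (p["dst"], p["dport"], p["src"], p["sport"])
            if reverse not in seen:
                unanswered[(p["src"], p["sport"], p["dst"], p["dport"])] += 1

    return {
        "a_to_b": a_to_b,
        "b_to_a": b_to_a,
        "bidirectional": a_to_b > 0 and b_to_a > 0,
        "unanswered_syns": dict(unanswered),
    }


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    result = analyze(pkts, "192.168.1.1", "10.10.10.1")
    print(f"192.168.1.1 -> 10.10.10.1: {result['a_to_b']} packets")
    print(f"10.10.10.1 -> 192.168.1.1: {result['b_to_a']} packets")
    for (src, sport, dst, dport), n in result["unanswered_syns"].items():
        print(f"{n} SYN(s) from {src}:{sport} to {dst}:{dport} with no reply seen on this interface")
```

Paste the real "show capture capin" text in place of the sample and the same two checks apply: pings answered in both directions confirm the path, while repeated SYNs with no reverse packet on this interface point at a drop somewhere beyond it, which is exactly when a second capture on the other interface is worth taking.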

Step 5. Turn off the packet capture and remove the ACL:

ASA(config)#no capture capin
ASA(config)#clear configure access-list cap

Miscellaneous notes/commands:

You can clear the capture log by using this command:
ASA#clear capture capin

You can also use the pipe functionality when viewing the capture output:
ASA#show capture capin | inc 192.168.1.1

This can also be done via the ASDM, but what fun is that?
