This document shows how to capture traffic directly on the Cisco PIX/ASA firewall. That's a very powerful tool for troubleshooting.
The topology used in this test:
All traffic to and from the bastion host (172.16.1.2) has to be captured for further analysis; the IP of the inside host (10.0.1.12) is source-NATed to 172.16.1.20 when connecting to the DMZ.
This setup is based on the following PIX OS release:
pix1# show version
Cisco PIX Firewall Version 6.3(3)
...
Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
The capture command:
pix1(config)# capture
Not enough arguments.
Usage: capture [access-list ] [buffer ]
[ethernet-type ] [interface ]
[packet-length ]
[circular-buffer]
clear capture
no capture [access-list []] [circular-buffer]
[interface ]
show capture [ [access-list ] [count ]
[detail] [dump]]
Configuring the capture function:
- Write an access-list that describes the interesting traffic (optional)
- Bind a capture-statement to an interface
- Wait for traffic
- Display or download the capture
Example:
pix1(config)# access-list capture-bastion permit ip any host bastionhost
pix1(config)# access-list capture-bastion permit ip host bastionhost any
pix1(config)# capture cap1 access-list capture-bastion interface dmz
pix1(config)#
pix1(config)# show capture
capture cap1 access-list capture-bastion interface dmz
pix1(config)#
pix1(config)# show capture cap1
0 packet captured
0 packet shown
pix1(config)#
(now we ping the bastion host and access the web server)
The resulting capture on the PIX:
pix1(config)# show capture cap1 detail
9 packets captured
19:28:27.554536 000d.56a9.3bbe 000c.297c.dffa 0x0800 74: 172.16.1.20 > bastionhost:
icmp: echo request (ttl 128, id 46758)
19:28:27.555131 000c.297c.dffa 0002.b326.0704 0x0800 74: bastionhost > 172.16.1.20:
icmp: echo reply (ttl 255, id 210)
19:28:38.482488 000d.56a9.3bbe 000c.297c.dffa 0x0800 62: 172.16.1.20.3874 > bastionhost.80:
S [tcp sum ok] 306572975:306572975(0) win 65520 (DF)
(ttl 128, id 46777)
19:28:38.483159 000c.297c.dffa 0002.b326.0704 0x0800 62: bastionhost.80 > 172.16.1.20.3874:
S [tcp sum ok] 2581607285:2581607285(0) ack 306572976 win 15120
(DF) (ttl 64, id 211)
19:28:38.483419 000d.56a9.3bbe 000c.297c.dffa 0x0800 54: 172.16.1.20.3874 > bastionhost.80:
. [tcp sum ok] 306572976:306572976(0) ack 2581607286 win 65520 (DF) (ttl 128, id 46778)
19:28:38.484731 000d.56a9.3bbe 000c.297c.dffa 0x0800 402: 172.16.1.20.3874 > bastionhost.80:
P 306572976:306573324(348) ack 2581607286 win 65520 (DF) (ttl 128, id 46779)
19:28:38.485158 000c.297c.dffa 0002.b326.0704 0x0800 60: bastionhost.80 > 172.16.1.20.3874:
. [tcp sum ok] 2581607286:2581607286(0) ack 306573324 win 15120 (DF) (ttl 64, id 212)
19:28:38.488179 000c.297c.dffa 0002.b326.0704 0x0800 584: bastionhost.80 > 172.16.1.20.3874:
P 2581607286:2581607816(530) ack 306573324 win 16380 (DF) (ttl 64, id 213)
19:28:38.614714 000d.56a9.3bbe 000c.297c.dffa 0x0800 54: 172.16.1.20.3874 > bastionhost.80:
. [tcp sum ok] 306573324:306573324(0) ack 2581607816 win 64990 (DF) (ttl 128, id 46783)
9 packets shown
pix1(config)# show capture cap1 dump
13 packets captured
19:28:27.554536 172.16.1.20 > bastionhost: icmp: echo request
0x0000 4500 003c b6a6 0000 8001 29e4 ac10 0114 E..<......).....
0x0010 ac10 0102 0800 315c 0300 1900 6162 6364 ......1....abcd
0x0020 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030 7576 7761 6263 uvwabc
19:28:27.555131 bastionhost > 172.16.1.20: icmp: echo reply
0x0000 4500 003c 00d2 0000 ff01 60b8 ac10 0102 E..<......`.....
0x0010 ac10 0114 0000 395c 0300 1900 6162 6364 ......9....abcd
0x0020 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030 7576 7761 6263 uvwabc
19:28:38.482488 172.16.1.20.3874 > bastionhost.80: S 306572975:306572975(0)
win 65520
0x0000 4500 0030 b6b9 4000 8006 e9d7 ac10 0114 E..0..@.........
0x0010 ac10 0102 0f22 0050 1245 eeaf 0000 0000 .....".P.E......
0x0020 7002 fff0 1959 0000 0204 04ec 0101 0402 p....Y..........
19:28:38.483159 bastionhost.80 > 172.16.1.20.3874: S 2581607285:2581607285(0)
ack 306572976 win 15120
0x0000 4500 0030 00d3 4000 4006 dfbe ac10 0102 E..0..@.@.......
0x0010 ac10 0114 0050 0f22 99e0 3375 1245 eeb0 .....P."..3u.E..
0x0020 7012 3b10 10d3 0000 0204 04ec 0101 0402 p.;.............
Now we want to see more of the payload, so we clear the buffer and raise the packet-length:
pix1(config)# clear capture cap1
pix1(config)# show capture cap1
0 packet captured
0 packet shown
pix1(config)#
pix1(config)# capture cap1 packet-length 1500
pix1(config)#
pix1(config)# show capture
capture cap1 access-list capture-bastion packet-length 1500 interface dmz
pix1(config)#
(we access the web server again)
pix1(config)# show capture cap1 dump
...
19:40:04.374980 172.16.1.20.3876 > bastionhost.80: P 2217891186:2217891534(348)
ack 3327525020 win 65520
0x0000 4500 0184 b868 4000 8006 e6d4 ac10 0114 E....h@.........
0x0010 ac10 0102 0f24 0050 8432 5572 c656 009c .....$.P.2Ur.V..
0x0020 5018 fff0 4f1b 0000 4745 5420 2f66 6176 P...O...GET /fav
0x0030 6963 6f6e 2e69 636f 2048 5454 502f 312e icon.ico HTTP/1.
0x0040 310d 0a48 6f73 743a 2031 3732 2e31 362e 1..Host: 172.16.
0x0050 312e 320d 0a55 7365 722d 4167 656e 743a 1.2..User-Agent:
0x0060 204d 6f7a 696c 6c61 2f35 2e30 2028 5769 Mozilla/5.0 (Wi
0x0070 6e64 6f77 733b 2055 3b20 5769 6e64 6f77 ndows; U; Window
0x0080 7320 4e54 2035 2e31 3b20 656e 2d55 533b s NT 5.1; en-US;
0x0090 2072 763a 312e 372e 3529 2047 6563 6b6f rv:1.7.5) Gecko
0x00a0 2f32 3030 3431 3130 3720 4669 7265 666f /20041107 Firefo
0x00b0 782f 312e 300d 0a41 6363 6570 743a 2069 x/1.0..Accept: i
0x00c0 6d61 6765 2f70 6e67 2c2a 2f2a 3b71 3d30 mage/png,*/*;q=0
0x00d0 2e35 0d0a 4163 6365 7074 2d4c 616e 6775 .5..Accept-Langu
0x00e0 6167 653a 2064 652d 6465 2c64 653b 713d age: de-de,de;q=
0x00f0 302e 382c 656e 2d75 733b 713d 302e 352c 0.8,en-us;q=0.5,
0x0100 656e 3b71 3d30 2e33 0d0a 4163 6365 7074 en;q=0.3..Accept
0x0110 2d45 6e63 6f64 696e 673a 2067 7a69 702c -Encoding: gzip,
0x0120 6465 666c 6174 650d 0a41 6363 6570 742d deflate..Accept-
0x0130 4368 6172 7365 743a 2049 534f 2d38 3835 Charset: ISO-885
0x0140 392d 312c 7574 662d 383b 713d 302e 372c 9-1,utf-8;q=0.7,
0x0150 2a3b 713d 302e 370d 0a4b 6565 702d 416c *;q=0.7..Keep-Al
0x0160 6976 653a 2033 3030 0d0a 436f 6e6e 6563 ive: 300..Connec
0x0170 7469 6f6e 3a20 6b65 6570 2d61 6c69 7665 tion: keep-alive
0x0180 0d0a 0d0a ....
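The dump output is plain text: the summary line of the detail view, followed by rows holding an offset, up to eight 16-bit hex words and an ASCII column. As an added example that is not part of the original post, this Python script parses that text back into raw bytes and decodes the IP and TCP/ICMP fields the detail view prints; the sample dump is taken from the output above, and the truncated flag marks packets that were cut by the capture length.

```python
import re
import socket
import struct

# Sample constructed from the page's "show capture cap1 dump" output: the ICMP echo request
# (cut short by the default capture length) and the complete TCP SYN to the bastion host.
SAMPLE_DUMP = """\
19:28:27.554536 172.16.1.20 > bastionhost: icmp: echo request
0x0000 4500 003c b6a6 0000 8001 29e4 ac10 0114 E..<......).....
0x0010 ac10 0102 0800 315c 0300 1900 6162 6364 ......1....abcd
0x0020 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030 7576 7761 6263 uvwabc
19:28:38.482488 172.16.1.20.3874 > bastionhost.80: S 306572975:306572975(0)
win 65520
0x0000 4500 0030 b6b9 4000 8006 e9d7 ac10 0114 E..0..@.........
0x0010 ac10 0102 0f22 0050 1245 eeaf 0000 0000 .....".P.E......
0x0020 7002 fff0 1959 0000 0204 04ec 0101 0402 p....Y..........
"""
# a dump row: offset, then up to eight 16-bit hex words; the ASCII column is not captured
HEX_ROW = re.compile(r"^0x[0-9a-f]{4}((?: [0-9a-f]{4}){1,8})")

def parse_dump(text):
    """Split dump text into (summary line, raw IP bytes); wrapped summary lines are skipped."""
    packets, summary, rows = [], None, []
    for line in text.splitlines():
        if re.match(r"^\d\d:\d\d:\d\d\.\d+ ", line):  # a timestamp starts a new packet
            if summary:
                packets.append((summary, b"".join(rows)))
            summary, rows = line, []
        elif HEX_ROW.match(line):
            rows.append(bytes.fromhex(HEX_ROW.match(line).group(1).replace(" ", "")))
    if summary:
        packets.append((summary, b"".join(rows)))
    return packets

def decode_ipv4(raw):
    """Decode the IPv4 fields that 'show capture detail' prints, plus TCP or ICMP basics."""
    ihl, total_len, proto = (raw[0] & 0x0f) * 4, struct.unpack("!H", raw[2:4])[0], raw[9]
    raw = raw[:total_len]  # also drops a short ASCII column that happened to look like hex
    pkt = {"src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
           "ttl": raw[8], "ip_id": struct.unpack("!H", raw[4:6])[0],
           "truncated": len(raw) < total_len}  # True when packet-length cut the frame
    l4 = raw[ihl:]
    if proto == 1 and l4:
        pkt.update(proto="icmp", icmp_type=l4[0])
    elif proto == 6 and len(l4) >= 20:
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        pkt.update(proto="tcp", sport=sport, dport=dport, seq=seq, ack=ack, win=win,
                   flags=off_flags & 0x1ff, payload=l4[(off_flags >> 12) * 4:])
    return pkt
```

The decoded IP ids (46758, 46777), ports and sequence number match the values the detail view above prints for the same packets.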
We can transfer the capture to our workstation:
pix1(config)# copy capture:cap1 tftp://10.0.1.12/bastion.txt
copying Capture to tftp://10.0.1.12/bastion.txt:
pix1(config)#
C:\TFTP-Root>dir
Volume in drive C has no label.
Volume Serial Number is 5001-0224
Directory of C:\TFTP-Root
16.11.2004 18:50 .
16.11.2004 18:50 ..
16.11.2004 18:49 2.754 bastion.txt
1 File(s) 2.754 bytes
2 Dir(s) 1.801.687.040 bytes free
C:\TFTP-Root>
The capture on the workstation (viewed with Notepad):
We can also export the capture in pcap format (tcpdump):
pix1(config)# copy capture:cap1 tftp://10.0.1.12/bastion.cap pcap
copying Capture to tftp://10.0.1.12/bastion.cap:
pix1(config)#
C:\TFTP-Root>dir
Volume in drive C has no label.
Volume Serial Number is 5001-0224
Directory of C:\TFTP-Root
16.11.2004 18:55 .
16.11.2004 18:55 ..
16.11.2004 18:55 5.747 bastion.cap
16.11.2004 18:49 2.754 bastion.txt
2 File(s) 8.501 bytes
2 Dir(s) 1.801.527.296 bytes free
C:\TFTP-Root>
The capture on the workstation (viewed with Ethereal):
The capture can also be downloaded with a browser
If we want to view or download the capture with a browser, we have to enable the HTTPS server (that is done automatically if you have enabled the PDM/ASDM). This example shows the PIX v6 syntax:
pix1(config)# http server enable
pix1(config)#
pix1(config)# http 10.0.1.12 255.255.255.255 inside
pix1(config)#
pix1(config)# domain-name security-planet.de
pix1(config)#
pix1(config)# ca generate rsa key 1024
For >= 1024, key generation could
take up to several minutes. Please wait.
Keypair generation process begin.
.Success.
pix1(config)#
We can view the capture in the browser:
Or we can download the capture as pcap:
Finally, we delete the capture on the PIX:
pix1(config)# no capture cap1
pix1(config)#
pix1(config)# show capture cap1
ERROR: capture does not exist
pix1(config)# show capture
pix1(config)#
Hello Mr. Iwen,
thank you very much for your contribution about our products.
By the way: the Cisco Expo 2009 will take place in Hannover this year. Information and the possibility to register are now available at http://www.cisco-expo.de.
Kind regards
Cisco
I didn't know that capturing traffic in this way is possible. I want to ask you if this is legal, because in my country the law punishes you if you do things like this one. I think this must be used just for research, not for other purposes.
However, the tutorial seems to be simple if it is explained in a good way. Thank you!
I was recommended to this website by beloved author Sir Richard Deal, to learn how to capture a packet on a PIX or ASA Security Appliance.
The most interesting thing I found on this web page was… viewing the packet capture content through the HTTP browser. Very nice.
Regards
Meraj
Hyderabad