{"id":31,"date":"2005-07-26T18:44:54","date_gmt":"2005-07-26T17:44:54","guid":{"rendered":"http:\/\/security-planet.de\/?p=17"},"modified":"2005-07-26T18:44:54","modified_gmt":"2005-07-26T17:44:54","slug":"cisco-pix-capturing-traffic","status":"publish","type":"post","link":"https:\/\/cyber-fi.net\/index.php\/2005\/07\/26\/cisco-pix-capturing-traffic\/","title":{"rendered":"Cisco PIX\/ASA – Capturing Traffic"},"content":{"rendered":"

This document shows how to capture traffic directly at the Cisco PIX\/ASA Firewall. Thats a very powerful tool for troubleshooting.<\/p>\n\n\n
\nThe Topology used in this test:<\/strong>
\n\"Capturing<\/td>\n<\/tr>\n<\/table>\n

All traffic for the bastionhost (172.16.1.2) has to be captured for further analysis, the IP of the insidehost (10.0.1.12) is source-NATed to 172.16.1.20 when connecting to the DMZ.<\/p>\n

This setup is based on the following PixOS-Release:<\/strong><\/p>\n

\npix1# show version\n\nCisco PIX Firewall Version 6.3(3)\n...\nHardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz\nLicensed Features:\nFailover:                    Enabled\nVPN-DES:                     Enabled\nVPN-3DES-AES:                Enabled\nMaximum Physical Interfaces: 6\nMaximum Interfaces:          10\nCut-through Proxy:           Enabled\nGuards:                      Enabled\nURL-filtering:               Enabled\nInside Hosts:                Unlimited\nThroughput:                  Unlimited\nIKE peers:                   Unlimited\n<\/code><\/pre>\n
The capture-command:<\/strong><\/p>\n
\npix1(config)# capture\nNot enough arguments.\nUsage: capture  [access-list ] [buffer ]\n               [ethernet-type ] [interface ]\n               [packet-length ]\n               [circular-buffer]\n       clear capture \n       no capture  [access-list []] [circular-buffer]\n               [interface ]\n       show capture [ [access-list ] [count ]\n                     [detail] [dump]]\n<\/code><\/pre>\n
Configuring the capture-function:<\/strong><\/p>\n
    \n
  1. Write an access-list that describes the interesting traffic (optional)<\/li>\n
  2. Bind a capture-statement to an interface<\/li>\n
  3. Wait for traffic<\/li>\n
  4. Display or download the capture<\/li>\n<\/ol>\n
    Example:<\/strong><\/p>\n
    \npix1(config)# access-list capture-bastion permit ip any host bastionhost\npix1(config)# access-list capture-bastion permit ip host bastionhost any\npix1(config)# capture cap1 access-list capture-bastion interface dmz\npix1(config)#\npix1(config)# show capture\ncapture cap1 access-list capture-bastion interface dmz\npix1(config)#\npix1(config)# show capture cap1\n0 packet captured\n0 packet shown\npix1(config)#\n<\/code><\/pre>\n
    (now we ping the bastionhost and access the web-server)<\/p>\n
    The resulting capture on the PIX:<\/strong><\/p>\n
    \npix1(config)# show capture cap1 detail\n9 packets captured\n19:28:27.554536 000d.56a9.3bbe 000c.297c.dffa 0x0800 74: 172.16.1.20 > bastionhost:\n\ticmp: echo request (ttl 128, id 46758)\n19:28:27.555131 000c.297c.dffa 0002.b326.0704 0x0800 74: bastionhost > 172.16.1.20:\n\ticmp: echo reply (ttl 255, id 210)\n19:28:38.482488 000d.56a9.3bbe 000c.297c.dffa 0x0800 62: 172.16.1.20.3874 > bastionhost.80:\n\tS [tcp sum ok] 306572975:306572975(0) win 65520  (DF)\n\t(ttl 128, id 46777)\n19:28:38.483159 000c.297c.dffa 0002.b326.0704 0x0800 62: bastionhost.80 > 172.16.1.20.3874:\n\tS [tcp sum ok] 2581607285:2581607285(0) ack 306572976 win 15120\n\t (DF) (ttl 64, id 211)\n19:28:38.483419 000d.56a9.3bbe 000c.297c.dffa 0x0800 54: 172.16.1.20.3874 > bastionhost.80:\n\t. [tcp sum ok] 306572976:306572976(0) ack 2581607286 win 65520 (DF) (ttl 128, id 46778)\n19:28:38.484731 000d.56a9.3bbe 000c.297c.dffa 0x0800 402: 172.16.1.20.3874 > bastionhost.80:\n\tP 306572976:306573324(348) ack \t2581607286 win 65520 (DF) (ttl 128, id 46779)\n19:28:38.485158 000c.297c.dffa 0002.b326.0704 0x0800 60: bastionhost.80 > 172.16.1.20.3874:\n\t. [tcp sum ok] 2581607286:2581607286(0) ack 306573324 win 15120 (DF) (ttl 64, id 212)\n19:28:38.488179 000c.297c.dffa 0002.b326.0704 0x0800 584: bastionhost.80 > 172.16.1.20.3874:\n\tP 2581607286:2581607816(530) ack 306573324 win 16380 (DF) (ttl 64, id 213)\n19:28:38.614714 000d.56a9.3bbe 000c.297c.dffa 0x0800 54: 172.16.1.20.3874 > bastionhost.80:\n\t. [tcp sum ok] 306573324:306573324(0) ack 2581607816 win 64990 (DF) (ttl 128, id 46783)\n9 packets shown\n<\/code><\/pre>\n
    \npix1(config)# show capture cap1 dump\n13 packets captured\n19:28:27.554536 172.16.1.20 > bastionhost: icmp: echo request\n0x0000   4500 003c b6a6 0000 8001 29e4 ac10 0114        E..<......).....\n0x0010   ac10 0102 0800 315c 0300 1900 6162 6364        ......1....abcd\n0x0020   6566 6768 696a 6b6c 6d6e 6f70 7172 7374        efghijklmnopqrst\n0x0030   7576 7761 6263                                 uvwabc\n19:28:27.555131 bastionhost > 172.16.1.20: icmp: echo reply\n0x0000   4500 003c 00d2 0000 ff01 60b8 ac10 0102        E..<......`.....\n0x0010   ac10 0114 0000 395c 0300 1900 6162 6364        ......9....abcd\n0x0020   6566 6768 696a 6b6c 6d6e 6f70 7172 7374        efghijklmnopqrst\n0x0030   7576 7761 6263                                 uvwabc\n19:28:38.482488 172.16.1.20.3874 > bastionhost.80: S 306572975:306572975(0)\n    win 65520 \n0x0000   4500 0030 b6b9 4000 8006 e9d7 ac10 0114        E..0..@.........\n0x0010   ac10 0102 0f22 0050 1245 eeaf 0000 0000        .....\".P.E......\n0x0020   7002 fff0 1959 0000 0204 04ec 0101 0402        p....Y..........\n19:28:38.483159 bastionhost.80 > 172.16.1.20.3874: S 2581607285:2581607285(0)\n    ack 306572976 win 15120 \n0x0000   4500 0030 00d3 4000 4006 dfbe ac10 0102        E..0..@.@.......\n0x0010   ac10 0114 0050 0f22 99e0 3375 1245 eeb0        .....P.\"..3u.E..\n0x0020   7012 3b10 10d3 0000 0204 04ec 0101 0402        p.;.............\n<\/code><\/pre>\n
    Now we want to see more payload:<\/strong><\/p>\n
    \npix1(config)# clear capture cap1\npix1(config)# show capture cap1\n0 packet captured\n0 packet shown\npix1(config)#\npix1(config)# capture cap1 packet-length 1500\npix1(config)#\npix1(config)# show capture\ncapture cap1 access-list capture-bastion packet-length 1500 interface dmz\npix1(config)#\n<\/code><\/pre>\n
    (we access the web-server again)<\/p>\n
    \npix1(config)# show capture cap1 dump\n...\n19:40:04.374980 172.16.1.20.3876 > bastionhost.80: P 2217891186:2217891534(348)\n    ack 3327525020 win 65520\n0x0000   4500 0184 b868 4000 8006 e6d4 ac10 0114        E....h@.........\n0x0010   ac10 0102 0f24 0050 8432 5572 c656 009c        .....$.P.2Ur.V..\n0x0020   5018 fff0 4f1b 0000 4745 5420 2f66 6176        P...O...GET \/fav\n0x0030   6963 6f6e 2e69 636f 2048 5454 502f 312e        icon.ico HTTP\/1.\n0x0040   310d 0a48 6f73 743a 2031 3732 2e31 362e        1..Host: 172.16.\n0x0050   312e 320d 0a55 7365 722d 4167 656e 743a        1.2..User-Agent:\n0x0060   204d 6f7a 696c 6c61 2f35 2e30 2028 5769         Mozilla\/5.0 (Wi\n0x0070   6e64 6f77 733b 2055 3b20 5769 6e64 6f77        ndows; U; Window\n0x0080   7320 4e54 2035 2e31 3b20 656e 2d55 533b        s NT 5.1; en-US;\n0x0090   2072 763a 312e 372e 3529 2047 6563 6b6f         rv:1.7.5) Gecko\n0x00a0   2f32 3030 3431 3130 3720 4669 7265 666f        \/20041107 Firefo\n0x00b0   782f 312e 300d 0a41 6363 6570 743a 2069        x\/1.0..Accept: i\n0x00c0   6d61 6765 2f70 6e67 2c2a 2f2a 3b71 3d30        mage\/png,*\/*;q=0\n0x00d0   2e35 0d0a 4163 6365 7074 2d4c 616e 6775        .5..Accept-Langu\n0x00e0   6167 653a 2064 652d 6465 2c64 653b 713d        age: de-de,de;q=\n0x00f0   302e 382c 656e 2d75 733b 713d 302e 352c        0.8,en-us;q=0.5,\n0x0100   656e 3b71 3d30 2e33 0d0a 4163 6365 7074        en;q=0.3..Accept\n0x0110   2d45 6e63 6f64 696e 673a 2067 7a69 702c        -Encoding: gzip,\n0x0120   6465 666c 6174 650d 0a41 6363 6570 742d        deflate..Accept-\n0x0130   4368 6172 7365 743a 2049 534f 2d38 3835        Charset: ISO-885\n0x0140   392d 312c 7574 662d 383b 713d 302e 372c        9-1,utf-8;q=0.7,\n0x0150   2a3b 713d 302e 370d 0a4b 6565 702d 416c        *;q=0.7..Keep-Al\n0x0160   6976 653a 2033 3030 0d0a 436f 6e6e 6563        ive: 300..Connec\n0x0170   7469 6f6e 3a20 6b65 6570 2d61 6c69 7665        tion: keep-alive\n0x0180   0d0a 0d0a                                      ....\n<\/code><\/pre>\n
    We can transfer the capture to our workstation:<\/strong><\/p>\n
    \npix1(config)# copy capture:cap1 tftp:\/\/10.0.1.12\/bastion.txt\ncopying Capture to tftp:\/\/10.0.1.12\/bastion.txt:\npix1(config)#\n<\/code><\/pre>\n
    \nC:TFTP-Root>dir\n Volume in drive C has no label.\n Volume Serial Number is 5001-0224\n\n Directory of C:TFTP-Root\n\n16.11.2004  18:50          .\n16.11.2004  18:50          ..\n16.11.2004  18:49             2.754 bastion.txt\n               1 File(s)          2.754 bytes\n               2 Dir(s)   1.801.687.040 bytes free\n\nC:TFTP-Root>\n<\/code><\/pre>\n
    The capture on the workstation (viewed with notepad):<\/strong>
    \n\"Capturing<\/p>\n
    We can also export the capture in pcap-format (tcpdump):<\/strong><\/p>\n
    \npix1(config)# copy capture:cap1 tftp:\/\/10.0.1.12\/bastion.cap pcap\ncopying Capture to tftp:\/\/10.0.1.12\/bastion.cap:\npix1(config)#\n<\/code><\/pre>\n
    \nC:TFTP-Root>dir\n Volume in drive C has no label.\n Volume Serial Number is 5001-0224\n\n Directory of C:TFTP-Root\n\n16.11.2004  18:55             .\n16.11.2004  18:55             ..\n16.11.2004  18:55             5.747 bastion.cap\n16.11.2004  18:49             2.754 bastion.txt\n               2 File(s)          8.501 bytes\n               2 Dir(s)   1.801.527.296 bytes free\n\nC:TFTP-Root>\n<\/code><\/pre>\n
    The capture on the workstation (viewd with Ethereal):<\/strong>
    \n\"Capturing<\/p>\n
    The capture can also be downloaded with a browser<\/strong>
    \nIf we want to view or download the capture with a browser we have to activate the https-server (thats automatically done if you have activated the PDM\/ASDM). This Example shows the PIXv6 syntax:<\/p>\n
    \npix1(config)# http server enable\npix1(config)#\npix1(config)# http 10.0.1.12 255.255.255.255 inside\npix1(config)#\npix1(config)# domain-name security-planet.de\npix1(config)#\npix1(config)# ca generate rsa key 1024\nFor  >= 1024, key generation could\n  take up to several minutes. Please wait.\nKeypair generation process begin.\n.Success.\n\npix1(config)#\n<\/code><\/pre>\n
    We can view the capture in the browser:<\/strong>
    \n\"Capturing<\/p>\n
    Or we can download the capture as pcap:<\/strong>
    \n\"Capturing<\/p>\n
    Finally we delete the capture on the PIX:<\/strong><\/p>\n
    \npix1(config)# no capture cap1\npix1(config)#\npix1(config)# show capture cap1\nERROR: capture  does not exist\npix1(config)# show capture\npix1(config)#\n<\/code><\/pre>\n
    http:\/\/rcm-de.amazon.de\/e\/cm?t=lan2wan-21&o=3&p=8&l=as1&asins=1587054574&fc1=000000&IS2=1&lt1=_blank&m=amazon&lc1=0000FF&bc1=000000&bg1=FFFFFF&f=ifr<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    This document shows how to capture traffic directly at the Cisco PIX\/ASA Firewall. Thats a very powerful tool for troubleshooting.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[5,7],"tags":[112,358,472],"class_list":["post-31","post","type-post","status-publish","format-standard","hentry","category-cisco","category-cisco-security","tag-capture","tag-konfiguration","tag-pix-asa"],"_links":{"self":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/31","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/comments?post=31"}],"version-history":[{"count":0,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/31\/revisions"}],"wp:attachment":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media?parent=31"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/categories?post=31"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/tags?post=31"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}