Cisco ASA Series CLI Configuration Manual page 2093

Software version 9.0 for the services module
Chapter 1
Troubleshooting
Command

[cluster exec] capture capture_name [type {asp-drop all [drop-code] | tls-proxy | raw-data | lacp | isakmp [ikev1 | ikev2] | decrypted | webvpn user webvpn-user [url url]}] [access-list access_list_name] [buffer buf_size] [ethernet-type type] [interface interface_name] [reinject-hide] [packet-length bytes] [circular-buffer] [trace trace_count] [real-time] [trace] [match prot {host source-ip | source-ip mask | any} {host destination-ip | destination-ip mask | any} [operator port]]

Example:
hostname# capture captest interface inside

Purpose

Enables packet capture capabilities for packet sniffing and network fault isolation.

The access-list access_list_name keyword argument pair captures traffic that matches an access list. In multiple context mode, this is only available within a context.

The any keyword specifies any IP address instead of a single IP address and mask.

The all keyword captures all the packets that the ASA drops. The asp-drop [drop-code] keyword argument pair captures packets dropped by the accelerated security path. The drop-code specifies the type of traffic that is dropped by the accelerated security path. See the show asp drop frame command for a list of drop codes. If you do not enter the drop-code argument, then all dropped packets are captured. You can enter this keyword with the packet-length, circular-buffer, and buffer keywords, but not with the interface or ethernet-type keyword. In a cluster, dropped forwarded data packets from one unit to another are also captured. In multiple context mode, when this option is issued in system context, all dropped data packets are captured; when this option is issued in a user context, only dropped data packets that enter from interfaces belonging to the user context are captured.

The buffer buf_size keyword argument pair defines the buffer size used to store the packet in bytes. When the byte buffer is full, packet capture stops. When used in a cluster, this is the per-unit size, not the sum of all units.

The capture_name argument specifies the name of the packet capture. Use the same name on multiple capture statements to capture multiple types of traffic. When you view the capture configuration using the show capture command, all options are combined on one line.

The circular-buffer keyword overwrites the buffer, starting from the beginning, when the buffer is full.

The cluster exec keyword is used only in a clustering deployment as a wrapper CLI prefix, can be used with the capture and show capture commands, and enables you to issue the capture command in one unit and run the command in all the other units at the same time.

The decrypted keyword enables decrypted TCP data to be encapsulated with L2-L4 headers, then captured by the capture engine.

The ethernet-type type keyword argument pair selects an Ethernet type to capture. Supported Ethernet types include 8021Q, ARP, IP, IP6, IPX, LACP, PPPOED, PPPOES, RARP, and VLAN. An exception occurs with the 802.1Q or VLAN type. The 802.1Q tag is automatically skipped and the inner Ethernet type is used for matching.

The host ip keyword argument pair specifies the single IP address of the host to which the packet is being sent.

The interface interface_name keyword argument pair sets the name of the interface on which to use packet capture. You must configure an interface for any packets to be captured. You can configure multiple interfaces using multiple capture commands with the same name. To capture packets on the dataplane of an ASA, you can use the interface keyword with "asa_dataplane" as the interface name. You can specify "cluster" as the interface name to capture the traffic on the cluster control link interface. The interface names "cluster" and "asa_dataplane" are fixed and not configurable. If the type lacp capture is configured, the interface name is the physical name.

The isakmp keyword captures ISAKMP traffic. This is not available in multiple context mode. The ISAKMP subsystem does not have access to the upper layer protocols. The capture is a pseudo capture, with the physical, IP, and UDP layers combined together to satisfy a PCAP parser. The peer addresses are obtained from the SA exchange and are stored in the IP layer. Use the ikev1 or ikev2 keywords to capture only IKEv1 or IKEv2 protocol information.

The lacp keyword captures LACP traffic. If configured, the interface name is the physical interface name. The trace, match, and access-list keywords cannot be used together with the lacp keyword.
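
The keyword restrictions stated above can be checked before a capture line is pushed to a device. The following is an added example, not Cisco code and not part of the original guide: a small Python lint that applies only the rules stated on this page. The function names, the sample lines and the case-insensitive Ethernet type match are assumptions made for illustration.

```python
# Added example: lint ASA "capture" command lines against the keyword
# restrictions stated in the Purpose text. This is not the ASA parser; it
# checks only those stated rules on whitespace-split tokens.
ETHERNET_TYPES = {"8021Q", "ARP", "IP", "IP6", "IPX", "LACP",
                  "PPPOED", "PPPOES", "RARP", "VLAN"}

# Constructed sample lines (the first is the guide's own example).
SAMPLES = [
    "capture captest interface inside",
    "capture drops type asp-drop all interface inside",
    "cluster exec capture lacpcap type lacp interface gigabitethernet0/0 trace",
]


def _value_after(tokens, keyword):
    """Return the token following keyword, or None if absent or last."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def lint_capture(line, multiple_context=False):
    """Return a list of rule violations for one capture command line."""
    tokens = line.split()
    if tokens[:2] == ["cluster", "exec"]:   # wrapper prefix used in clustering
        tokens = tokens[2:]
    if len(tokens) < 2 or tokens[0] != "capture":
        return ["not a capture command"]
    opts = tokens[2:]                        # everything after capture_name
    cap_type = _value_after(opts, "type")
    problems = []
    if cap_type == "asp-drop":
        for kw in ("interface", "ethernet-type"):
            if kw in opts:
                problems.append(f"asp-drop cannot be combined with {kw}")
    if cap_type == "lacp":
        for kw in ("trace", "match", "access-list"):
            if kw in opts:
                problems.append(f"lacp cannot be combined with {kw}")
    if cap_type == "isakmp" and multiple_context:
        problems.append("isakmp capture is not available in multiple context mode")
    eth = _value_after(opts, "ethernet-type")
    # Assumption: the type name is compared case-insensitively.
    if "ethernet-type" in opts and (eth is None or eth.upper() not in ETHERNET_TYPES):
        problems.append(f"unsupported ethernet-type: {eth}")
    return problems
```

Because the same capture name can be reused across several capture statements, the lint treats each line on its own and does not require an interface on every line.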
Cisco ASA Series CLI Configuration Guide
Capturing Packets
1-3