Thursday, November 25, 2010

Full packet capture on Cisco Firewall

Via opensourceforensics.org

Create and fire up the packet capture
# capture MYCAP interface IFNAME packet-length 1500 buffer SIZE

The above command captures every packet seen on that interface, which fills the buffer fast on a busy link. To narrow it down, reference an access list when you create the capture, like so:
# capture MYCAP interface IFNAME packet-length 1500 access-list 777 buffer SIZE

Define access-list 777 before attaching it. Only packets the list permits are captured, so include entries for both directions of the conversation you are after, not just the client-to-server side. 777 is just a name here; any other access-list name works.

Stop the capture
# no capture MYCAP interface IFNAME

Detaching the capture from the interface stops it collecting packets but keeps the buffer, so you can still pull the data off. Note that the capture also stops on its own once the buffer holds SIZE bytes (unless you created it with the circular-buffer option), so check that it did not fill up before assuming you have the whole conversation.

Retrieve the captured data
Point your browser at the firewall's HTTPS management URL like so:
https://FW-IP-address/capture/MYCAP/pcap
This only works from an address the ASA's HTTP server is configured to accept connections from, and you will be prompted for an admin login. Save the pcap file and open it with Wireshark or a similar tool. Packets longer than the packet-length you configured are cut short in the file, so raise it if you need full payloads.
Note: you can also copy the capture to a TFTP server from the ASA CLI; ask for pcap format rather than the default text dump.
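Before trusting what you just downloaded, it is worth checking that the file is a complete pcap and whether the ASA's packet-length cut any packets short. The following is an added example, not code from the original post or from Cisco: it parses the classic libpcap format that Wireshark expects (assumed to be what the /pcap URL returns), counts records, flags packets whose original length exceeds the captured length, and detects a download that ended mid-record. The sample pcap is constructed in memory with build_pcap so the checker runs offline; in use you would pass the bytes read from the downloaded file.

```python
import struct
from typing import Dict, List

# Classic libpcap magic (microsecond timestamps), as it appears on disk
# in little- and big-endian files respectively.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"

# Assumption: the capture was created with "packet-length 1500" as in the post.
ASA_PACKET_LENGTH = 1500


def build_pcap(frames: List[bytes], snaplen: int, little_endian: bool = True) -> bytes:
    """Build a pcap file in memory from raw frames (constructed sample data for
    the offline demo; a real file comes from the firewall's /capture URL).
    Frames longer than snaplen are stored truncated, as a capture device does."""
    end = "<" if little_endian else ">"
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack(end + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack(end + "IIII", 1_000_000 + i, 0, len(kept), len(frame))
        out += kept
    return out


def summarize_pcap(data: bytes) -> Dict[str, int]:
    """Walk every record of a classic pcap file and report what a size-limited
    firewall capture may be hiding: truncated packets and a partial file."""
    if len(data) < 24:
        raise ValueError("file is shorter than a pcap global header")
    if data[:4] == PCAP_MAGIC_LE:
        end = "<"
    elif data[:4] == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic %r)" % data[:4])
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])

    off, packets, truncated, captured_bytes = 24, 0, 0, 0
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("record %d runs past end of file (partial download?)" % (packets + 1))
        packets += 1
        captured_bytes += incl_len
        if orig_len > incl_len:  # the device kept fewer bytes than were on the wire
            truncated += 1
        off += incl_len
    return {
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": packets,
        "truncated": truncated,
        "captured_bytes": captured_bytes,
        "trailing_bytes": len(data) - off,  # non-zero means a record header was cut off
    }


def check_capture(data: bytes, packet_length: int = ASA_PACKET_LENGTH) -> List[str]:
    """Return human-readable warnings about a downloaded capture; empty means
    the file looks complete and nothing was truncated."""
    s = summarize_pcap(data)
    warnings = []
    if s["snaplen"] != packet_length:
        warnings.append("snaplen %d in file differs from configured packet-length %d"
                        % (s["snaplen"], packet_length))
    if s["truncated"]:
        warnings.append("%d of %d packets were cut short; raise packet-length on the capture"
                        % (s["truncated"], s["packets"]))
    if s["trailing_bytes"]:
        warnings.append("%d trailing bytes after the last record; the download may be incomplete"
                        % s["trailing_bytes"])
    return warnings


if __name__ == "__main__":
    # Constructed sample: a minimal 60-byte frame, a 1500-byte frame, and a
    # full-size 1514-byte Ethernet frame that a 1500-byte packet-length truncates.
    sample = build_pcap([bytes(60), bytes(1500), bytes(1514)], snaplen=1500)
    print(summarize_pcap(sample))
    for w in check_capture(sample):
        print("WARNING:", w)
```

If check_capture reports truncation, recreate the capture with a larger packet-length before repeating the test; if it reports trailing bytes, the download stopped early and the file on the firewall (still in the buffer until you run no capture MYCAP) should be fetched again.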

Clean-up
# no capture MYCAP

This deletes the capture and frees its buffer, so run it only after the pcap is safely downloaded.
