First, run your capture:
1) Create an access list that matches the packets you are interested in seeing, e.g.:
#access-list TESTCAP extended permit tcp 10.10.10.0 255.255.255.0 host 10.10.10.254 eq ldap
2) Create the capture on your ASA:
#capture TESTCAP access-list TESTCAP interface INSIDE
Let that run. Once you have collected enough data (use sh capture TESTCAP to view the capture), transfer the capture file (pcap) to your local machine to view in a packet analyser program such as Wireshark:
1) Download and install a TFTP server program (I used SolarWinds TFTP Server) and then start the server.
2) From the firewall concerned, change to the system context, then run the following:
#changeto context system
#copy /pcap capture:[ContextName]/TESTCAP tftp:
You will be asked for the destination IP - this is the IP of the laptop that is running the TFTP server.
Note - [ContextName] should be the name of the context that the capture is running on.
3) Check the TFTP-root folder on your local machine to verify the transfer was successful.
4) Open Wireshark, then open the pcap file from there.
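The check in step 3 can go further than confirming the file exists. The following is an added example, not part of the original post: it parses the transferred file as a classic pcap, raises an error if it is damaged or truncated, and counts the frames that match the TESTCAP access list from step 1. The function names and the sample packet are constructed for illustration, and it assumes the ASA wrote untagged Ethernet frames in classic pcap format.

```python
import ipaddress
import struct
import sys

# Assumption: these values mirror the TESTCAP access list from step 1.
SRC_NET = ipaddress.ip_network("10.10.10.0/24")
DST_HOST = ipaddress.ip_address("10.10.10.254")
DST_PORT = 389  # "eq ldap"

def matches_acl(frame):
    """True if an untagged Ethernet/IPv4/TCP frame matches the TESTCAP entry."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return False
    tcp = 14 + (frame[14] & 0x0F) * 4  # TCP header starts after the IP header
    if len(frame) < tcp + 4:
        return False
    src, dst = ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])
    dport = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    return src in SRC_NET and dst == DST_HOST and dport == DST_PORT

def summarize_pcap(data):
    """Return (total_packets, packets_matching_acl); raise ValueError if damaged."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file (bad magic or short header)")
    total = matched = 0
    pos = 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header after %d packets" % total)
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet data after %d packets" % total)
        total, matched, pos = total + 1, matched + matches_acl(frame), pos + 16 + incl_len
    return total, matched

def sample_pcap():
    """Constructed one-packet capture: 10.10.10.5:50000 -> 10.10.10.254:389 (SYN)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 10, 10, 5]), bytes([10, 10, 10, 254]))
    tcp = struct.pack("!HHIIBBHHH", 50000, 389, 0, 0, 0x50, 0x02, 8192, 0, 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    print("packets: %d, matching TESTCAP: %d" % summarize_pcap(data))
```

Run it with the path of the file in your TFTP-root folder as the only argument; with no argument it checks the constructed sample.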