
How can I tweak packet captures on my ASA5510??

dannyrushton asked | Medium Priority | 912 Views | Last Modified: 2012-05-06
Hello all,
I have recently installed an ASA 5510 (outside interface on a 10mb leased line) which will host a number of services. At the moment, it is only handling web requests from inside our company.

I have been monitoring the traffic flow on this 10mb line to ascertain how much bandwidth our internet traffic uses and noticed every hour, on the hour there is a sudden rush of inbound and outbound traffic (this happens 24 hours a day at 50 minutes past each hour). Interface monitoring shows the source of the traffic is our Inside network.

To find out what is sending/receiving this data, I set a packet capture up this morning at 7:30 am. This was done by creating the access list (theory: it should capture everything as everything will match that list):
#access-list INSIDE_ACCESS_IN permit ip any any
#access-group INSIDE_ACCESS_IN in interface inside
#capture inside_interface access-list INSIDE_ACCESS_IN interface Inside

At 8am I performed the...
#show capture inside_interface
...command. A sample of the output is below:
   
2: 18:15:23.719811 70.42.153.135.80 > 192.168.0.71.4705: P 2675336381:2675336825(444) ack 4112385865 win 64583
3: 18:15:23.719979 70.42.153.135.80 > 192.168.0.71.4705: P 2675336825:2675337006(181) ack 4112385865 win 64583
4: 18:15:33.995218 70.42.153.135.80 > 192.168.0.71.4705: . ack 4112386817 win 65535
5: 18:15:33.998483 70.42.153.135.80 > 192.168.0.71.4705: P 2675337006:2675337450(444) ack 4112386817 win 65535
6: 18:15:33.998666 70.42.153.135.80 > 192.168.0.71.4705: P 2675337450:2675337631(181) ack 4112386817 win 65535
7: 18:15:43.253664 192.168.3.217 > 64.233.183.147: icmp: echo request

All of the capture seemed to span from 18:15 to 18:49. I am bamboozled by this as I only created the access list at 7:30 this morning and applied it at this time. The capture was set to start a couple of minutes later. The time on the ASA is set to the correct time.

So... a couple of questions:
>Am I reading the capture right? This does say "this packet was captured at 18:15"?
>If I am reading the capture right, why does the capture show packets from 18:15 when the capture was only set at 07:30? Does it log everything and show you packets that matched the access lists when you tell it to do so at a later date?
>How can I get a capture to run from 22:00 tonight until 07:00 tomorrow and grab all these mystery flows of data that happen on the hour (I would rather do this on the ASA as opposed to other methods if possible).
>A slightly different line of question: I have set the time on the ASA through the ASDM GUI. I don't really trust the GUI as much as the cmd line. How can I set the time from the cmd line. Searched Cisco.com and couldn't find out (hence I used the ASDM).

Any comments gratefully accepted
Danny  
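One way to run the overnight capture and check the clock from the CLI, as an added example that is not part of the original thread or of Cisco's documentation: the ACL and capture names (CAP_ALL, nightcap), the timezone, the date given to clock set and the TFTP host 192.0.2.10 are assumptions to replace with your own. It uses only the standard ASA capture, clock and copy commands; the capture ACL is referenced by the capture command and does not need to be bound with access-group, so the existing interface policy is untouched.

```text
! Added example for the ASA CLI (not from the original thread).
! Typed in privileged EXEC mode; "configure terminal" / "end" bracket config-mode lines.
! Names (CAP_ALL, nightcap), the timezone, the date and the TFTP host are assumptions.

! --- 1. Verify the clock before capturing: capture timestamps come from it. ---
show clock
configure terminal
 ! assumed timezone; use your own (zone name, offset in hours)
 clock timezone GMT 0
 ! hh:mm:ss day month year (placeholder date)
 clock set 21:55:00 6 May 2012
end
show clock

! --- 2. An ACL for the capture; it is NOT applied with access-group. ---
configure terminal
 access-list CAP_ALL extended permit ip any any
end

! --- 3. Start the capture just before 22:00. ---
! buffer          bytes kept in memory (default is 512 KB, which fills in seconds
!                 on a 10 Mb link; the maximum depends on platform and version)
! circular-buffer when full, overwrite the oldest packets instead of stopping
! packet-length   keep only the first 96 bytes of each packet: headers are enough
!                 to see who talks to whom, and the buffer holds many more packets
capture nightcap access-list CAP_ALL interface inside buffer 10485760 circular-buffer packet-length 96

! --- 4. Next morning: check what was kept, look at the burst window, export. ---
! the status line reports bytes captured against the buffer size, so you can
! tell whether the buffer wrapped during the night
show capture nightcap
! frames timestamped 06:50 to 06:59 (the "50 minutes past" burst)
show capture nightcap | include 06:5
! placeholder TFTP host; the .pcap opens in Wireshark
copy /pcap capture:nightcap tftp://192.0.2.10/nightcap.pcap
! stop the capture and free the buffer
no capture nightcap
```

A circular buffer keeps the newest packets, so if the burst you care about is several hours before the buffer is read, either narrow the ACL (for example to the inside subnet, or excluding the known web traffic on port 80) or accept that only the last few bursts survive; the byte count shown by show capture tells you how much of the night the buffer actually covers.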

Commented:
the best logging will be using a syslog server (using any pc behind asa running tftp).

More details on :
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml


Commented:
sorry not running tftp but snmp..

Commented:
Check into a program called Wireshark. You can configure the ASA to use it as a capture program.

Author

Commented:
I've got Wireshark installed on my desktop - do I set the capture through Wireshark? I assume I'd have to advise the ASA of my IP address (it's a static) as a syslog dumping point?
Danny
Commented:
Try going through the Tools>Packet Tracer set-up in ASDM.

Commented:
Oh, also check the Wizards>Packet Capture wizard.  I think that is more along the lines of what you want to do.

TJR

Author

Commented:
Nice one for the reply TJR,
Slight problem encountered - I'm running ASDM 5.0 and it doesn't seem to have either the packet tracer set-up or the Wizards>Packet Capture wizard options available :o(
Danny

Commented:
Yikes!  Sorry.  It looks like if you can upgrade to ASDM 5.2 you gain the options listed before.


TJR

Commented:
Wouldn't recommend Wireshark,
it's good for LAN monitoring but not WAN.
Sure, you can use a filter and also configure your switch port as a SPAN port (enable promiscuous mode); otherwise it will only show traffic coming in and out of your PC.

My suggestion is still to either run syslog server or run asdm logging overnight.

Author

Commented:
Thanks both - found a workaround for it in the end. Have split points accordingly. Will look into permanent syslog setup when all services on the ASA