Solved
How can I tweak packet captures on my ASA5510??

Posted on 2009-02-10
Medium Priority
884 Views
Last Modified: 2012-05-06
Hello all,
I have recently installed an ASA 5510 (outside interface on a 10mb leased line) which will host a number of services. At the moment, it is only handling web requests from inside our company.

I have been monitoring the traffic flow on this 10mb line to ascertain how much bandwidth our internet traffic uses and noticed every hour, on the hour there is a sudden rush of inbound and outbound traffic (this happens 24 hours a day at 50 minutes past each hour). Interface monitoring shows the source of the traffic is our Inside network.

To find out what is sending/receiving this data, I set a packet capture up this morning at 7:30 am. This was done by creating the access list (theory: it should capture everything as everything will match that list):
#access-list INSIDE_ACCESS_IN permit ip any any
#access-group INSIDE_ACCESS_IN in interface inside
#capture inside_interface access-list INSIDE_ACCESS_IN interface Inside

At 8am I performed the...
#show capture inside_interface
...command. A sample of the output is below:
   
2: 18:15:23.719811 70.42.153.135.80 > 192.168.0.71.4705: P 2675336381:2675336825(444) ack 4112385865 win 64583
3: 18:15:23.719979 70.42.153.135.80 > 192.168.0.71.4705: P 2675336825:2675337006(181) ack 4112385865 win 64583
4: 18:15:33.995218 70.42.153.135.80 > 192.168.0.71.4705: . ack 4112386817 win 65535
5: 18:15:33.998483 70.42.153.135.80 > 192.168.0.71.4705: P 2675337006:2675337450(444) ack 4112386817 win 65535
6: 18:15:33.998666 70.42.153.135.80 > 192.168.0.71.4705: P 2675337450:2675337631(181) ack 4112386817 win 65535
7: 18:15:43.253664 192.168.3.217 > 64.233.183.147: icmp: echo request

All of the capture seemed to span from 18:15 to 18:49. I am bamboozled by this as I only created the access list at 7:30 this morning and applied it at this time. The capture was set to start a couple of minutes later. The time on the ASA is set to the correct time.

So... a couple of questions:
>Am I reading the capture right? This does say "this packet was captured at 18:15"?
>If I am reading the capture right, why does the capture show packets from 18:15 when the capture was only set at 07:30? Does it log everything and show you packets that matched the access lists when you tell it to do so at a later date?
>How can I get a capture to run from 22:00 tonight until 07:00 tomorrow and grab all these mystery flows of data that happen on the hour (I would rather do this on the ASA as opposed to other methods if possible).
>A slightly different line of question: I have set the time on the ASA through the ASDM GUI. I don't really trust the GUI as much as the cmd line. How can I set the time from the cmd line. Searched Cisco.com and couldn't find out (hence I used the ASDM).

Any comments gratefully accepted
Danny  
Question by:dannyrushton
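A worked way of reading the `show capture` output quoted in the question, added here as an illustration and not part of the original post or any reply: a Python script that parses the one-line-per-packet summary form, totals the TCP payload bytes seen for each inside host and reports the time window the buffer actually covers. It assumes the inside network is 192.168.0.0/16 (an assumption taken from the addresses in the sample) and that the capture text was saved to a file or pasted in as shown. The time-window part matters because a capture buffer is finite and, unless configured as circular, stops filling once full, so the first and last timestamps tell you whether the buffer covers the window you meant to watch.

```python
"""Summarise Cisco ASA `show capture` text output.

Added example: parses the one-line-per-packet summary form, totals the TCP
payload bytes seen for each inside host and reports the time window the
capture buffer covers. Assumption: the inside network is 192.168.0.0/16.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the capture lines quoted in the question.
SAMPLE_CAPTURE = """\
2: 18:15:23.719811 70.42.153.135.80 > 192.168.0.71.4705: P 2675336381:2675336825(444) ack 4112385865 win 64583
3: 18:15:23.719979 70.42.153.135.80 > 192.168.0.71.4705: P 2675336825:2675337006(181) ack 4112385865 win 64583
4: 18:15:33.995218 70.42.153.135.80 > 192.168.0.71.4705: . ack 4112386817 win 65535
5: 18:15:33.998483 70.42.153.135.80 > 192.168.0.71.4705: P 2675337006:2675337450(444) ack 4112386817 win 65535
6: 18:15:33.998666 70.42.153.135.80 > 192.168.0.71.4705: P 2675337450:2675337631(181) ack 4112386817 win 65535
7: 18:15:43.253664 192.168.3.217 > 64.233.183.147: icmp: echo request
"""

# Assumption: the poster's inside network; adjust to your own prefixes.
INSIDE_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# "<n>: <hh:mm:ss.usec> <src> > <dst>: <protocol details>"
LINE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s+(?P<rest>.*)$"
)
# tcpdump-style "seq:seq(len)" on TCP segments that carry data
PAYLOAD_RE = re.compile(r"\((\d+)\)")


def split_endpoint(endpoint):
    """'a.b.c.d.port' -> (ip, port); a bare 'a.b.c.d' (ICMP) -> (ip, None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_line(line):
    """Return a packet dict for one summary line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    rest = m["rest"]
    proto = "icmp" if rest.startswith("icmp") else "tcp"
    plm = PAYLOAD_RE.search(rest)
    payload = int(plm.group(1)) if plm else 0  # pure ACKs and ICMP show no length
    return {"num": int(m["num"]), "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "payload": payload}


def summarize(text, inside_nets=INSIDE_NETS):
    """Per-inside-host byte/packet totals plus the first/last timestamp seen."""
    def inside(ip):
        return any(ipaddress.ip_address(ip) in net for net in inside_nets)

    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    if not pkts:
        return {"packets": 0, "hosts": {}, "top_talker": None}
    hosts = defaultdict(lambda: {"packets": 0, "bytes_in": 0, "bytes_out": 0, "peers": set()})
    for p in pkts:
        if inside(p["src"]):   # outbound: the inside host is the sender
            h = hosts[p["src"]]
            h["packets"] += 1
            h["bytes_out"] += p["payload"]
            h["peers"].add(p["dst"])
        if inside(p["dst"]):   # inbound: the inside host is the receiver
            h = hosts[p["dst"]]
            h["packets"] += 1
            h["bytes_in"] += p["payload"]
            h["peers"].add(p["src"])
    first = min(p["ts"] for p in pkts)
    last = max(p["ts"] for p in pkts)
    ranked = sorted(hosts.items(), key=lambda kv: kv[1]["bytes_in"] + kv[1]["bytes_out"], reverse=True)
    return {
        "packets": len(pkts),
        "first": first.strftime("%H:%M:%S.%f"),
        "last": last.strftime("%H:%M:%S.%f"),
        "duration_s": (last - first).total_seconds(),
        "hosts": {ip: {**h, "peers": sorted(h["peers"])} for ip, h in ranked},
        "top_talker": ranked[0][0] if ranked else None,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_CAPTURE)
    print(f"{s['packets']} packets, buffer covers {s['first']} .. {s['last']} ({s['duration_s']:.1f}s)")
    for ip, h in s["hosts"].items():
        print(f"{ip:16} in={h['bytes_in']:>7}B out={h['bytes_out']:>7}B pkts={h['packets']} peers={','.join(h['peers'])}")
```

On the six sample lines the script ranks 192.168.0.71 as the top talker (1250 bytes received from 70.42.153.135 on port 80) and shows the buffer spanning about 19.5 seconds. Run over a full overnight capture it answers the question the poster is really asking: which inside host is behind the hourly burst, and whether the buffer still covered the time of the burst when the capture was read.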
Accepted Solution

by:
ricks_v earned 450 total points
ID: 23606940
The best logging will be using a syslog server (using any PC behind the ASA running TFTP).

More details on :
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

Expert Comment

by:ricks_v
ID: 23606948
Sorry, not running TFTP but SNMP.

Expert Comment

by:troeland
ID: 23610371
Check into a program called WireShark.  You can configure the ASA to use it as a capture program.

Author Comment

by:dannyrushton
ID: 23610598
I've got Wireshark installed on my desktop - do I set the capture through Wireshark? I assume I'd have to advise the ASA of my IP address (it's a static) as a syslog dumping point?
Danny

Assisted Solution

by:troeland
troeland earned 300 total points
ID: 23610714
Try going through the Tools>Packet Tracer set-up in ASDM.

Expert Comment

by:troeland
ID: 23610732
Oh, also check the Wizards>Packet Capture wizard.  I think that is more along the lines of what you want to do.

TJR

Author Comment

by:dannyrushton
ID: 23610797
Nice one for the reply TJR,
Slight problem encountered - I'm running ASDM 5.0 and it doesn't seem to have either the packet tracer set-up or the Wizards>Packet Capture wizard options available :o(
Danny

Expert Comment

by:troeland
ID: 23610955
Yikes!  Sorry.  It looks like if you can upgrade to ASDM 5.2 you gain the options listed before.


TJR

Expert Comment

by:ricks_v
ID: 23618445
Wouldn't recommend Wireshark;
it's good for LAN monitoring but not WAN.
Sure, you can use filters, and additionally configure your switch port as a SPAN port (enable promiscuous mode); otherwise it will only show traffic coming in and out of your PC.

My suggestion is still to either run syslog server or run asdm logging overnight.

Author Closing Comment

by:dannyrushton
ID: 31544966
Thanks both - found a workaround for it in the end. Have split points accordingly. Will look into permanent syslog setup when all services on the ASA