A few weeks ago I blogged on the iPhone FaceTime application and how its communication worked. Since I did the data capture on the Cisco ASA via the CLI, I thought I would share the basics of how to do that. Capturing data right on your ASA makes it much easier to troubleshoot, as well as to support new applications where you are unsure of how they work. Honestly though, we all know that good documentation comes with every in-house application, right?
For this blog post, the inside IP I wanted to capture was 192.168.0.128, talking to any outside IP address.
1. Create the appropriate access-list on your ASA for the interesting traffic. Below I am capturing any traffic to and from my iPhone (IP address 192.168.0.128). Keep in mind that a capture access-list matches the packet as it appears on the interface you capture on: on the inside interface that is the untranslated private address, whereas a capture on the outside interface would have to match the NATed address instead.
access-list capture_iphone extended permit ip host 192.168.0.128 any
access-list capture_iphone extended permit ip any host 192.168.0.128
2. From the enable prompt, create the capture. In this case I am creating a capture called iPhone that uses the access-list capture_iphone from the previous step, with a 1,000,000-byte buffer and a packet length of 2000 bytes (so whole frames are stored instead of being truncated at the default length), on the inside interface, and set to overwrite the oldest packets when the buffer is full. Without circular-buffer the capture simply stops once the buffer fills.
capture iPhone type raw-data access-list capture_iphone buffer 1000000 packet-length 2000 interface inside circular-buffer
3. Once the capture is running, you can view it with the command sh capture iPhone, or, my preference, download it from the ASA in PCAP format over HTTPS (this uses the same web server as ASDM, so http server enable and an http statement allowing your management host must be in place). The URL takes the form https://<ASA-IP>/admin/capture/<capture-name>/pcap,
or in this example: https://192.168.0.1/admin/capture/iPhone/pcap
If you would rather not use the web server, copy /pcap capture:iPhone tftp://<server>/iPhone.pcap pushes the same file to a TFTP server.
4. After you download the capture file, just open it in Wireshark and you are good to go! When you are finished, remove the capture with no capture iPhone so it stops consuming memory and CPU on the firewall.
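If you want a quick answer to "who is my iPhone talking to?" before you dig through Wireshark, the capture file can be summarised in a few dozen lines. The script below is an added example, not code from the original post or from Cisco: a stdlib-only reader for the classic libpcap file the ASA serves at the URL above, which lists the remote addresses and ports a given inside host exchanged packets with. It assumes the file carries Ethernet frames (DLT_EN10MB), which is what an ASA interface capture produces; the sample packets at the bottom, the 203.0.113.10 and 198.51.100.20 addresses, and the HOST constant are constructed test data, not taken from a real capture.

```python
"""Summarise the PCAP pulled from an ASA capture for one inside host.

Added example, not part of the original post or any Cisco tool. Assumes a
classic libpcap file with Ethernet frames (DLT_EN10MB); the sample packets
below are constructed test data rather than a real capture.
"""
import struct
import sys
from collections import Counter

HOST = "192.168.0.128"  # the inside host from the post's access-list (assumption)
PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _ipv4(raw):
    return ".".join(str(b) for b in raw)


def iter_packets(data):
    """Yield the raw frame bytes of each record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap (classic pcap) file")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != DLT_EN10MB:
        raise ValueError("expected an Ethernet capture, got link type %d" % linktype)
    off = 24  # end of the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def summarize(data, host=HOST):
    """Count packets per (direction, remote IP, protocol, remote port) for host.

    Direction is 'out' when host is the source and 'in' when it is the
    destination; remote port is None for protocols without ports (e.g. ICMP).
    """
    flows = Counter()
    for pkt in iter_packets(data):
        # need an Ethernet header (14) plus a minimal IPv4 header (20), IPv4 only
        if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
            continue
        ihl = (pkt[14] & 0x0F) * 4
        proto = pkt[23]
        src, dst = _ipv4(pkt[26:30]), _ipv4(pkt[30:34])
        if host not in (src, dst):
            continue
        l4 = 14 + ihl
        sport = dport = None
        if proto in (6, 17) and len(pkt) >= l4 + 4:
            sport, dport = struct.unpack_from("!HH", pkt, l4)
        name = PROTO_NAMES.get(proto, str(proto))
        if src == host:
            flows[("out", dst, name, dport)] += 1
        else:
            flows[("in", src, name, sport)] += 1
    return flows


def report(data, host=HOST):
    """Render the summary as one line per conversation, busiest first."""
    rows = sorted(summarize(data, host).items(), key=lambda kv: (-kv[1], kv[0][1]))
    return ["%-3s %-15s %-4s %-5s %d" % (d, ip, proto, port, n)
            for (d, ip, proto, port), n in rows]


def _frame(src, dst, proto, sport, dport):
    """Build a minimal Ethernet/IPv4 frame with a bare TCP or UDP header (test data)."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:  # 20-byte TCP header, SYN flag, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (snaplen 2000, Ethernet)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 2000, DLT_EN10MB)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


# Constructed sample: a TCP exchange with a remote host, a DNS query to the
# gateway, and one packet from a different inside host that must be ignored.
SAMPLE_PCAP = build_pcap([
    _frame("192.168.0.128", "203.0.113.10", 6, 49152, 443),
    _frame("203.0.113.10", "192.168.0.128", 6, 443, 49152),
    _frame("192.168.0.128", "192.168.0.1", 17, 50000, 53),
    _frame("192.168.0.200", "198.51.100.20", 17, 40000, 53),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print("\n".join(report(data)))
```

Run it as `python summarize_capture.py iPhone.pcap` against the file downloaded from the ASA; with no argument it prints the summary of the constructed sample. Because the script only parses the fixed-size headers, a packet-length of 2000 or the default truncation makes no difference to the result, and IPv6 or non-IP frames are simply skipped.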
There is another way to view the capture, and that is from the CLI. Below are the command options and their Cisco explanations; detail and decode are the most useful when you just want a quick look without downloading the file.
FryGuyFW-ASA# sh capture iPhone ?
access-list Display packets matching access-list
count Display <number> of packets in capture
decode Display decode information for each packet
detail Display more information for each packet
dump Display hex dump for each packet
packet-number Display packet <number> in capture
trace Display extended trace information for each packet
| Output modifiers