capture [name] interface [intf] match ip any any
Captures packets on a specified interface matching any IP traffic for troubleshooting and analysis.
Overview
The 'capture' command on Cisco ASA Firewall is a powerful diagnostic tool used to intercept and display packets traversing a specific interface. It is analogous to tcpdump on Linux or Wireshark captures, but integrated into the ASA CLI. The command allows network engineers to troubleshoot connectivity issues, verify firewall rule effectiveness, and analyze traffic patterns without requiring external sniffers. By default, captures are stored in a circular buffer in memory; the size can be configured with the 'buffer' parameter. Captures can be filtered using access-lists or match statements to focus on specific traffic, reducing noise and resource usage. This command is essential for diagnosing problems like asymmetric routing, VPN encryption failures, or application timeouts. On ASA, captures can also be used to capture traffic for security analysis, such as identifying malware communication. It is important to note that captures impact performance, so they should be used sparingly and stopped when no longer needed. The captured data can be exported in PCAP format for detailed analysis in tools like Wireshark, making it a bridge between CLI troubleshooting and deep packet inspection.
When to Use This Command
- Troubleshooting connectivity issues between two subnets by capturing traffic on the inside interface.
- Verifying that VPN traffic is being encrypted and decrypted correctly by capturing on the outside interface.
- Diagnosing asymmetric routing by capturing on multiple interfaces simultaneously.
- Analyzing application-specific traffic patterns by filtering with match criteria.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| name | word | A user-defined name for the capture session. This name is used to reference the capture in subsequent commands like 'show capture <name>' or 'no capture <name>'. |
| intf | interface name | The ASA interface on which to capture packets. Common names include 'inside', 'outside', 'dmz', or subinterfaces like 'inside.100'. |
| match ip any any | match ip any any | Specifies the traffic filter. 'ip any any' captures all IP packets. Other options include 'match tcp host 10.0.0.1 any eq 80' to filter specific protocols and hosts. |
Command Examples
Basic capture on inside interface
capture CAPINSIDE interface inside match ip any any
Starts a capture named CAPINSIDE on the inside interface, matching all IP traffic. No output is shown until the capture is viewed.
Viewing capture buffer
show capture CAPINSIDE
1: 00:01:23.456789 10.0.0.1.12345 > 192.168.1.1.80: S 123456789:123456789(0) win 65535 <mss 1460>
2: 00:01:23.456890 192.168.1.1.80 > 10.0.0.1.12345: S 987654321:987654321(0) ack 123456790 win 65535 <mss 1460>
Displays captured packets with timestamp, source/destination IP and port, TCP flags, sequence numbers, and window size. Each line is a packet.
Understanding the Output
The output of 'show capture <name>' displays each captured packet in a single line. The first field is the packet number, followed by a timestamp in hours:minutes:seconds.microseconds format. Next is the source IP and port, then the destination IP and port, separated by '>'. For TCP packets, flags (S for SYN, . for ACK, etc.), sequence numbers, acknowledgement numbers, window size, and options like MSS are shown. For UDP, only IP and port are displayed. Healthy output shows expected traffic flows; problem indicators include missing packets, unexpected sources/destinations, or retransmissions (indicated by duplicate sequence numbers).
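As an added example (not part of this reference page or of Cisco's tooling), the Python below parses 'show capture' lines in the format described above, separating TCP and UDP packets and flagging the duplicate-sequence-number retransmissions the text names as a problem indicator. The sample output it runs on is constructed, with one deliberate SYN retransmission.

```python
import re
from collections import defaultdict

# Constructed sample of 'show capture' output (not from a real device). Packet 3 repeats
# packet 1's SYN with the same sequence number (a retransmission); packet 4 is a UDP line.
SAMPLE = """\
1: 00:01:23.456789 10.0.0.1.12345 > 192.168.1.1.80: S 123456789:123456789(0) win 65535 <mss 1460>
2: 00:01:23.456890 192.168.1.1.80 > 10.0.0.1.12345: S 987654321:987654321(0) ack 123456790 win 65535 <mss 1460>
3: 00:01:24.456789 10.0.0.1.12345 > 192.168.1.1.80: S 123456789:123456789(0) win 65535 <mss 1460>
4: 00:01:24.500000 10.0.0.1.53000 > 192.168.1.1.53: udp 40
"""

# Fields common to every packet line: number, timestamp, src.port > dst.port: rest
HDR_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
# TCP detail: flags, seq:seq_end(len), optional ack and win (MSS option is ignored)
TCP_RE = re.compile(
    r"^(?P<flags>[SFRPU.]+)\s+(?P<seq>\d+):\d+\((?P<len>\d+)\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?(?:\s+win\s+(?P<win>\d+))?"
)

def parse_line(line):
    """Return one packet as a dict, or None for header/footer lines like '4 packets captured'."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    pkt = {k: m.group(k) for k in ("ts", "src", "sport", "dst", "dport")}
    pkt["num"] = int(m.group("num"))
    t = TCP_RE.match(m.group("rest"))
    if t:  # TCP: flags, sequence/ack numbers and window are present
        pkt.update(proto="tcp", flags=t.group("flags"), seq=int(t.group("seq")),
                   ack=int(t.group("ack")) if t.group("ack") else None,
                   win=int(t.group("win")) if t.group("win") else None)
    else:  # UDP (and other protocols): only the protocol keyword follows the ports
        pkt["proto"] = m.group("rest").split()[0]
    return pkt

def parse_capture(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]

def find_retransmissions(packets):
    """Packet numbers that repeat an earlier packet's (flow, seq): the duplicate-sequence sign of retransmission."""
    seen = defaultdict(list)
    for p in packets:
        if p["proto"] == "tcp":
            seen[(p["src"], p["sport"], p["dst"], p["dport"], p["seq"])].append(p["num"])
    return sorted(n for nums in seen.values() for n in nums[1:])
```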
Configuration Scenarios
Capturing traffic between two hosts
A user reports inability to reach a web server at 192.168.1.1 from host 10.0.0.1. You need to verify if packets are reaching the ASA inside interface.
Topology
[10.0.0.1] --- [ASA inside] --- [ASA outside] --- [192.168.1.1]
Steps
1. Start a capture on the inside interface matching traffic between the two hosts.
2. Reproduce the issue from the host.
3. View the capture to see if packets are arriving.
! Start capture
capture TEST interface inside match ip host 10.0.0.1 host 192.168.1.1
Verify: show capture TEST
Watch out: Ensure the capture is started before reproducing the issue, otherwise you may miss the packets.
Troubleshooting with This Command
When troubleshooting connectivity issues, the 'capture' command is invaluable. Start by identifying the interfaces involved (e.g., inside, outside) and the traffic you need to see. Use specific match filters to avoid capturing irrelevant traffic. For example, to check if traffic from a specific host is reaching the ASA, use 'capture <name> interface inside match ip host <source> any'. View the capture with 'show capture <name>'. If you see packets, the issue is likely beyond the ASA (e.g., routing, server). If no packets appear, check interface status, ACLs, or NAT rules. For asymmetric routing, capture on both interfaces simultaneously. For VPN issues, capture on the outside interface to see encrypted packets and on the inside to see decrypted packets. Compare the two to ensure encryption/decryption is occurring. Remember to stop captures with 'no capture <name>' to free resources. If the capture buffer fills quickly, increase buffer size with 'capture <name> buffer <size>'. For deep analysis, export the capture to a PCAP file using 'copy /pcap capture:<name> ftp://...' and analyze in Wireshark.
CCNA Exam Tips
Remember that captures consume CPU and memory; always stop captures when done with 'no capture <name>'.
Use 'match' filters to narrow down captures to specific protocols or hosts to avoid overwhelming output.
Know that captures can be exported via FTP or TFTP using 'copy /pcap capture:<name> ftp://...' for analysis in Wireshark.
Common Mistakes
Forgetting to stop the capture, which can lead to high CPU usage and memory exhaustion.
Not using a match filter, resulting in capturing all traffic and filling the buffer quickly.
Confusing interface names (e.g., inside vs outside) leading to capture on the wrong interface.
Platform Notes
On Cisco ASA, the 'capture' command differs from IOS in that it is session-based and can be stopped and restarted. ASA captures are stored in memory and can be exported in PCAP format. Unlike IOS, ASA does not support 'monitor capture' or 'ethernet' capture types. The ASA also supports 'capture' for capturing traffic on multiple interfaces simultaneously by using different capture names. On other platforms like Palo Alto, the equivalent is 'tcpdump' or 'packet capture' via the web interface. On Juniper SRX, 'monitor traffic' is used. ASA captures are limited to the control plane; for data plane captures, use 'capture' with 'real-time' option. Version differences: ASA 9.x introduced the ability to capture on bridge groups and VLANs. Always check the specific ASA version for syntax variations.