Diagnostics · Privileged EXEC

show capture [name]

Displays the contents of a packet capture buffer on the Cisco ASA firewall for traffic analysis and troubleshooting.

Overview

The 'show capture' command on Cisco ASA Firewall is an essential diagnostic tool that displays the contents of a packet capture buffer. Packet captures are configured using the 'capture' command, which defines a buffer to store packets matching certain criteria (e.g., interface, access-list, or packet filter). This command allows network engineers to inspect traffic in real-time or retrospectively, making it invaluable for troubleshooting connectivity issues, security policy misconfigurations, and performance problems.

The underlying concept is packet sniffing: the ASA copies packets that match the capture criteria into a memory buffer. The 'show capture' command then reads and formats this buffer for display. It supports various output options: basic summary, detailed headers, raw hex dump, and real-time streaming. The command can also filter displayed packets using the 'match' keyword, which applies a 5-tuple filter (protocol, source IP/port, destination IP/port) to the already captured data.

On Cisco ASA, captures are typically used to verify that traffic is being processed as expected. For example, if an access-list is blocking traffic, a capture on the ingress interface can confirm the packet arrives, and a capture on the egress interface can show if it is forwarded. The 'trace' option (available in some versions) can show the ASA's internal processing path. The command is also used for security incident response to extract malicious traffic for analysis. Platform-specific behavior includes the ability to capture on multiple interfaces simultaneously, and the buffer size can be adjusted to store more packets. The command is available in privileged EXEC mode and requires appropriate permissions.

Syntax · Privileged EXEC
show capture [capture-name] [access-list {acl-name}] [buffer [size]] [detail] [dump] [elapsed] [interface {interface-name}] [match {protocol} {src} {dst}] [packet-number {number}] [real-time] [trace] [type {asp-drop | raw-data | structured-data}] [verbose]

When to Use This Command

  • Verify that traffic matching an access-list is being captured correctly.
  • Inspect packet details to identify why traffic is being dropped or misrouted.
  • Monitor real-time traffic flows during incident response.
  • Extract packet data for forensic analysis using dump output.

Parameters

Parameter    | Syntax                         | Description
-------------|--------------------------------|------------------------------------------------------------
capture-name | capture-name                   | The name of the capture to display. If omitted, lists all captures. If specified, shows packets in that capture.
access-list  | access-list {acl-name}         | Displays only packets that match the specified access-list. Useful for filtering output to specific traffic patterns.
detail       | detail                         | Shows detailed packet information including IP headers, TCP/UDP headers, and options. Provides more fields than the default output.
dump         | dump                           | Displays the raw hexadecimal and ASCII dump of each packet. Useful for deep packet inspection and forensic analysis.
match        | match {protocol} {src} {dst}   | Filters displayed packets based on a 5-tuple match: protocol (e.g., tcp, udp, icmp), source IP/port, and destination IP/port. Reduces output to specific flows.
real-time    | real-time                      | Continuously displays new packets as they are captured. Press Ctrl+C to stop. Useful for live monitoring.
trace        | trace                          | Shows the ASA's internal processing path for each packet, including ACL hits, NAT translations, and drops. Requires the capture to be configured with 'trace'.

Command Examples

Display all captures

show capture
capture CAPTURE type raw-data buffer 5120000 interface inside [Capturing - 512 packets]

Lists all configured captures. Shows capture name, type, buffer size, interface, and current packet count.

Display specific capture with detail

show capture CAPTURE detail
1: 00:01:23.456789 802.1Q vlan#100 P0 10.0.0.1.12345 > 192.168.1.1.80: S 123456789:123456789(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 12345 0>

Shows detailed packet info including timestamp, VLAN, interface, IP addresses, ports, flags, sequence numbers, and TCP options.

Display capture with match filter

show capture CAPTURE match tcp host 10.0.0.1 host 192.168.1.1 eq 80
1: 00:01:23.456789 10.0.0.1.12345 > 192.168.1.1.80: S 123456789:123456789(0) win 65535

Filters output to show only packets matching the specified 5-tuple (protocol, src IP, src port, dst IP, dst port).

Display capture in real-time

show capture CAPTURE real-time
1: 00:01:23.456789 10.0.0.1.12345 > 192.168.1.1.80: S 123456789:123456789(0) win 65535
2: 00:01:23.567890 192.168.1.1.80 > 10.0.0.1.12345: S 987654321:987654321(0) ack 123456790 win 65535

Continuously displays new packets as they are captured. Press Ctrl+C to stop.

Understanding the Output

The output of 'show capture' displays captured packets in a human-readable format. Each line represents one packet. The first field is the packet number. Next is the timestamp in hours:minutes:seconds.microseconds format. For VLAN-tagged packets, the VLAN ID is shown. The interface name (e.g., P0 for inside) may appear. Then the source IP:port and destination IP:port are shown, followed by TCP flags (S for SYN, . for ACK, F for FIN, etc.), sequence numbers, acknowledgment numbers, payload size, window size, and TCP options. For non-TCP packets, the protocol (e.g., UDP, ICMP) and relevant fields are displayed.

Healthy output shows expected traffic flows with correct IP addresses and ports. Problem values include unexpected source/destination, unusual flags (e.g., RST for reset), or dropped packets indicated by 'D' or 'drop' in trace captures. High retransmissions or out-of-order packets may indicate network issues. The 'detail' option provides additional info like IP ID, TTL, and checksums. The 'dump' option outputs raw hex data for deep analysis.

Configuration Scenarios

Capturing Traffic to Troubleshoot a Blocked Connection

A user reports that they cannot reach a web server at 192.168.1.1 from host 10.0.0.1. The ASA has an access-list blocking some traffic.

Topology

[10.0.0.1] --- (inside) [ASA] (outside) --- [192.168.1.1]

Steps

  1. Create a capture on the inside interface to see incoming traffic: capture CAPTURE interface inside match tcp host 10.0.0.1 host 192.168.1.1 eq 80
  2. Create a capture on the outside interface to see outgoing traffic: capture CAPTURE_OUT interface outside match tcp host 10.0.0.1 host 192.168.1.1 eq 80
  3. Reproduce the issue (e.g., have the user attempt to access the web server).
  4. View the inside capture: show capture CAPTURE
  5. View the outside capture: show capture CAPTURE_OUT

Configuration

! Configure captures
capture CAPTURE interface inside match tcp host 10.0.0.1 host 192.168.1.1 eq 80
capture CAPTURE_OUT interface outside match tcp host 10.0.0.1 host 192.168.1.1 eq 80

Verify: Check if packets appear in the inside capture. If yes, the traffic reaches the ASA. Then check the outside capture: if packets appear, the traffic is being forwarded. If not, an ACL or NAT is blocking it.

Watch out: Ensure the capture buffer is large enough to store all packets; otherwise, older packets may be overwritten.

Troubleshooting with This Command

The 'show capture' command is a primary tool for troubleshooting traffic flow through the ASA. Start by identifying the interfaces involved and creating captures on each. For example, if traffic is not reaching a destination, capture on the ingress interface to confirm the packet arrives. If it does, capture on the egress interface to see if it is forwarded. If the packet appears on ingress but not egress, an ACL, NAT, or routing issue is likely. Use the 'match' option to focus on specific flows, reducing noise.

When troubleshooting drops, use the 'trace' option (if available) to see the ASA's internal processing. The output will show each step (e.g., input ACL, NAT, routing, output ACL) and indicate where the packet is dropped. For example, 'drop-reason: (acl-drop) Flow is denied by configured rule' indicates an ACL block. The 'detail' option provides TCP flags and sequence numbers, useful for analyzing TCP handshake issues (e.g., missing SYN-ACK).

For performance issues, check for packet loss or retransmissions. High numbers of retransmissions may indicate congestion or asymmetric routing. The 'real-time' option is useful for live monitoring during an incident. Remember to stop captures after troubleshooting to free memory. Use 'no capture <name>' to remove the capture. The command can also be used with 'show asp drop' to correlate drops with ASP drop reasons.
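The output format described under "Understanding the Output" and the ingress/egress comparison from the troubleshooting scenario are easier to apply at scale with a small parser. The following Python is an added example and is not Cisco's code or part of this page: it parses the TCP summary lines of 'show capture' output (plain and 'detail' forms, following the layout of the examples above), classifies each flow by the handshake packets present, counts SYN retransmissions, and reports flows that appear on the inside capture but not on the outside capture. The two capture texts are constructed for the page's scenario, and the comparison assumes no NAT rewrites addresses between the two interfaces (with NAT, the egress capture would show the mapped addresses and the keys would have to be translated first).

```python
"""Parse Cisco ASA 'show capture <name>' TCP summary lines and reason about them:
handshake state per flow, SYN retransmissions, and flows seen on the ingress
capture but missing from the egress capture. Added example, not Cisco's code;
the capture text is constructed and the comparison assumes no NAT in between."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed output for the page's scenario; the flow to port 80 never leaves the ASA.
INSIDE_CAPTURE = """\
1: 00:01:23.456789 10.0.0.1.12345 > 192.168.1.1.80: S 123456789:123456789(0) win 65535
2: 00:01:24.456789 10.0.0.1.12345 > 192.168.1.1.80: S 123456789:123456789(0) win 65535
3: 00:01:25.000001 10.0.0.1.12346 > 192.168.1.1.443: S 55555:55555(0) win 65535
4: 00:01:25.100002 192.168.1.1.443 > 10.0.0.1.12346: S 77777:77777(0) ack 55556 win 65535
5: 00:01:25.100500 10.0.0.1.12346 > 192.168.1.1.443: . ack 77778 win 65535
6: 00:01:26.000000 10.0.0.1.12347 > 192.168.1.1.22: S 99999:99999(0) win 65535
7: 00:01:26.000100 192.168.1.1.22 > 10.0.0.1.12347: R 0:0(0) ack 100000 win 0
"""
OUTSIDE_CAPTURE = """\
1: 00:01:25.000010 10.0.0.1.12346 > 192.168.1.1.443: S 55555:55555(0) win 65535
2: 00:01:25.100000 192.168.1.1.443 > 10.0.0.1.12346: S 77777:77777(0) ack 55556 win 65535
3: 00:01:26.000010 10.0.0.1.12347 > 192.168.1.1.22: S 99999:99999(0) win 65535
4: 00:01:26.000090 192.168.1.1.22 > 10.0.0.1.12347: R 0:0(0) ack 100000 win 0
"""

# One TCP line: number, timestamp, optional VLAN tag / interface index ('detail'), endpoints, flags, seq/ack, window.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+)\s+)?(?:P\d+\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)(?:\s+(?P<seq>\d+):\d+\(\d+\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?\s+win\s+(?P<win>\d+)")
TEXT_FIELDS = ("ts", "src", "dst", "flags")
FlowKey = Tuple[str, str]

@dataclass
class Packet:
    num: int
    ts: str
    vlan: Optional[int]   # only present in 'detail' output for tagged frames
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # S=SYN  .=ACK only  F=FIN  R=RST  P=PSH
    seq: Optional[int]    # None on pure ACKs, which carry no seq range
    ack: Optional[int]
    win: int

def parse_capture(text: str) -> List[Packet]:
    """Parse TCP summary lines; lines the regex does not understand (UDP, ICMP,
    the capture header line) are skipped rather than guessed at."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields = {k: (v if v is None or k in TEXT_FIELDS else int(v))
                      for k, v in m.groupdict().items()}
            packets.append(Packet(**fields))
    return packets

def flow_key(p: Packet) -> FlowKey:
    """Direction-independent flow id so both halves of a conversation match."""
    a, b = f"{p.src}:{p.sport}", f"{p.dst}:{p.dport}"
    return (a, b) if a < b else (b, a)

def handshake_status(packets: List[Packet]) -> Dict[FlowKey, str]:
    """'syn-only' (nothing came back), 'syn-ack-seen', 'reset' (the R flag the
    page calls out as a problem value) or 'mid-stream' (no handshake captured)."""
    seen: Dict[FlowKey, Set[str]] = {}
    for p in packets:
        tags = seen.setdefault(flow_key(p), set())
        if "R" in p.flags:
            tags.add("rst")
        elif "S" in p.flags:
            tags.add("synack" if p.ack is not None else "syn")
    labels = (("rst", "reset"), ("synack", "syn-ack-seen"), ("syn", "syn-only"))
    return {k: next((lab for tag, lab in labels if tag in tags), "mid-stream")
            for k, tags in seen.items()}

def syn_retransmits(packets: List[Packet]) -> Dict[FlowKey, int]:
    """Repeated SYNs with the same sequence number per flow: the client retrying
    because no SYN-ACK arrived. Flows without retransmissions are omitted."""
    counts: Dict[Tuple[FlowKey, Optional[int]], int] = {}
    for p in packets:
        if "S" in p.flags and p.ack is None:
            counts[(flow_key(p), p.seq)] = counts.get((flow_key(p), p.seq), 0) + 1
    return {fk: n - 1 for (fk, _), n in counts.items() if n > 1}

def flows_missing_on_egress(ingress: List[Packet], egress: List[Packet]) -> Set[FlowKey]:
    """Flows received on the ingress interface but never sent out the egress
    interface: the ACL / NAT / routing suspects from the page's scenario."""
    return {flow_key(p) for p in ingress} - {flow_key(p) for p in egress}

if __name__ == "__main__":
    inside, outside = parse_capture(INSIDE_CAPTURE), parse_capture(OUTSIDE_CAPTURE)
    for fk, status in handshake_status(inside).items():
        print(f"{fk[0]} <-> {fk[1]}: {status}, SYN retransmits: {syn_retransmits(inside).get(fk, 0)}")
    print("seen inside, missing outside:", flows_missing_on_egress(inside, outside))
```

Run it against the text of 'show capture CAPTURE' and 'show capture CAPTURE_OUT' pasted from the ASA session. A flow that is 'syn-only' on the inside with retransmissions and absent from the outside capture is the signature of the scenario above (the ASA sees the SYN but does not forward it); a 'reset' status points at the far end or an intervening device answering with RST rather than at the ASA dropping the packet.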

CCNA Exam Tips

  1. Remember that 'show capture' without arguments lists all captures; use 'show capture name' to view packets.
  2. Know that the 'real-time' option is useful for live troubleshooting but can impact performance.
  3. Understand that the 'match' filter can narrow down output to specific flows, reducing noise.

Common Mistakes

Forgetting to stop a capture with 'no capture name' after troubleshooting, which can fill the buffer and impact performance.

Using 'show capture' without specifying a capture name when multiple captures exist, resulting in no output.

Not using 'detail' when needing full packet headers, leading to incomplete analysis.

Platform Notes

On Cisco ASA, the 'show capture' command is similar to 'show packet capture' on Cisco IOS routers, but ASA captures are configured differently. In IOS, captures are often done with 'monitor capture' or 'packet capture'. On ASA, the 'capture' command is simpler and more integrated with the firewall's ACL and NAT features. ASA captures can be configured to capture traffic before or after NAT (using 'capture' with 'real' or 'mapped' keywords). The 'trace' option is unique to ASA and provides detailed processing path information.

Versions: In ASA 8.4 and later, the 'capture' command supports more options like 'trace' and 'real-time'. Earlier versions may have limited functionality. The 'show capture' output format is consistent across versions, but some fields (e.g., VLAN) may appear only in newer code. For equivalent functionality on other platforms, use 'tcpdump' on Linux or 'Wireshark' for offline analysis. On Cisco IOS-XE, use 'monitor capture' commands. The ASA's capture buffer is stored in memory; ensure sufficient free memory (use 'show memory' to check).
