Cisco Email Security Appliance

ESA Packet Capture Procedures

Document ID: 117797

Updated: Jun 11, 2014

Contributed by Jackie Fleming and Robert Sherwin, Cisco TAC Engineers.

Introduction

This document describes how to perform packet captures on the Cisco Email Security Appliance (ESA).

Prerequisites

Requirements

Cisco recommends that you have knowledge of the Cisco ESA.

Components Used

The information in this document is based on the Cisco ESA that runs any version of AsyncOS.

Background Information

When you contact IronPort Customer Support with an issue, you might be asked to provide insight into the outbound and inbound network activity of the ESA. The appliance provides the ability to intercept and display TCP, IP, and other packets that are transmitted or received over the network to which the appliance is attached. You might want to run a packet capture in order to debug the network setup and in order to verify the network traffic that reaches or leaves the appliance.

Note: This document references software that is not maintained or supported by IronPort. The information is provided as a courtesy for your convenience. For further assistance, please contact the software vendor.

It is important to note that the previously used tcpdump CLI command is replaced with the new packetcapture command in AsyncOS Versions 7.0 and later. This command offers functionality similar to the tcpdump command, and it is also available for use on the GUI.

If you run AsyncOS Version 6.x or earlier, refer to the instructions on how to use the tcpdump command in the Packet Captures on AsyncOS Versions 6.x and Earlier section of this document. Also, the filter options that are described in the Packet Capture Filters section are valid for the new packetcapture command as well.

Packet Captures on AsyncOS Versions 7.x and Later

This section describes the packet capture process on AsyncOS Versions 7.x and later.

Start or Stop a Packet Capture

In order to start a packet capture with the GUI, navigate to the Support and Help menu, select Packet Capture, and then click Start Capture. In order to stop the packet capture process, click Stop Capture.

Note: A capture that begins in the GUI is preserved between sessions.

In order to start a packet capture with the CLI, enter the packetcapture > start command. In order to stop the packet capture process, enter the packetcapture > stop command. Unlike a capture that begins in the GUI, a capture that begins in the CLI also stops when the CLI session ends.

Packet Capture Functionality

Here is a list of helpful information that you can use in order to manipulate the packet captures:

  • The ESA saves the captured packet activity to a file and stores the file locally. You can configure the maximum packet capture file size, the length of time for which the packet capture runs, and on which network interface the capture runs. You can also use a filter in order to limit the packet capture to traffic through a specific port or traffic from a specific client or server IP address.

  • Navigate to Support and Help > Packet Capture from the GUI in order to view a complete list of the packet capture files that are stored on the hard drive. When a packet capture runs, the Packet Capture page displays the status of the capture in progress with the current statistics, such as file size and the time elapsed.

  • Click the Download File button in order to download a packet capture file. You can forward it in an email to IronPort Customer Support in order to debug and troubleshoot any issues.

  • In order to delete a packet capture file, select one or more files and click Delete Selected Files.

  • In order to edit the packet capture settings with the GUI, select Packet Capture from the Support and Help menu and click Edit Settings.

  • In order to edit the packet capture settings with the CLI, enter the packetcapture > setup command.

Note: The GUI only displays packet captures that begin in the GUI, not those that begin with the CLI. Similarly, the CLI only displays the status of a current packet capture that began in the CLI. Only one capture can run at a time.

Tip: For additional information about packet capture options and filter settings, refer to the Packet Capture Filters section of this document. In order to access the AsyncOS Online Help from the GUI, navigate to Help and Support > Online Help > Index > P > Packet Capture.

Packet Captures on AsyncOS Versions 6.x and Earlier

This section describes the packet capture process on AsyncOS Versions 6.x and earlier.

Start or Stop a Packet Capture

You can use the tcpdump command in order to capture TCP/IP and other packets that are transmitted or received over a network to which the ESA is attached.

Complete these steps in order to start or stop a packet capture:

  1. Enter the diagnostic > network > tcpdump command into the CLI of the ESA. Here is an example output:

    example.com> diagnostic

    Choose the operation you want to perform:
    - RAID - Disk Verify Utility.
    - DISK_USAGE - Check Disk Usage.
    - NETWORK - Network Utilities.
    - REPORTING - Reporting Utilities.
    - TRACKING - Tracking Utilities.
    []> network

    Choose the operation you want to perform:
    - FLUSH - Flush all network related caches.
    - ARPSHOW - Show system ARP cache.
    - SMTPPING - Test a remote SMTP server.
    - TCPDUMP - Dump ethernet packets.
    []> tcpdump

    - START - Start packet capture
    - STOP - Stop packet capture

    - STATUS - Status capture
    - FILTER - Set packet capture filter
    - INTERFACE - Set packet capture interface
    - CLEAR - Remove previous packet captures
    []>
  2. Set the interface (Data 1, Data 2, or Management) and the filter.

    Note: The filter uses the same format as the Unix tcpdump command.

  3. Select START in order to begin the capture and STOP in order to end it.

    Note: Do not exit the tcpdump menu while the capture is in progress. You must use a second CLI window in order to run any other commands. Once the capture process is complete, you must use secure copy (SCP) or File Transfer Protocol (FTP) from your local desktop in order to download the files from the directory named Diagnostic (refer to the Packet Capture Filters section for details). The files use Packet Capture (PCAP) format and can be reviewed with a program such as Ethereal or Wireshark.

Packet Capture Filters

The Diagnostic > NET CLI command uses standard tcpdump filter syntax. This section provides information about tcpdump capture filters and provides some examples.

These are the standard filters that are used:

  • ip - Filters for all IP protocol traffic
  • tcp - Filters for all TCP protocol traffic
  • ip host - Filters for a specific IP address source or destination

Here are some examples of the filters in use:

  • ip host 10.1.1.1 - This filter captures any traffic that includes 10.1.1.1 as a source or destination.
  • ip host 10.1.1.1 or ip host 10.1.1.2 - This filter captures traffic that contains either 10.1.1.1 or 10.1.1.2 as a source or destination.

For retrieval of the captured file, navigate to var > log > diagnostic or data > pub > diagnostic in order to reach the Diagnostic directory.
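Once the PCAP file has been downloaded from the Diagnostic directory, it is useful to confirm that the capture actually contains the traffic the filter was meant to select before forwarding it to Support. The script below is an added example and is not Cisco code; it is not part of the AsyncOS CLI. It builds a small constructed capture in memory (Ethernet/IPv4/TCP frames with zero checksums and no payload, so it stands in for a real download), parses the classic libpcap container with only the Python standard library, and then counts TCP flows after applying the same host selection that the tcpdump expression ip host 10.1.1.1 or ip host 10.1.1.2 above would apply on the appliance. It assumes the ESA writes classic PCAP (not pcapng) with an Ethernet link type, which is the usual case for the Data and Management interfaces but is an assumption here.

```python
"""Summarize a downloaded ESA packet capture and apply a host filter.

Added example, not Cisco's code. Assumes a classic libpcap file (magic
0xA1B2C3D4, either byte order) with LINKTYPE_ETHERNET frames. Only headers
are decoded; payload bytes (which may hold SMTP message content) are never
read, so the summary can be shared without exposing mail data.
"""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport):
    """Construct one Ethernet/IPv4/TCP SYN frame (constructed sample data,
    checksums left at zero, no payload)."""
    eth = b"\x00" * 6 + b"\x11" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic PCAP: 24-byte global header
    followed by a 16-byte record header per frame."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", 1_400_000_000 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames)
    )
    return hdr + records


def sample_pcap():
    """Constructed capture: two SMTP connections from the filtered hosts and
    one unrelated HTTPS connection that a host filter should drop."""
    return build_pcap([
        build_frame("10.1.1.1", "192.0.2.25", 51000, 25),
        build_frame("10.1.1.1", "192.0.2.25", 51000, 25),
        build_frame("10.1.1.2", "192.0.2.25", 51001, 25),
        build_frame("10.9.9.9", "192.0.2.80", 52000, 443),
    ])


def iter_packets(pcap_bytes):
    """Yield (timestamp_seconds, frame_bytes) from a classic PCAP file."""
    if pcap_bytes[:4] == struct.pack("<I", PCAP_MAGIC):
        end = "<"
    elif pcap_bytes[:4] == struct.pack(">I", PCAP_MAGIC):
        end = ">"
    else:
        raise ValueError("not a classic PCAP file (pcapng is not handled here)")
    linktype, = struct.unpack_from(end + "I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap_bytes, off)
        off += 16
        yield ts_sec, pcap_bytes[off:off + incl_len]
        off += incl_len


def decode_ipv4_tcp(frame):
    """Return (src, dst, sport, dport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if frame[14 + 9] != PROTO_TCP or len(frame) < 14 + ihl + 4:
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, dst, sport, dport


def summarize(pcap_bytes, hosts=()):
    """Count packets per (src, dst, dport) flow, keeping only packets whose
    source or destination is in `hosts`; this is the selection tcpdump's
    "ip host A or ip host B" performs. An empty `hosts` keeps everything."""
    counts = Counter()
    for _ts, frame in iter_packets(pcap_bytes):
        decoded = decode_ipv4_tcp(frame)
        if decoded is None:
            continue  # non-IPv4 or non-TCP frame: outside the "ip host" filter's scope
        src, dst, _sport, dport = decoded
        if hosts and src not in hosts and dst not in hosts:
            continue
        counts[(src, dst, dport)] += 1
    return counts


if __name__ == "__main__":
    # To check a real download, replace sample_pcap() with open(path, "rb").read().
    for (src, dst, dport), n in summarize(sample_pcap(), {"10.1.1.1", "10.1.1.2"}).items():
        print(f"{src} -> {dst}:{dport}  {n} packet(s)")
```

Running the script against a real download instead of the constructed sample shows at a glance whether the capture covers the expected hosts and ports (for example, port 25 to the relay in question) or whether the interface or filter was set wrong and the capture needs to be repeated.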

Note: When this command is used, it can cause your ESA disk space to fill up, and it can also cause performance degradation. Cisco recommends that you only use this command with the assistance of a Cisco IronPort Customer Support Engineer.
