Enables packet capture capabilities for packet sniffing and network fault isolation. For the complete syntax description, see the command reference or the CLI help (help capture). Not all options can be specified in one command. See the CLI help for allowed combinations.
Use the same capture_name on multiple capture statements to capture multiple types of traffic.
The type asp-drop keyword captures packets dropped by the accelerated security path. In a cluster, dropped forwarded data packets from one unit to another are also captured. In multiple context mode, when this option is issued in the system, all context dropped data packets are captured.
The buffer keyword defines the buffer size used to store the packet. When the byte buffer is full, packet capture stops. When used in a cluster, this is the per-unit size, not the sum of all units.
The circular-buffer keyword overwrites the buffer, starting from the beginning, when the buffer is full.
The interface keyword sets the name of the interface on which to use packet capture. You must configure an interface for any packets to be captured.
To capture packets on the dataplane, use the asa_dataplane keyword. To filter packets captured on the ASA CX backplane, use the asa_dataplane option and follow these guidelines. In single mode, the backplane control packets bypass the access list and are captured. In multiple context mode, only control packets are captured in the system context. Data packets are captured in the user context. The access-list and match options are only available in the user context.
To capture the traffic on the cluster control link, use the cluster keyword. If you configure type lacp, specify the physical interface ID instead of the nameif name.
The match keyword captures packets that match the specified protocol, source and destination IP addresses, and optional ports. You can use this keyword up to three times in one command. The operator can be as follows:
- lt—less than
- gt—greater than
- eq—equal to
The type raw-data keywords capture inbound and outbound packets. This setting is the default.
The real-time keyword displays the captured packets continuously in real time. To terminate real-time packet capture, enter Ctrl + c. To permanently remove the capture, use the no form of this command. This option applies only to raw-data and asp-drop captures. This option is not supported when you use the cluster exec capture command.
The reinject-hide keyword specifies that no reinjected packets will be captured and applies only in a clustering environment.
Note: If ACL optimization is configured, you cannot use the access-list command in capture. You can only use the access-group command. An error appears if you try to use the access-list command in this case.
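The following session is an added example, not taken from the original documentation. It shows one capture name reused across several statements to isolate a single HTTPS flow on two interfaces, next to a separate accelerated security path drop capture. The capture names, the interface names inside and outside, the addresses, the buffer size, and the asp-drop drop-code all are assumptions; allowed option combinations differ by release, so confirm them with help capture.

```text
! Constructed example: names, interfaces and addresses are placeholders.

! Capture one TCP flow on the inside interface (match ... eq selects port 443).
capture CAP_WEB interface inside match tcp host 192.0.2.10 host 198.51.100.20 eq 443

! Reuse the same capture name to add the outside interface to the same capture.
capture CAP_WEB interface outside

! Set a 1 MB buffer and overwrite from the beginning when it fills,
! instead of stopping the capture.
capture CAP_WEB buffer 1048576
capture CAP_WEB circular-buffer

! Separately record packets dropped by the accelerated security path.
capture CAP_DROP type asp-drop all

! Review the results, then remove both captures with the no form.
show capture CAP_WEB
show capture CAP_DROP
no capture CAP_WEB
no capture CAP_DROP
```

Comparing the two captures shows whether the flow left the outside interface or was dropped by the ASA itself.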