Packet Capture
The Packet Capture tool is a valuable asset for use in debugging connectivity and configuration issues and for understanding traffic flows through your Firepower 4100/9300 chassis. You can use the Packet Capture tool to log traffic that is going through specific interfaces on your Firepower 4100/9300 chassis.
You can create multiple packet capture sessions, and each session can capture traffic on multiple interfaces. For each interface included in a packet capture session, a separate packet capture (PCAP) file will be created.
Backplane Port Mappings
The Firepower 4100/9300 chassis uses the following mappings for internal backplane ports:
Security Module | Port Mapping | Description |
---|---|---|
Security Module 1/Security Engine | Ethernet1/9 | Internal-Data0/0 |
Security Module 1/Security Engine | Ethernet1/10 | Internal-Data0/1 |
Security Module 2 | Ethernet1/11 | Internal-Data0/0 |
Security Module 2 | Ethernet1/12 | Internal-Data0/1 |
Security Module 3 | Ethernet1/13 | Internal-Data0/0 |
Security Module 3 | Ethernet1/14 | Internal-Data0/1 |
Guidelines and Limitations for Packet Capture
The Packet Capture tool has the following limitations:
- Can capture only up to 100 Mbps.
- Packet capture sessions can be created even when there is not enough storage space available to run the packet capture session. You should verify that you have enough storage space available before you start a packet capture session.
- For packet capture sessions on a single-wide 4x100Gbps or 2x100Gbps network module (part numbers FPR-NM-4X100G and FPR-NM-2X100G respectively), if the module adminstate is set to off, the capture session is automatically disabled with an “Oper State Reason: Unknown Error.” You will have to restart the capture session after the module adminstate is set to on again. With all other network modules, packet capture sessions continue across module adminstate changes.
- Does not support multiple active packet capturing sessions.
- Captures only at the ingress stage of the internal switch.
- Filters are not effective on packets that cannot be understood by the internal switch (for example Security Group Tag and Network Service Header packets).
- You cannot capture packets for an EtherChannel as a whole. However, for an EtherChannel allocated to a logical device, you can capture packets on each member interface of the EtherChannel.
- You cannot copy or export a PCAP file while the capture session is still active.
- When you delete a packet capture session, all packet capture files associated with that session are also deleted.
Creating or Editing a Packet Capture Session
Procedure
Step 1: Enter packet capture mode:
    Firepower-chassis # scope packet-capture
Step 2: Create a filter; see Configuring Filters for Packet Capture. You can apply filters to any of the interfaces included in a packet capture session.
Step 3: To create or edit a packet capture session:
    Firepower-chassis /packet-capture # enter session session_name
Step 4: Specify the buffer size to use for this packet capture session:
    Firepower-chassis /packet-capture/session* # set session-memory-usage session_size_in_megabytes
  The specified buffer size must be between 1 and 2048 MB.
Step 5: Specify the length of the packet that you want to capture for this packet capture session:
    Firepower-chassis /packet-capture/session* # set session-pcap-snaplength session_snap_length_in_bytes
  The specified snap length must be between 64 and 9006 bytes. If you do not configure the session snap length, the default capture length is 1518 bytes.
Step 6: Specify the physical source ports that should be included in this packet capture session. You can capture from multiple ports and can capture from both physical ports and application ports during the same packet capture session. A separate packet capture file is created for each port included in the session. You cannot capture packets for an EtherChannel as a whole. However, for an EtherChannel allocated to a logical device, you can capture packets on each member interface of the EtherChannel.
Step 7: Specify the application source ports that should be included in this packet capture session. You can capture from multiple ports and can capture from both physical ports and application ports during the same packet capture session. A separate packet capture file is created for each port included in the session.
Step 8: If you want to start the packet capture session now:
    Firepower-chassis /packet-capture/session* # enable
  Newly created packet-capture sessions are disabled by default. Explicit enabling of a session activates the packet capture session when the changes are committed. If another session is already active, enabling a session will generate an error. You must disable the already active packet-capture session before you can enable this session.
Step 9: Commit the transaction to the system configuration:
    Firepower-chassis /packet-capture/session* # commit-buffer
  If you enabled the packet capture session, the system will begin capturing packets. You will need to stop capturing before you can download the PCAP files from your session.
Example
Firepower-chassis# scope packet-capture
Firepower-chassis packet-capture # create session asa1inside
Firepower-chassis packet-capture/session # set session-memory-usage 256
Firepower-chassis packet-capture/session* # create phy-port Ethernet3/1
Firepower-chassis packet-capture/session* # create phy-aggr-port Ethernet2/1/1
Firepower-chassis packet-capture/session* # create app-port 1 link1 Ethernet1/1 asa
Firepower-chassis packet-capture/session* # exit
Firepower-chassis packet-capture* # create filter interface1vlan100
Firepower-chassis packet-capture/filter* # set ivlan 100
Firepower-chassis packet-capture/filter* # set srcip 6.6.6.6
Firepower-chassis packet-capture/filter* # set srcport 80
Firepower-chassis packet-capture/filter* # set destip 10.10.10.10
Firepower-chassis packet-capture/filter* # set destport 5050
Firepower-chassis packet-capture/filter* # exit
Firepower-chassis packet-capture/session* # scope phy-port Ethernet3/1
Firepower-chassis packet-capture/session/phy-port* # set src-filter interface1vlan100
Firepower-chassis packet-capture/session/phy-port* # exit
Firepower-chassis packet-capture/session* # scope app-port 1 link1 Ethernet1/1 asa
Firepower-chassis packet-capture/session/app-port* # set src-filter interface1vlan100
Firepower-chassis packet-capture/session/app-port* # exit
Firepower-chassis packet-capture/session* # enable
Firepower-chassis packet-capture/session* # commit-buffer
Firepower-chassis packet-capture/session #
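The limits stated in the procedure above (buffer size, snap length, one active session, no capture on an EtherChannel as a whole) can be checked before anything is typed on the chassis. The following is an added example, not Cisco code: the function name `build_session` is hypothetical, the Port-channel naming check is an assumption, and it only emits commands that appear on this page. It assumes the named filter already exists (Step 2).

```python
# Added example, not Cisco code: pre-flight checks for a capture session.
import re

BUFFER_MB = (1, 2048)        # allowed session-memory-usage, from the procedure
SNAPLEN_BYTES = (64, 9006)   # allowed session-pcap-snaplength, from the procedure
PHY_PORT = re.compile(r"^Ethernet\d+/\d+$")  # e.g. Ethernet3/1, Ethernet1/9


def build_session(name, buffer_mb, phy_ports, snaplen=None,
                  src_filter=None, active_session=None):
    """Return (errors, commands); commands is empty when any check fails."""
    errors = []
    if not BUFFER_MB[0] <= buffer_mb <= BUFFER_MB[1]:
        errors.append(f"buffer {buffer_mb} MB is outside 1-2048 MB")
    if snaplen is not None and not SNAPLEN_BYTES[0] <= snaplen <= SNAPLEN_BYTES[1]:
        errors.append(f"snap length {snaplen} is outside 64-9006 bytes")
    if active_session and active_session != name:
        errors.append(f"session {active_session} is active; disable it first")
    for port in phy_ports:
        # Assumption: EtherChannels are named Port-channelN on the chassis.
        if port.lower().startswith("port-channel"):
            errors.append(f"{port}: capture each member interface instead")
        elif not PHY_PORT.match(port):
            errors.append(f"{port}: expected a name like Ethernet3/1")
    if errors:
        return errors, []

    cmds = ["scope packet-capture", f"enter session {name}",
            f"set session-memory-usage {buffer_mb}"]
    if snaplen is not None:   # omitted -> default capture length of 1518 bytes
        cmds.append(f"set session-pcap-snaplength {snaplen}")
    for port in phy_ports:
        cmds.append(f"create phy-port {port}")
    for port in phy_ports if src_filter else []:
        cmds += [f"scope phy-port {port}", f"set src-filter {src_filter}", "exit"]
    cmds += ["enable", "commit-buffer"]
    return errors, cmds


if __name__ == "__main__":
    errs, cmds = build_session("asa1inside", 256, ["Ethernet3/1"],
                               src_filter="interface1vlan100")
    print("\n".join(errs or cmds))
```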
Configuring Filters for Packet Capture
You can create filters to limit the traffic that is included in a packet capture session. You can select which interfaces should use a specific filter while creating a packet capture session.
Note: If you modify or delete a filter that is applied to a packet capture session that is currently running, the changes will not take effect until you disable that session and then reenable it.
Procedure
Step 1: Enter packet capture mode:
    Firepower-chassis # scope packet-capture
Step 2: To create a new packet capture filter:
    Firepower-chassis /packet-capture # create filter filter_name
  To edit an existing packet capture filter:
    Firepower-chassis /packet-capture # enter filter filter_name
  To delete an existing packet capture filter:
    Firepower-chassis /packet-capture # delete filter filter_name
Step 3: Specify the filter details by setting one or more filter properties:
    Firepower-chassis /packet-capture/filter* # set filterprop filterprop_value
Example
Firepower-chassis# scope packet-capture
Firepower-chassis packet-capture # create filter interface1vlan100
Firepower-chassis packet-capture/filter* # set ivlan 100
Firepower-chassis packet-capture/filter* # set srcip 6.6.6.6
Firepower-chassis packet-capture/filter* # set srcport 80
Firepower-chassis packet-capture/filter* # set destip 10.10.10.10
Firepower-chassis packet-capture/filter* # set destport 5050
Firepower-chassis packet-capture/filter* # commit-buffer
Starting and Stopping a Packet Capture Session
Procedure
Step 1: Enter packet capture mode:
    Firepower-chassis # scope packet-capture
Step 2: Enter the scope for the packet capture session that you want to start or stop:
    Firepower-chassis /packet-capture # enter session session_name
Step 3: To start a packet capture session:
    Firepower-chassis /packet-capture/session* # enable [append | overwrite]
  While the packet capture session is running, the file size for the individual PCAP files will increase as traffic is captured. Once the Buffer Size limit is reached, the system will start dropping packets and you will see the Drop Count field increase.
Step 4: To stop a packet capture session:
    Firepower-chassis /packet-capture/session* # disable
Step 5: Commit the transaction to the system configuration:
    Firepower-chassis /packet-capture/session* # commit-buffer
  If you enabled the packet capture session, the PCAP files for the interfaces included in the session will start collecting traffic. If the session is configured to overwrite session data, the existing PCAP data will be erased. If not, data will be appended to the existing file (if any).
Example
Firepower-chassis# scope packet-capture
Firepower-chassis packet-capture # scope session asa1inside
Firepower-chassis packet-capture/session # enable append
Firepower-chassis packet-capture/session* # commit-buffer
Firepower-chassis packet-capture/session #
Downloading a Packet Capture File
You can download the Packet Capture (PCAP) files from a session to your local computer so that they can be analyzed using a network packet analyzer.
PCAP files are stored in the workspace://packet-capture directory and use the following naming convention:
workspace://packet-capture/session-<id>/<session-name>-<interface-name>.pcap
Procedure
To copy a PCAP file from the Firepower 4100/9300 chassis:
Example
Firepower-chassis# connect localmgmt
# copy workspace:/packet-capture/session-1/test-ethernet-1-1-0.pcap scp://user@10.10.10.1:/workspace/
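Once a file is downloaded, it is worth confirming whether the session snap length cut packets short before relying on payload analysis. The following is an added example, not Cisco code: it assumes the chassis writes a classic libpcap file (not pcapng), the function name `pcap_truncation` is hypothetical, and the sample bytes are constructed.

```python
# Added example, not Cisco code. Assumes a classic libpcap file (not pcapng).
import struct

# File magic -> struct byte order for the headers that follow.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond


def pcap_truncation(data):
    """Return (snaplen, packets, truncated) for the bytes of a pcap file."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    # Global header: magic, version, thiszone, sigfigs, snaplen, linktype.
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    packets = truncated = 0
    offset = 24
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            break                      # incomplete final record
        packets += 1
        truncated += incl_len < orig_len   # captured fewer bytes than on the wire
        offset += 16 + incl_len
    return snaplen, packets, truncated


def _record(incl_len, orig_len):
    """Build one constructed packet record with a zero-filled payload."""
    return struct.pack("<IIII", 0, 0, incl_len, orig_len) + bytes(incl_len)


# Constructed sample: snap length 64, one 60-byte frame kept whole,
# one 1500-byte frame cut to 64 bytes.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
          + _record(60, 60) + _record(64, 1500))

if __name__ == "__main__":
    print(pcap_truncation(SAMPLE))
```

A non-zero truncated count means the session should be rerun with a larger session-pcap-snaplength if full payloads are needed.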
Deleting Packet Capture Sessions
You can delete an individual packet capture session if it is not currently running or you can delete all inactive packet capture sessions.
Procedure
Step 1: Enter packet capture mode:
    Firepower-chassis # scope packet-capture
Step 2: To delete a specific packet capture session:
    Firepower-chassis /packet-capture # delete session session_name
Step 3: To delete all inactive packet capture sessions:
    Firepower-chassis /packet-capture # delete-all-sessions
Step 4: Commit the transaction to the system configuration:
    Firepower-chassis /packet-capture* # commit-buffer
Example
Firepower-chassis# scope packet-capture
Firepower-chassis packet-capture # delete session asa1inside
Firepower-chassis packet-capture* # commit-buffer
Firepower-chassis packet-capture #