Packet capture on Firewalls (ASA/PIX/FWSM)


Version 7

 

Introduction

 

This how-to describes the use of the "capture" feature in Cisco's security products (ASA/PIX, FWSM, IOS). Many troubleshooting scenarios require looking at the packets as they cross the firewall, for example when a host-to-server conversation does not flow as expected or packets are being lost. The "capture" command shows what enters and leaves the firewall on a given interface, so you can tell whether the firewall received a packet, forwarded it, or dropped it.

 

Where the packet is captured

When you take a capture it helps to know where in the packet-processing path the capture point sits. Several processing stages run before a packet reaches the capture point, and a packet dropped at one of those stages never appears in the capture:

  1. Virtual firewall classification: in multiple-context mode interfaces can be shared, so the ASA must first determine which context, and which logical interface, a packet arriving on a shared physical interface belongs to. Without this classification the packet cannot be forwarded.
  2. Layer 2/3 validation: the capture needs decoded packets with valid L2/L3 header information. A malformed frame is dropped here and cannot be seen in the capture.
  3. IP packet security checks: basic sanity checks against TCP, UDP and ICMP attacks.
  4. Fragment handling: the ASA reassembles fragmented packets at this stage.
  5. MAC ACL: applied if Layer 2 ACLs are configured.
  6. The ASA takes the capture.

Packets dropped by the firewall itself can be captured separately with the asp-drop capture type described under "Capture dropped packets" below.

Preparing

If you apply a capture to an interface without any filter, you will most likely collect far more than the traffic you are interested in, and the buffer fills with noise. The best approach is to select the interesting traffic with an ACL. There is no restriction on how specific the ACL is: you can match host to host, or just restrict by protocol or port.

For this example we use 10.10.10.1 as the client IP and 192.168.0.1 as the server, and we want to monitor HTTP traffic on port 80.

To define the interesting traffic, use this ACL:

ASA(config)# access-list cap-acl permit tcp host 10.10.10.1 host 192.168.0.1 eq 80
ASA(config)# access-list cap-acl permit tcp host 192.168.0.1 eq 80 host 10.10.10.1

As you can see we created two ACL entries, because we need to capture both directions: the capture ACL is matched against each packet as it crosses the interface, so a single entry would only show one half of the conversation. How precise you make the ACL is your decision, but be careful with what you define: the traffic may differ from what you expect (a different port, a NAT-translated address), in which case an over-specific ACL captures nothing at all.

 

Capture

The full reference for the "capture" command is listed under References at the end. The command has many options; the minimum you need is a name, the interface, and the ACL that selects the traffic:

ASA# capture inside_capture interface inside access-list cap-acl

The pattern is:

ASA# capture <name> interface <interface name> access-list <access-list name>

Note that "capture" is entered in privileged EXEC mode, not configuration mode, it is not part of the saved configuration, and it starts collecting as soon as it is defined.

 

 

Buffer

The capture buffer has a fixed size (the ASA default is 512 KB); once it is full the capture stops collecting. You can increase it with the "buffer" parameter (in bytes), and you can add "circular-buffer" so the capture keeps running and overwrites the oldest packets instead of stopping:

capture capout access-list cap interface outside buffer 1000000 circular-buffer

The buffer is allocated from the firewall's memory, so on a busy or memory-constrained box do not make it larger than you need, and remove captures when you are done.

 

NAT

Many deployments have NAT rules on the firewall that rewrite the packets' IP addresses. You have to take into account which addresses are visible on which interface, because the capture ACL matches the packet as it appears on that interface. You therefore cannot use the same capture ACL on the Inside and Outside interfaces when the traffic is translated: on the Outside interface the addresses have already been changed.

For example, host 1.1.1.1 on the Inside is seen on the Outside as 2.2.2.2, and the destination is 8.8.8.8. In this case you need two captures with two different ACLs, one for the Inside and one for the Outside:

Our NAT rule (pre-8.3 static NAT syntax):

static (inside,outside) 2.2.2.2 1.1.1.1

ASA(config)# access-list cap-inside permit ip host 1.1.1.1 host 8.8.8.8
ASA(config)# access-list cap-inside permit ip host 8.8.8.8 host 1.1.1.1
ASA(config)# access-list cap-outside permit ip host 2.2.2.2 host 8.8.8.8
ASA(config)# access-list cap-outside permit ip host 8.8.8.8 host 2.2.2.2

Use "show xlate" (or "show nat") to confirm which translated address a host actually gets before building the Outside ACL. With PAT the source port is rewritten as well, so a port-specific Outside ACL must use the translated port.

 

Collect the captures

If you need the captures for later in-depth analysis, you can pull the results off the firewall and open them in Wireshark or another packet analyser. The most common format is PCAP (packet capture), a standard format that any third-party analyser can read. A PCAP file holds the captured packets in full (up to the configured packet-length), which is what deep troubleshooting needs.

There are two ways to download a capture. In the examples below the firewall management address is 10.0.0.254 and the capture is named "inside_capture".

 

1. Via HTTPS

One way is to open a browser and follow this pattern: https://<ip address of firewall>/capture/<context>/<capture_name>/pcap (omit the <context> element in single-context mode):

https://10.0.0.254/capture/inside_capture/pcap

Note that this uses HTTPS, not plain HTTP. It relies on the firewall's HTTP server being enabled ("http server enable") and on your source address being permitted to reach it ("http <address> <mask> <interface>"); without the trailing "/pcap" the same URL returns the capture as text, like "show capture". The download contains whatever was captured, including cleartext payloads, so treat the file as sensitive and keep management access restricted to administrators.

 

2. Via the "copy" command

You can also copy the capture to a TFTP server with the "copy" command (in multiple-context mode, from the system execution space, naming the context). The pattern is:

copy /pcap capture:[CONTEXT/]NAME tftp:

FWSM# copy /pcap capture:inside_capture tftp:
Source capture name [inside_capture]?
Address or name of remote host []? 10.0.0.254
Destination filename [inside_capture]?
!!!!!!!!!!!!!!!!!!

The remote host prompted for is the TFTP server. TFTP is unauthenticated and unencrypted, so use it only on a trusted management network.

If the capture is configured with a circular buffer and you want a copy of it at a particular point in time without disabling the capture, write it to local flash instead:

FWSM# copy /pcap capture:inside_capture disk0:inside_capture.pcap

View captures

If you do not need to analyse the capture in an external tool, you can view it on the CLI with "show capture <name>". For example, the following is the TCP three-way handshake of the client in our example browsing to the server:

ASA# show capture inside_capture

3 packets captured
   1: 18:23:39.364650 802.1Q vlan#100 P0 10.10.10.1.1435 > 192.168.0.1.80: S 1914936295:1914936295(0) win 65535 <mss 1460,nop,nop,sackOK>
   2: 18:23:39.428231 802.1Q vlan#100 P0 192.168.0.1.80 > 10.10.10.1.1435: S 4004665739:4004665739(0) ack 1914936296 win 8192 <mss 1380>
   3: 18:23:39.428353 802.1Q vlan#100 P0 10.10.10.1.1435 > 192.168.0.1.80: . ack 4004665740 win 65535

Each line shows the packet number, the timestamp, the VLAN tag when present, source and destination as "address.port", the TCP flags (S = SYN, "." = no flag other than ACK), the sequence numbers, the acknowledgement number, the window and the options. A SYN with no SYN/ACK following it means the reply never reached this interface.

For more detail use the "detail" or "dump" option of the command: "show capture <name> detail" adds IP header fields such as TTL and ID, and "dump" prints the packet bytes in hex.
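To make the handshake check above mechanical, here is an added example in Python (not part of the original document and not Cisco code). It parses the text that "show capture <name>" prints, groups packets into TCP connections and reports, per connection, whether the three-way handshake completed on that interface, was answered but never acknowledged, was reset, or consisted only of unanswered SYNs. The SAMPLE embedded in the script is constructed in the same line format as the output above (timestamp, optional "802.1Q vlan#N Pn", "addr.port > addr.port: flags", optional "seq:seq(len)" and "ack N"); that format is all the parser relies on.

```python
"""Parse 'show capture <name>' text output and judge each TCP handshake.

Added example; SAMPLE is constructed to mimic the ASA output format shown
on this page (one packet per line, optional 802.1Q tag, then
'src.port > dst.port: flags [seq:seq(len)] [ack N] win ...').
"""
import re

LINE_RE = re.compile(
    r"^\s*(?P<n>\d+): (?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+ )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)"
    r"(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)

# Constructed sample: one completed handshake to port 80, and an initial SYN
# plus one retransmit to port 443 that were never answered on this interface.
SAMPLE = """\
5 packets captured
   1: 18:23:39.364650 802.1Q vlan#100 P0 10.10.10.1.1435 > 192.168.0.1.80: S 1914936295:1914936295(0) win 65535 <mss 1460,nop,nop,sackOK>
   2: 18:23:39.428231 802.1Q vlan#100 P0 192.168.0.1.80 > 10.10.10.1.1435: S 4004665739:4004665739(0) ack 1914936296 win 8192 <mss 1380>
   3: 18:23:39.428353 802.1Q vlan#100 P0 10.10.10.1.1435 > 192.168.0.1.80: . ack 4004665740 win 65535
   4: 18:23:40.001234 802.1Q vlan#100 P0 10.10.10.1.1436 > 192.168.0.1.443: S 11111:11111(0) win 65535 <mss 1460>
   5: 18:23:43.002345 802.1Q vlan#100 P0 10.10.10.1.1436 > 192.168.0.1.443: S 11111:11111(0) win 65535 <mss 1460>
5 packets shown
"""


def parse_show_capture(text):
    """Return one dict per packet line; summary lines such as 'N packets captured' are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "n": int(d["n"]), "time": d["time"],
            "vlan": int(d["vlan"]) if d["vlan"] else None,
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "ack": int(d["ack"]) if d["ack"] else None,
        })
    return packets


def classify_flows(packets):
    """Group packets into connections and describe the handshake seen on this interface.

    Result is keyed by (client, client port, server, server port); the client is
    whoever sent the first bare SYN, or the first packet's source if no SYN was seen.
    """
    conns = {}
    for p in packets:
        key = frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
        conns.setdefault(key, []).append(p)
    report = {}
    for pkts in conns.values():
        syns = [p for p in pkts if "S" in p["flags"] and p["ack"] is None]
        synacks = [p for p in pkts if "S" in p["flags"] and p["ack"] is not None]
        acks = [p for p in pkts if "S" not in p["flags"] and "R" not in p["flags"]
                and p["ack"] is not None]
        rsts = [p for p in pkts if "R" in p["flags"]]
        first = syns[0] if syns else pkts[0]
        if rsts:
            verdict = "reset"
        elif syns and synacks and acks:
            verdict = "established"
        elif syns and synacks:
            verdict = "syn/ack seen, final ack missing"
        elif syns:
            # Only client SYNs: nothing came back through this interface.
            verdict = "syn only, no reply on this interface (%d retransmit(s))" % (len(syns) - 1)
        else:
            verdict = "mid-stream, no handshake captured"
        key = (first["src"], first["sport"], first["dst"], first["dport"])
        report[key] = {"verdict": verdict, "packets": len(pkts)}
    return report


if __name__ == "__main__":
    for (client, cport, server, sport), r in sorted(classify_flows(parse_show_capture(SAMPLE)).items()):
        print("%s:%d -> %s:%d  %-55s %d packet(s)" % (client, cport, server, sport, r["verdict"], r["packets"]))
```

Run it separately against the Inside and the Outside capture. A connection that shows SYNs on the Inside but does not appear on the Outside at all points to a drop on the firewall or to an ACL/NAT mismatch in the Outside capture filter; one that is "syn only" on both interfaces points to the server or the return path.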

 

Remove captures

Use the "no" form of the command to remove a capture and free its buffer:

ASA# no capture [NAME OF THE CAPTURE]

To keep the capture definition but discard what it has collected so far (for example before reproducing a problem a second time), use "clear capture <name>" instead.

 

Capture full size packets

Depending on the platform and software version, the default snapshot length of a capture may truncate packets, so you will not see the full packets in the capture file. To be safe, set the "packet-length" parameter explicitly (in bytes; 1500 covers a standard Ethernet MTU, use a larger value if jumbo frames are in use):

ASA# capture inside_capture interface inside access-list cap-acl packet-length 1500

In Wireshark a truncated packet is one whose captured length is smaller than its length on the wire (flagged as "Packet size limited during capture"); if you see that, the capture was taken with too small a packet-length and the payload is incomplete.
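The following is an added example (not Cisco's code and not from the original page) that ties the two previous points together: it reads the classic PCAP format that the "/pcap" download and the "copy /pcap" command produce, strips an 802.1Q tag when present (ASA/FWSM captures are often VLAN-tagged, as the "show capture" output shows), decodes the IPv4 and TCP headers, and flags every packet whose captured length is smaller than its original length, which is exactly what a too-small packet-length causes. The two sample captures are constructed inside the script (one written with a snapshot length that fits every frame, one that cuts the HTTP request short), so it runs offline; the addresses reuse the example in the text and the constructed frames carry zero checksums.

```python
"""Minimal reader for classic pcap files as produced by an ASA/FWSM capture download.

Added example. Decodes Ethernet / optional 802.1Q / IPv4 / TCP and reports
packets truncated by the capture snapshot length (incl_len < orig_len).
"""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # value seen with '<I' when the file is little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # value seen with '<I' when the file is big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def decode_frame(frame):
    """Decode headers layer by layer, stopping at whatever layer was cut off."""
    info = {"vlan": None, "src": None, "dst": None, "proto": None,
            "sport": None, "dport": None, "flags": None}
    if len(frame) < 14:
        return info
    ethertype, = struct.unpack_from("!H", frame, 12)
    off = 14
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info["vlan"] = tci & 0x0FFF
        off = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return info
    ihl = (frame[off] & 0x0F) * 4
    info["proto"] = frame[off + 9]
    info["src"] = socket.inet_ntoa(frame[off + 12:off + 16])
    info["dst"] = socket.inet_ntoa(frame[off + 16:off + 20])
    off += ihl
    if info["proto"] == IPPROTO_TCP and len(frame) >= off + 14:
        sport, dport, _seq, _ack, _doff, flags = struct.unpack_from("!HHIIBB", frame, off)
        info.update(sport=sport, dport=dport, flags=flags)
    return info


def parse_pcap(data):
    """Return one dict per packet record: timestamp, lengths, truncation flag, decoded headers."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        pkt = {"ts": ts_sec + ts_usec / 1e6, "incl_len": incl_len, "orig_len": orig_len,
               "truncated": incl_len < orig_len}
        pkt.update(decode_frame(frame))
        packets.append(pkt)
    return packets


def summarize(packets):
    """Count packets per TCP direction and how many were truncated."""
    flows, truncated = {}, 0
    for p in packets:
        truncated += p["truncated"]
        if p["proto"] == IPPROTO_TCP and p["sport"] is not None:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            flows[key] = flows.get(key, 0) + 1
    return {"packets": len(packets), "truncated": truncated, "flows": flows}


def build_frame(src, dst, sport, dport, flags, payload=b"", vlan=100):
    """Constructed test data: an 802.1Q-tagged IPv4/TCP frame with zero checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4) + ip + tcp


def build_pcap(frames, snaplen):
    """Write a little-endian classic pcap, cutting each frame at snaplen like a short packet-length does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1, i * 1000, len(captured), len(frame)) + captured
    return out


FRAMES = [
    build_frame("10.10.10.1", "192.168.0.1", 1435, 80, 0x02),   # SYN
    build_frame("192.168.0.1", "10.10.10.1", 80, 1435, 0x12),   # SYN/ACK
    build_frame("10.10.10.1", "192.168.0.1", 1435, 80, 0x10),   # ACK
    build_frame("10.10.10.1", "192.168.0.1", 1435, 80, 0x18,    # PSH/ACK, 616-byte request
                b"GET / HTTP/1.0\r\n" + b"X" * 600),
]
CAP_FULL = build_pcap(FRAMES, 1518)   # snapshot length fits every frame
CAP_SHORT = build_pcap(FRAMES, 64)    # too small: the request frame is cut

if __name__ == "__main__":
    for name, cap in (("full", CAP_FULL), ("short", CAP_SHORT)):
        s = summarize(parse_pcap(cap))
        print("%s: %d packets, %d truncated" % (name, s["packets"], s["truncated"]))
        for (src, sport, dst, dport), n in sorted(s["flows"].items()):
            print("  %s:%d -> %s:%d  %d packet(s)" % (src, sport, dst, dport, n))
```

To check a real download, replace CAP_FULL with the bytes of the file (open(path, "rb").read()); a non-zero "truncated" count means the capture must be retaken with a larger packet-length. Only the classic pcap container is handled, not pcapng.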

 

Capture dropped packets

PIX/ASA 7.x and later also let you set up a capture for only dropped packets, with the "type asp-drop <drop-code>" option. For example:

capture dropped type asp-drop all

This gives you a capture that includes all packets dropped by the firewall, regardless of interface; "show capture dropped" then lists each packet together with its drop reason. To capture only one kind of drop, replace "all" with a specific drop reason. "show asp drop" lists the drop reasons the firewall has seen with their counters, and is the quickest way to find out which reason is incrementing while you reproduce the problem. The command reference is listed under References.

 

SPAN capture

Captures taken on an FWSM are not always trustworthy: because of bugs in some FWSM software versions a capture may contain only egress packets, so it misses information that is needed for the analysis. As an alternative on an FWSM, a SPAN monitor session on the FWSM's VLANs can be used instead. In more detail:

1. Configure a SPAN monitor session whose source is the ingress and egress VLANs of the FWSM.

Switch(config)# monitor session 2 source vlan 600 , 601 both

This replicates these two VLANs (VLAN 600 and 601 are the outside and inside firewall interfaces in this example) to a destination interface, as set up in the next step.

2. Send this traffic to an external capture device (connected to switch port FastEthernet 3/1 in this example) running capture software such as Ethereal/Wireshark.

Switch(config)# monitor session 2 destination interface FastEthernet3/1

3. The captures can then be saved and analysed with the capture software.

Note that a SPAN session copies every packet on those VLANs, not only the flows of interest, so filter on the capture host (a Wireshark capture filter on the client and server addresses) and bear in mind that the capture host now sees all traffic on both VLANs.

 

Example

[Figure asa_diagram.jpg: network diagram for this example]

In this example we want to check whether HTTP traffic is passing through the firewall or not. The client 192.0.2.100 is behind the Inside interface and is translated to 198.18.0.1 on the Outside; the web server is 198.18.0.2.

  1. Let's set up the ACLs first.

     For the inside interface (real address of the client):

          access-list cap-inside permit tcp host 192.0.2.100 host 198.18.0.2 eq 80
          access-list cap-inside permit tcp host 198.18.0.2 eq 80 host 192.0.2.100

     For the outside interface (translated address of the client):

          access-list cap-outside permit tcp host 198.18.0.1 host 198.18.0.2 eq 80
          access-list cap-outside permit tcp host 198.18.0.2 eq 80 host 198.18.0.1

  2. Start capturing on the interfaces; we need full packets and an increased buffer:

     capture capin access-list cap-inside interface Inside packet-length 1500 buffer 8000000
     capture capout access-list cap-outside interface Outside packet-length 1500 buffer 8000000

  3. To check the status of the captures, type "show capture":

ASA# show capture
capture capin type raw-data buffer 8000000 [Capturing - 7653 bytes]
capture capout type raw-data buffer 8000000 [Capturing - 7653 bytes]

     In this example, as you can see, we receive traffic on the Inside interface and forward it on the Outside interface. If you see 0 bytes captured on the Outside interface, it means that either you made a mistake defining the interesting traffic in the ACL (for example you used the real address instead of the translated one) or the ASA drops the packets; an asp-drop capture or "show asp drop" tells you which.

  4. To view the capture in text format on the ASA itself, type "show capture capin":

ASA# show capture capin

24 packets captured

   1: 00:53:02.060223 802.1Q vlan#39 P0 192.0.2.100.10522 > 198.18.0.2.80: S 2749700501:2749700501(0) win 5560 <mss 1380,sackOK,timestamp 27240468 0,nop,wscale 7>
   2: 00:53:02.101587 802.1Q vlan#39 P0 198.18.0.2.80 > 192.0.2.100.10522: S 2333916621:2333916621(0) ack 2749700502 win 5792 <mss 1380,sackOK,timestamp 924355820 27240468,nop,wscale 7>
   3: 00:53:02.102320 802.1Q vlan#39 P0 192.0.2.100.10522 > 198.18.0.2.80: . ack 2333916622 win 44 <nop,nop,timestamp 27240472 924355820>

  5. Download the captures with the CLI "copy" command. Here a TFTP server is running on the client host (192.0.2.100), reachable through the Inside interface:

ASA# copy /pcap capture:capin tftp:
Source capture name [capin]?
Address or name of remote host []? 192.0.2.100
Destination filename [capin]? capin.pcap

     Repeat the same for capout. Opening both files side by side in Wireshark lets you match each packet on the Inside with its translated counterpart on the Outside by timestamp and source port (the port is unchanged by the static translation used here).

References

Cisco ASA 8.0 command reference, "capture":
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp210889

How to Automate Getting Packet Captures off of an ASA:
https://supportforums.cisco.com/docs/DOC-5817
