If you maintain a Cisco FWSM (FireWall Service Module) and keep an eye on your logs for security issues, you will more than likely want to quickly configure a packet capture to gain a better understanding of questionable traffic you have identified on the network.
To configure a basic packet capture for a FWSM context, you must first create Access Control Lists (ACLs) to identify the traffic that you want to capture. Once the ACLs have been created, you’ll need to create the packet captures themselves – one for each interface you want to capture traffic on.
1. Create ACLs to Specify Traffic to be Captured
Before configuring and enabling the captures themselves, you first need to identify the traffic you want to capture using an ACL. A simple ACL to capture all traffic (IP, TCP and UDP traffic on all ports) would look like:
access-list capture_all extended permit ip any any
Of course, capturing all traffic passing through a FWSM context could produce a very large capture file very quickly. To limit the size of your capture file, consider creating specific ACLs for the traffic of interest. For example, you could use the following ACL to record the outbound traffic of an internal host (192.168.1.10) that is attempting to propagate malicious code over TCP port 135 to all available external hosts:
access-list capture_tcp135 permit tcp host 192.168.1.10 any eq 135
For more information on creating Cisco ACLs, please visit http://bit.ly/1aCgkx (at Cisco.com).
2. Create Capture to Record Traffic on the Context Interface(s)
Once the appropriate ACLs have been created to identify what traffic you want to capture, you’ll need to create the captures themselves, which specify the interfaces on which you want to record the packets.
More than likely, you’ll want to capture traffic on both the internal and external interfaces when examining network traffic. Additional interfaces might exist as well that should be considered for review.
For example, the following command will create a capture named ‘capin’ to record all traffic that passes through the internal interface that matches the traffic defined in the ACL ‘capture_tcp135’.
capture capin interface inside access-list capture_tcp135
The second capture, named ‘capout’, will capture all traffic that passes through the external interface that matches the pattern specified in the ACL ‘capture_all’.
capture capout interface outside access-list capture_all
Script to Capture All Traffic on Internal & External Interfaces
The following script creates an ACL named ‘capture_all’ to identify all IP traffic for recording. Then, a capture for all internal traffic is created named ‘capin’ along with a capture for all external traffic named ‘capout’. The last statement displays the status of each existing capture within the FWSM context.
config t
access-list capture_all permit ip any any
capture capin interface inside access-list capture_all
capture capout interface outside access-list capture_all
exit
sh capture
Reviewing Packet Captures
Once the captures are created, you can verify their existence using the ‘show capture’ command, which lists all captures currently active within the FWSM context:
router/CONTEXT# sh cap
capture capin type raw-data access-list capture_all interface inside[Capturing - 0 bytes]
capture capout type raw-data access-list capture_all interface outside[Capturing - 0 bytes]
As data matching the previously defined ACLs passes through each interface, you’ll note that the reported byte count increases as frames are recorded:
router/CONTEXT# sh cap
capture capin type raw-data access-list capture_all interface inside[Capturing - 39792 bytes]
capture capout type raw-data access-list capture_all interface outside[Capturing - 39872 bytes]
Viewing a Packet Capture
To view the packets captured, use the ‘show capture x’ command – where ‘x’ is the name of the capture you wish to view. For example, ‘show capture inside’ will display the contents of the capture named ‘inside’ in a format similar to tcpdump/Windump.
In the example below, we can see a snippet of the traffic between an internal system (192.168.1.50) and google.com over HTTP.
109: 11:45:27.1918032530 P0 192.168.1.50.2935 > 209.85.225.113.80: P 2908144803:2908145748(945) ack 3047889605 win 64488
110: 11:45:27.1918032580 P0 209.85.225.113.80 > 192.168.1.50.2935: P 3047889605:3047889954(349) ack 2908145748 win 12311
111: 11:45:27.1918032830 P0 192.168.1.50.2935 > 209.85.225.113.80: . ack 3047889954 win 65535
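The tcpdump-style lines above can be parsed to summarize what a capture recorded, which is useful when a capture has grown too large to read by eye. This is an added Python example, not code from the original post or from Cisco: the field layout is assumed from the three lines shown, the first three sample lines are those lines, and lines 112 and 113 are constructed to mirror the 192.168.1.10 to TCP port 135 scenario from section 1.

```python
import re
from collections import defaultdict

# One 'show capture <name>' line, e.g.
# 109: 11:45:27.1918032530 P0 192.168.1.50.2935 > 209.85.225.113.80: P 2908144803:2908145748(945) ack 3047889605 win 64488
# The field after the timestamp ('P0') is matched loosely; its meaning is not
# documented on the page, so the layout is an assumption based on the sample.
LINE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<time>\S+)\s+\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[A-Z.]+)(?:\s+\d+:\d+\((?P<len>\d+)\))?"
)

# Constructed sample: lines 109-111 are from the post; 112-113 are made up
# SYN packets from the internal host 192.168.1.10 to two hosts on TCP/135.
SAMPLE = """\
109: 11:45:27.1918032530 P0 192.168.1.50.2935 > 209.85.225.113.80: P 2908144803:2908145748(945) ack 3047889605 win 64488
110: 11:45:27.1918032580 P0 209.85.225.113.80 > 192.168.1.50.2935: P 3047889605:3047889954(349) ack 2908145748 win 12311
111: 11:45:27.1918032830 P0 192.168.1.50.2935 > 209.85.225.113.80: . ack 3047889954 win 65535
112: 11:45:28.1918040000 P0 192.168.1.10.1044 > 203.0.113.7.135: S 1000:1000(0) win 65535
113: 11:45:28.1918040100 P0 192.168.1.10.1045 > 203.0.113.8.135: S 2000:2000(0) win 65535
""".splitlines()

def parse_line(line):
    """Return a dict of fields for one capture line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"num": int(d["num"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"],
            "len": int(d["len"] or 0)}  # pure ACKs carry no (len) field

def payload_by_flow(lines):
    """Sum TCP payload bytes per (src, sport, dst, dport) direction."""
    totals = defaultdict(int)
    for p in filter(None, map(parse_line, lines)):
        totals[(p["src"], p["sport"], p["dst"], p["dport"])] += p["len"]
    return dict(totals)

def hosts_contacting_port(lines, port):
    """Map each source host to the sorted destinations it contacted on 'port'."""
    seen = defaultdict(set)
    for p in filter(None, map(parse_line, lines)):
        if p["dport"] == port:
            seen[p["src"]].add(p["dst"])
    return {src: sorted(dsts) for src, dsts in seen.items()}

if __name__ == "__main__":
    print(payload_by_flow(SAMPLE))
    print(hosts_contacting_port(SAMPLE, 135))
```

Feed it the text of ‘show capture capin’ saved from the terminal; a host fanning out to many destinations on port 135 stands out immediately in the second summary.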
In the next blog entry, we’ll look at how we can access FWSM captures in Wireshark/Pcap format and use Wireshark features for troubleshooting malicious activity.
Monday, April 5, 2010