欢迎关注:1,欢迎关注本博客,你可点击右手边的【QQ邮件订阅】订阅本博客!2,本博客推出江湖救急计划,主要为工作中遇到疑难杂症的兄弟提供远程技术支持和分析,如有需要,请在江湖救急计划页面给我留言!

思科ASA防火墙下抓包方法

作者:易隐者 发布于:2012-2-26 17:43 Sunday 分类:参考资料

ASA防火墙抓包示例

capture asa_capture_inside_1 type raw-data access-list tac_capture buffer 10000000 interface inside
capture asa_capture_outside_1 type raw-data access-list tac_capture buffer 10000000 interface outside
no capture asa_capture_inside_1
no capture asa_capture_outside_1
clear capture asa_capture_inside_1
clear capture asa_capture_outside_1
copy /pcap capture:asa_capture_inside_1 tftp://172.16.1.200/asa_inside_capture.cap
copy /pcap capture:asa_capture_outside_1 tftp://172.16.1.200/asa_outside_capture.cap


access-list test permit ip host ip (inside) host ip(outside)
access-list test permit ip host ip (outside) host ip (inside)
capture inside access-list test buffer 10000000 interface inside interface outside
capture outside access-list test buffer 10000000 interface outside interface inside

其他示例

1 ,cisco防火墙troubleshooting之capture packet
首先定义需要抓报的类型,使用acl:
access-list capture permit icmp any any
capture test access-list capture interface outside
这样当有icmp包经过outside接口时,就会被抓取下来

copy /pcap capture: test tftp:

Source capture name [test]?  

Address or name of remote host []? 10.10.166.27

Destination filename [test]? test1

这样就会把原始包抓取下来,然后扩展名改为dmp
show capture test
或者通过:https://10.10.166.138/capture/captest/pcap直接可以查看
通过这个地址:https://10.10.166.138/capture/http/pcap来下载

no capture test
删除capture test缓存

       在抓取包的时候,如果是TCP,UDP数据包(基于状态)的时候,只有初始数据包处理,后续包直接进入加速处理器,不会被抓到。
       例如从一个接口1进入,从2口出来,然后返回数据包从2口进入,从1口出来。这个时候数据包只有1口进的时候才被抓取。而当专区icmp(没有状态)的时候,不管是进还是出都会被抓到,就是说,在1,2口的进出口都会被抓到。

2,思科防火墙与oracle兼容性有问题的抓包过程

配置要抓包的数据流
access-list tac_capture permit ip host 59.42.158.1 host 172.16.99.1
access-list tac_capture permit ip host 172.16.99.1 host 59.42.158.1
capture pix_dmz_capture_1 access-list tac_capture buffer 10000000 interface dmz
capture pix_inside_capture_1 access-list tac_capture buffer 10000000 interface inside
capture tac_dmz_capture intreface dmz
capture tac_inside_capture interface inside
            
 显示一些配置
show clock
show conn local 172.16.99.1
show conn foreign 59.42.158.18
show local-host 172.16.99.1
show local-host 59.42.158.1
show xlate local 172.16.99.1
show xlate global 59.42.158.1
show capture
拷贝capture 到tftp服务器上。
copy capture:pix_dmz_capture_1 tftp://172.16.1.200/pix_dmz_capture.cap pcap
copy capture:pix_inside_capture_1 tftp://172.16.1.200/pix_inside_capture.cap pcap
取消capture
clear capture tac_capture
no capture pix_dmz_capture_1
no capture pix_inside_capture_1
配置要抓包的数据流
access-list tac_capture permit ip host 59.42.158.1 host172.16.99.1
access-list   tac_capture permit ip host 172.16.99.1 host 59.42.158.1
capture asa_capture_inside_1 type raw-data access-list tac_capture buffer 10000000 interface inside
capture asa_capture_outside_1 type raw-data access-list tac_capture buffer 10000000 interface outside
capture tac_capture_inside access-list tac_capture interface inside
capture tac_capture_outside access-list tac_capture interface outside
c)
show clock
show conn address 172.16.99.1
show conn address 59.42.158.1
show local-host 172.16.99.1
show local-host 59.42.158.1
show asp drop
show xlate
show capture
d)拷贝capture到tftp服务器上
copy /pcap capture:asa_capture_inside_1 tftp://172.16.1.201/asa_inside_capture.cap
copy /pcap capture:asa_capture_outside_1 tftp://172.16.1.201/asa_outside_capture.cap
e)取消capture
no capture asa_capture_inside_1
no capture asa_capture_outside_1
clear capture asa_capture_inside_1
clear capture asa_capture_outside_1

阅读全文>>

标签: 防火墙 ACL 抓包 思科 ASA

评论(0) 引用(0) 浏览(33348)

思科PIX防火墙下抓包方法

作者:易隐者 发布于:2012-2-26 17:42 Sunday 分类:参考资料

命令语法

capture capture_name [type {asp-drop [drop-code] | raw-data | isakmp | webvpn user webvpn-user [url url]}] [access-list access_list_name] [buffer buf_size] [ethernet-type type] [interface interface_name] [packet-length bytes] [circular-buffer][trace trace_count] 

 在版本6.2中首次出现。
 可捕获在ACL中匹配的包。
 可用sniffer软件,如Iris,ethereal,sniffer等打开。
 保存在内存中,缺省512kb,当buffer满的时候会自动停止。

关键步骤:
 在ACL定义感兴趣的数据流。
 将ACL应用到目标接口。

示例

1,先设置感兴趣流量的ACL
access-list cisco_test  permit ip  host 211.91.211.54   host 61.242.223.17
access-list cisco_test  permit ip host 61.242.223.17 host 211.91.211.54
2,抓包
capture in_cap interface inside access-list cisco_test
capture out_cap interface outside access-list cisco_test
3,查看数据包
show capture
show capture in_cap detail
show capture out_cap detail
4,保存数据包
https://61.242.X.X/capture/in_cap/pcap
https://61.242.X.X/capture/out_cap/pcap
注意:确保PIX上启用了http server。

另外的示例

capture pix_dmz_capture_1 access-list tac_capture buffer 10000000 interface dmz

//抓取DMZ接口的数据包,抓包缓存为10000000B,抓包范围为ACL tac_capture,抓包保存的文件名为pix_dmz_capture_1。
capture pix_inside_capture_1 access-list tac_capture buffer 10000000 interface inside

//抓取inside接口的数据包,抓包缓存为10000000B,抓包范围为ACL tac_capture,抓包保存的文件名为pix_inside_capture_1。
no capture pix_dmz_capture_1

//删除抓包文件pix_dmz_capture_1
no capture pix_inside_capture_1

//删除抓包文件pix_inside_capture_1
copy capture:pix_dmz_capture_1 tftp://172.16.1.200/pix_dmz_capture.cap pcap

//将抓包文件pix_dmz_capture_1copy到tftp服务器172.16.1.200上。
copy capture:pix_inside_capture_1 tftp://172.16.1.200/pix_inside_capture.cap pcap

阅读全文>>

标签: 防火墙 ACL 抓包 思科 PIX

评论(0) 引用(0) 浏览(5222)

Powered by 易隐者 基于emlog 皖ICP备12002343号-1