Cisco ASA Packet Capture

In: Cisco, Firewall

Having the ability to take packet captures directly on the firewall is a lifesaver during any network troubleshooting. In this blog post, we will go through the steps required to take packet captures on the ASA.


The following examples are based on the diagram shown, where the Server is behind the INSIDE interface of the ASA and the OUTSIDE interface is directly connected to the Internet.

ASA basic configurations

interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 

interface GigabitEthernet0/6
 nameif OUTSIDE
 security-level 0
 ip address 

object network inside-subnet
 nat (INSIDE,OUTSIDE) dynamic interface

Packet Capture via ASDM

Let's say we want to take the captures for the traffic between the server  ( and

1. Navigate to Wizards > Packet Capture Wizard

2. Choose the Ingress interface and specify the source /destination IP and Protocol.

3. Choose the Egress interface

4. The Buffer and Capture options can be left at their defaults.

5. Based on the parameters used in the previous steps, ASDM will apply the shown commands to the ASA.

6. Select Start to start the captures

7. Once the required packets are captured, you can stop the capture and save the file to your local computer. You can also view the captures in ASDM by selecting Get Capture Buffer.

8. The capture file can then be analysed using tools such as Wireshark.

Please note that the Egress capture shows as empty. That is because the traffic on the OUTSIDE interface is post-NAT, so the source IP address would have been the OUTSIDE interface IP, which doesn't match the interesting traffic.

Packet Capture via the CLI

You can start the packet capture process by using the capture command. In this example, the capture name CAPTURE_TEST is defined.

capture CAPTURE_TEST interface INSIDE match ip

asa-log# show capture CAPTURE_TEST

6 packets captured

   1: 11:03:36.789281 > icmp: echo request 
   2: 11:03:36.810520 > icmp: echo reply 
   3: 11:03:37.791417 > icmp: echo request 
   4: 11:03:37.803821 > icmp: echo reply 
   5: 11:03:38.794651 > icmp: echo request 
   6: 11:03:38.807972 > icmp: echo reply 
6 packets shown

You can download the capture files from the ASA by navigating to the following URL path.


Packet Capture for the Post-NAT traffic

How do we capture the post-NAT traffic? For example, when the traffic from the server leaves the ASA, its source IP is NATed to the OUTSIDE interface IP which is

Well, we need to specify the Post-NAT IP ( as the interesting traffic rather than the real IP ( as shown below.

asa-log(config)# capture NAT interface OUTSIDE match ip host host
asa-log(config)# exit
asa-log# show capture NAT

6 packets captured

   1: 18:19:28.947659 > icmp: echo request 
   2: 18:19:28.969401 > icmp: echo reply 
   3: 18:19:29.947247 > icmp: echo request 
   4: 18:19:29.963893 > icmp: echo reply 
   5: 18:19:30.949810 > icmp: echo request 
   6: 18:19:30.967998 > icmp: echo reply 
6 packets shown

Capture packets destined to/from the ASA

Let's say we want to capture the ICMP traffic originating from the ASA's OUTSIDE interface. The following command will capture all the traffic on the OUTSIDE interface, including traffic generated by the ASA itself.

asa-log(config)# capture FROM_ASA interface OUTSIDE match ip host any 
asa-log(config)# exit

asa-log# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/30 ms

asa-log# show capture FROM_ASA

10 packets captured

   1: 11:09:53.162345 > icmp: echo request 
   2: 11:09:53.191503 > icmp: echo reply 
   3: 11:09:53.194173 > icmp: echo request 
   4: 11:09:53.217518 > icmp: echo reply 
   5: 11:09:53.217807 > icmp: echo request 
   6: 11:09:53.242663 > icmp: echo reply 
   7: 11:09:53.243029 > icmp: echo request 
   8: 11:09:53.264268 > icmp: echo reply 
   9: 11:09:53.264695 > icmp: echo request 
  10: 11:09:53.289871 > icmp: echo reply 
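The three show capture outputs above (the INSIDE capture, the post-NAT OUTSIDE capture and the capture of the ASA's own pings) all share the same brief line format. The parser below is an added example, not code from the original post: it reads that output, pairs each echo request with the next reply flowing the opposite way, reports the round-trip time per pair and lists requests that never got a reply on that interface, which is the usual question when a capture is taken during troubleshooting. It assumes the real ASA line form "SRC > DST: icmp: echo request|reply" (the addresses are stripped from the post's listings), and the sample input is constructed with RFC 5737 documentation addresses standing in for the server and the remote host. Since this brief output carries no ICMP identifier or sequence number, pairing is by order only.

```python
"""Parse Cisco ASA `show capture` ICMP output and pair echo requests with replies."""
import re
from dataclasses import dataclass

# One ICMP echo line of `show capture` output, e.g.
#   "   1: 11:03:36.789281 192.0.2.10 > 203.0.113.1: icmp: echo request"
# Assumption: the "SRC > DST: icmp: echo request|reply" form of a real ASA;
# lines for other protocols (TCP, UDP) do not match and are counted as skipped.
ICMP_LINE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d{1,6})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\b"
)
# Any packet line at all (index + timestamp), used to count non-ICMP lines.
PACKET_LINE = re.compile(r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}")


@dataclass
class Packet:
    idx: int
    ts_us: int      # time of day in microseconds since midnight
    src: str
    dst: str
    kind: str       # "request" or "reply"


def parse_timestamp(ts: str) -> int:
    """Convert HH:MM:SS.ffffff to integer microseconds since midnight (exact, no floats)."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1_000_000 + int(frac.ljust(6, "0"))


def parse_capture(text: str):
    """Return (packets, skipped): ICMP echo packets in capture order, plus the
    number of packet lines that were not ICMP echo (e.g. TCP) and were skipped."""
    packets, skipped = [], 0
    for line in text.splitlines():
        m = ICMP_LINE.match(line)
        if m:
            packets.append(Packet(int(m["idx"]), parse_timestamp(m["ts"]),
                                  m["src"], m["dst"], m["kind"]))
        elif PACKET_LINE.match(line):
            skipped += 1
    return packets, skipped


def pair_echoes(packets):
    """Pair each echo request with the next unmatched reply going the opposite way.
    Returns (pairs, unanswered): pairs are (request_idx, reply_idx, rtt_us) and
    unanswered lists request indices with no reply seen on this interface."""
    pairs, unanswered, used = [], [], set()
    for i, req in enumerate(packets):
        if req.kind != "request":
            continue
        for j in range(i + 1, len(packets)):
            rep = packets[j]
            if (j not in used and rep.kind == "reply"
                    and rep.src == req.dst and rep.dst == req.src
                    and rep.ts_us >= req.ts_us):
                used.add(j)
                pairs.append((req.idx, rep.idx, rep.ts_us - req.ts_us))
                break
        else:
            unanswered.append(req.idx)
    return pairs, unanswered


def analyse_capture(text: str) -> dict:
    packets, skipped = parse_capture(text)
    pairs, unanswered = pair_echoes(packets)
    return {"icmp_packets": len(packets), "skipped": skipped,
            "pairs": pairs, "unanswered": unanswered}


# Constructed sample in the shape of the post's first capture: the server is
# 192.0.2.10, the remote host 203.0.113.1 (RFC 5737 addresses). The last
# request gets no reply and one TCP SYN is mixed in to show it is skipped.
SAMPLE = """\
6 packets captured

   1: 11:03:36.789281 192.0.2.10 > 203.0.113.1: icmp: echo request
   2: 11:03:36.810520 203.0.113.1 > 192.0.2.10: icmp: echo reply
   3: 11:03:37.791417 192.0.2.10 > 203.0.113.1: icmp: echo request
   4: 11:03:37.803821 203.0.113.1 > 192.0.2.10: icmp: echo reply
   5: 11:03:38.794651 192.0.2.10 > 203.0.113.1: icmp: echo request
   6: 11:03:39.120000 192.0.2.10.51000 > 203.0.113.1.443: S 1:1(0) win 64240 <mss 1460>
6 packets shown
"""

if __name__ == "__main__":
    result = analyse_capture(SAMPLE)
    for req, rep, rtt in result["pairs"]:
        print(f"request #{req} -> reply #{rep}: {rtt / 1000:.3f} ms")
    for idx in result["unanswered"]:
        print(f"request #{idx}: no reply seen on this interface")
    print(f"{result['skipped']} non-ICMP packet line(s) skipped")
```

An unanswered request on the INSIDE capture together with a matching pair on the OUTSIDE capture points at the return path, while a request missing on OUTSIDE altogether points at the ASA (policy, NAT or routing). Remember the post-NAT caveat from the earlier section: the OUTSIDE listing shows the translated source address, so run the parser on each interface's output separately rather than expecting the same addresses in both.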

Clear or Remove the captures

If you want to clear the capture buffer but continue taking captures, use the clear capture CAPTURE-NAME command.

If, however, you want to remove the capture completely, use the no capture CAPTURE-NAME command.

Written by
Suresh Vina