Capturing Traffic


Cisco has provided an excellent tool for capturing and analyzing network traffic with the introduction of PIX software v6.2. When the capture command is used, the PIX can act as a packet sniffer on the target interface, capturing packets for later analysis. This command captures both inbound and outbound traffic.

Capturing packets that transit an interface is very useful for troubleshooting, because it enables you to determine exactly what traffic is being passed. When you're troubleshooting connectivity issues, it is often useful to capture packets from the incoming and outgoing interfaces. You can analyze the captured packets to determine if there are any problems with your configuration, such as IP address disagreement, or problems with IKE or IPsec, such as mismatched or expected parameters that are not being passed. Before this feature, the only recourse an engineer had was to install a packet capture device. The packet capture feature was introduced in PIX firewall v6.2 and is only available for Ethernet interfaces. The syntax of the command is as follows.

capture <capture-name> [access-list <ID>] [buffer <bytes>] [ethernet-type <type>] [interface <if_name>] [packet-length <bytes>]

The first parameter, capture-name, defines a name for this particular capture session. All other parameters are optional. The access-list parameter specifies an access list to limit the source and destination of the traffic captured. By default, all IP packets are matched. The buffer parameter specifies the size of the buffer (in bytes) used to store captured packets. The maximum value is based on the amount of available memory on the PIX firewall. The default buffer size is 512K, and once the buffer fills up, the packet capture stops. The ethernet-type parameter specifies the protocols to capture. You can specify ip, arp, rarp, ip6, or any protocol number between 1 and 65535. By default, all Ethernet types are captured. (Setting the ethernet-type parameter to 0 specifies capturing all types.) The interface parameter specifies the interface on which to capture packets. The packet-length parameter specifies how much of each packet to capture. Usually for troubleshooting, only the first few bytes of a packet are necessary, and the PIX captures up to 68 bytes. For example:

PIX1# capture inside-traffic access-list 100 buffer 20000 interface inside packet-length 200

In this example, we are capturing the first 200 bytes of traffic matching access list 100 on the inside interface. We have allocated 20,000 bytes for buffer storage of these captured packets.

Multiple traffic captures can be run simultaneously. To view the list of captures, use the show capture command. For example, the following command shows two simultaneous captures, cap1 and cap2, being performed:

PIX1# show capture
capture cap1 interface inside
capture cap2 interface outside

To clear a capture buffer without stopping the capture, use the clear capture <capture-name> command. For example:

PIX1# clear capture cap1 

To stop a capture and clear the associated buffer, use the no capture <capture-name> command. For example:

PIX1# no capture cap2 

To stop a capture and save the associated buffer, use the no capture <capture-name> interface <if_name> command. For example:

PIX1# no capture cap1 interface inside 

Displaying Captured Traffic

Cisco provides several options for displaying our captured data. We can display it on the console, which provides for rudimentary viewing, or we can view it using a Web browser. We can even download our captured data and use third-party software such as Ethereal (www.ethereal.com) or tcpdump (www.tcpdump.org) to view it.

Display on the Console

In the course of troubleshooting a PIX firewall problem by capturing data, viewing the capture on the console is probably the most sensible option. If you opt to use the console for this purpose, it is best if you keep the packet length short enough to get the primary headers (IP, TCP, and so forth), because you can easily become confused scrolling through voluminous amounts of data on the simple textual console. To view a capture on the console, use the show capture command:

show capture <capture-name> [access-list <ID>] [count <number>] [detail] [dump] 

If you have captured a great deal of data, you can filter it out by specifying an access-list in this command, which acts as a display filter. The count parameter is used to limit the number of packets displayed on the screen. The detail parameter increases the level of detail displayed. The dump parameter specifies that the data should be displayed in hex (this does not display MAC information). An example packet capture is shown in the following output:

PIX1# show capture inside-traffic count 6
71 packets captured
17:29:35.648434 192.168.2.1.23 > 192.168.2.2.11002: P 942178590:942178597(7) ack 2099017897 win 4096(fragment-packet)
17:29:35.848207 192.168.2.2.11002 > 192.168.2.1.23: . ack 942178597 win 3531(fragment-packet)
17:29:37.610258 192.168.2.2.11002 > 192.168.2.1.23: P 2099017897:2099017898(1) ack 942178597 win 3531(fragment-packet)
17:29:37.610442 192.168.2.1.23 > 192.168.2.2.11002: . ack 2099017898 win 4095(fragment-packet)
17:29:37.610686 192.168.2.1.23 > 192.168.2.2.11002: P 942178597:942178598(1) ack 2099017898 win 4096(fragment-packet)
17:29:37.808155 192.168.2.2.11002 > 192.168.2.1.23: . ack 942178598 win 3530(fragment-packet)

Notice how the acknowledgments (ACKs) are incrementing. This particular capture was part of a Telnet session between 192.168.2.1 and 192.168.2.2; the 23 at the end of 192.168.2.1 tells you that it is the Telnet server. At this point, you should have a good idea just how useful capture can be in the troubleshooting process.
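Reading sequence and acknowledgment numbers off the console by eye gets tedious past a handful of packets. The following is an added example, not code from the book or from Cisco: it parses the tcpdump-style lines that show capture prints, using the six Telnet packets above as a constructed sample (unwrapped to one packet per line), and checks the ack progression the text points out. An ack that runs ahead of the bytes the peer was seen sending means the capture is missing packets, typically because the capture access-list only matched one direction; the lowest port in the conversation (23 here) identifies the server, as the text notes.

```python
"""Parse PIX 'show capture' console output and sanity-check the TCP ack progression."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample input: the book's 'show capture inside-traffic count 6' output,
# one packet per line.
SAMPLE_OUTPUT = """\
71 packets captured
17:29:35.648434 192.168.2.1.23 > 192.168.2.2.11002: P 942178590:942178597(7) ack 2099017897 win 4096(fragment-packet)
17:29:35.848207 192.168.2.2.11002 > 192.168.2.1.23: . ack 942178597 win 3531(fragment-packet)
17:29:37.610258 192.168.2.2.11002 > 192.168.2.1.23: P 2099017897:2099017898(1) ack 942178597 win 3531(fragment-packet)
17:29:37.610442 192.168.2.1.23 > 192.168.2.2.11002: . ack 2099017898 win 4095(fragment-packet)
17:29:37.610686 192.168.2.1.23 > 192.168.2.2.11002: P 942178597:942178598(1) ack 2099017898 win 4096(fragment-packet)
17:29:37.808155 192.168.2.2.11002 > 192.168.2.1.23: . ack 942178598 win 3530(fragment-packet)
"""

# One tcpdump-style line: timestamp, src.port > dst.port: flags [seq:seq(len)] ack N win N ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[A-Z.]+)\s+"
    r"(?:(?P<seq_start>\d+):(?P<seq_end>\d+)\s*\((?P<length>\d+)\)\s+)?"
    r"ack\s+(?P<ack>\d+)\s+win\s+(?P<win>\d+)"
)

Endpoint = Tuple[str, int]


class Packet(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq_start: Optional[int]   # None for pure acks (no data in the segment)
    seq_end: Optional[int]
    ack: int
    win: int


def parse_show_capture(text: str) -> List[Packet]:
    """Turn console output into Packet records; header lines and blanks are skipped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        packets.append(Packet(
            ts=g["ts"], src=g["src"], sport=int(g["sport"]),
            dst=g["dst"], dport=int(g["dport"]), flags=g["flags"],
            seq_start=int(g["seq_start"]) if g["seq_start"] else None,
            seq_end=int(g["seq_end"]) if g["seq_end"] else None,
            ack=int(g["ack"]), win=int(g["win"]),
        ))
    return packets


def check_ack_progression(packets: List[Packet]) -> List[str]:
    """Report acks beyond the peer's highest sent byte, or acks that move backwards.

    In a complete two-way capture each ack equals (or trails) the highest sequence
    number the peer was seen sending; exceeding it means packets are missing from
    the capture.
    """
    highest_sent: Dict[Endpoint, int] = {}
    last_ack: Dict[Endpoint, int] = {}
    problems: List[str] = []
    for n, p in enumerate(packets, 1):
        me: Endpoint = (p.src, p.sport)
        peer: Endpoint = (p.dst, p.dport)
        if peer in highest_sent and p.ack > highest_sent[peer]:
            problems.append(f"packet {n} ({p.ts}): ack {p.ack} exceeds peer's last sent byte {highest_sent[peer]}")
        if me in last_ack and p.ack < last_ack[me]:
            problems.append(f"packet {n} ({p.ts}): ack {p.ack} went backwards from {last_ack[me]}")
        last_ack[me] = p.ack
        if p.seq_end is not None:
            highest_sent[me] = max(highest_sent.get(me, 0), p.seq_end)
    return problems


def guess_server(packets: List[Packet]) -> Optional[Endpoint]:
    """The endpoint on the lowest port (a well-known port such as 23) is taken as the server."""
    endpoints = {(p.src, p.sport) for p in packets} | {(p.dst, p.dport) for p in packets}
    return min(endpoints, key=lambda e: e[1]) if endpoints else None


if __name__ == "__main__":
    pkts = parse_show_capture(SAMPLE_OUTPUT)
    print(f"{len(pkts)} packets parsed, server looks like {guess_server(pkts)}")
    for issue in check_ack_progression(pkts) or ["ack progression consistent"]:
        print(issue)
```

Paste a longer show capture listing into SAMPLE_OUTPUT (or read it from a file) and the same checks apply; the regex ignores the trailing (fragment-packet) annotation and any other text after the window size.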

Display to a Web Browser

Cisco also makes it very easy to securely view packet captures (the packet headers in ASCII format) using a Web browser. To view the contents using your Web browser, enter the appropriate URL to the PIX firewall. The syntax is as follows:

https://pix_ip_address/capture/<capture-name>/

For example:

https://192.168.1.1/capture/inside-traffic/

Downloading Captured Traffic

The PIX firewall saves packet capture buffers in PCAP format, which can be downloaded and viewed with third-party software such as Ethereal or tcpdump. The capture can be downloaded either using HTTPS or TFTP. To download the file using HTTPS, enter the appropriate URL to the PIX firewall. The syntax is as follows:

https://pix_ip_address/capture/<capture-name>/pcap 

For example:

https://192.168.1.1/capture/inside/pcap

This syntax downloads the packet capture to your client in PCAP format. Alternatively, you can download the file using TFTP. This is accomplished using the copy command on the PIX firewall. The syntax is as follows:

copy capture:<capture-name> tftp://<location>/<filename> [pcap]

Without the pcap keyword, the ASCII packet headers will be copied. With the pcap keyword, the binary file in PCAP format will be copied. For example:

PIX1# copy capture:inside-traffic tftp://192.168.99.99/pix-capture pcap
copying Capture to tftp://192.168.99.99/pix-capture:

In our example, we are copying the inside-traffic capture (in PCAP format) to the TFTP server at 192.168.99.99 to the pix-capture filename. Once the file has been copied, you can use any of the aforementioned software packages to open and analyze the captured packets.
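Ethereal and tcpdump read the downloaded file directly, but it helps to know what is actually in it, in particular that the packet-length setting makes the PIX store each record truncated to that many bytes. The following is an added example, not code from the book or from Cisco: a small parser for the classic PCAP format the PIX writes, exercised on a constructed capture image. The two Ethernet/IPv4/TCP frames, their MAC addresses and the zeroed checksums are all made up for the example, and the image is written with a snaplen of 200 to match the packet-length 200 used earlier, so the second, larger frame is stored cut short and the decoder has to stop at whichever header the truncation reaches.

```python
"""Parse a classic PCAP file such as the PIX produces (copy capture: ... pcap, or the /pcap URL)."""
import struct
from typing import List, NamedTuple, Optional

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic read from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


class Record(NamedTuple):
    ts: float
    orig_len: int                   # length on the wire
    incl_len: int                   # bytes actually stored (capped by packet-length/snaplen)
    truncated: bool
    src: Optional[str] = None       # None when the stored bytes do not reach that header
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 + TCP (PSH,ACK) frame; MACs and checksums are zero."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 4096, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes], snaplen: int) -> bytes:
    """Write frames as a classic pcap image, storing at most snaplen bytes per record."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        stored = frame[:snaplen]
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(stored), len(frame)) + stored
    return out


def decode_frame(pkt: bytes, ts: float, orig_len: int) -> Record:
    """Decode what is present; every field is guarded because the frame may be cut anywhere."""
    rec = Record(ts=ts, orig_len=orig_len, incl_len=len(pkt), truncated=len(pkt) < orig_len)
    if len(pkt) < 14 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        return rec                                   # no Ethernet header, or not IPv4
    ihl = (pkt[14] & 0x0F) * 4 if len(pkt) > 14 else 0
    if len(pkt) < 14 + 20 or ihl < 20:
        return rec                                   # IPv4 header cut off or malformed
    rec = rec._replace(src=_ip_str(pkt[26:30]), dst=_ip_str(pkt[30:34]), proto=pkt[23])
    l4 = 14 + ihl
    if rec.proto in (6, 17) and len(pkt) >= l4 + 4:  # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
        rec = rec._replace(sport=sport, dport=dport)
    return rec


def parse_pcap(data: bytes) -> List[Record]:
    """Walk the global header and every record; raises on anything that is not classic pcap."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError(f"unrecognised magic 0x{magic:08x} (not classic pcap)")
    _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"linktype {linktype} unsupported (expected Ethernet)")
    records: List[Record] = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError(f"record at offset {off - 16} is cut off mid-packet")
        off += incl_len
        records.append(decode_frame(pkt, ts_sec + ts_usec / 1e6, orig_len))
    return records


# Constructed sample capture: a short Telnet segment and a 300-byte reply, snaplen 200.
SAMPLE_FRAMES = [
    build_frame("192.168.2.1", "192.168.2.2", 23, 11002, b"login: "),
    build_frame("192.168.2.2", "192.168.2.1", 11002, 23, b"A" * 300),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES, 200)

if __name__ == "__main__":
    for r in parse_pcap(SAMPLE_PCAP):
        flag = " (truncated)" if r.truncated else ""
        print(f"{r.ts:.6f} {r.src}:{r.sport} -> {r.dst}:{r.dport} proto {r.proto} "
              f"{r.incl_len}/{r.orig_len} bytes{flag}")
```

To inspect a real download, replace SAMPLE_PCAP with the bytes of the file fetched from the /pcap URL or copied to the TFTP server; a record whose truncated flag is set tells you the capture was run with a packet-length smaller than that frame, which is why only headers, not payload, are usually present.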

Support Options as Troubleshooting Tools

The PIX firewall can be a very critical device on your network. Network architecture planning needs to consider various support options to handle the loss or failure of your PIX firewall. Consider this troubleshooting by prevention, if you will. You can do it all yourself, farm out support to a third-party vendor (reseller), or purchase support from Cisco. Let's examine each option:

  • In the "do it yourself" approach, you simply purchase the software and hardware, with no warranty or support other than what was provided as standard. If anything goes wrong, you need the knowledge and resources to fix it yourself.

  • In the third-party option, you have a special arrangement with your vendor (reseller) to provide whatever you need to fix your problem, whether software or hardware. Although your reseller might not have the depth and breadth of knowledge that Cisco does, as a reseller, it might be able to offer you a substantial discount on support.

  • Using Cisco via the SMARTnet program can ensure that you always have access to a large pool of expert knowledge and the "latest and greatest" information regarding configuration, troubleshooting, and bug fixes. The Cisco Web site offers a wealth of tools and information that you can use to aid your troubleshooting. You can also opt to acquire the Cisco Connection Online (CCO) membership to gain access to even more support such as the ability to open or browse TAC cases online. SMARTnet also provides hardware replacement and software upgrades.

Two things can break on your PIX firewall: the software or the hardware. To protect against hardware failures, you have the option of stockpiling spares. Depending on the ratio of active to stock units, this choice could be cost prohibitive. Software can be plagued with bugs that you discover after you have deployed the perfect configuration. Certain commands or features might not work as you want them to or not work at all. In any case, you will require information from Cisco to work around the problem or access to the latest release of software that fixes your problem. In general, you are better off putting your firewall under a SMARTnet maintenance contract with Cisco to ensure that you always have access to the latest releases of software. Software is generally much more difficult to fix on your own than hardware, which you can easily replace in case of a failure. You definitely cannot rewrite the software code to fix a problem, and you'll end up spending an excessive amount of time developing a workaround to a problem caused by a buggy software release.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240
