20091217

Using the capture command in a Cisco Systems PIX firewall.


A packet sniffer is a vital tool when troubleshooting computer networking problems and monitoring computer networks. On a Cisco Systems PIX firewall, one of the best ways to troubleshoot connection problems or watch suspicious network activity is the capture command. Cisco TAC will often request captures from a PIX in PCAP format for open problem tickets involving unusual problems or activity on the PIX and the network.
The capture command was first introduced to the PIX OS in version 6.2 and can capture packets that pass through the PIX device. You can use access-lists to specify the type of traffic you wish to capture, along with the source and destination addresses and ports. Multiple capture statements can be used to attach captures to multiple interfaces. You can even copy the raw header and hexadecimal data in PCAP format to a TFTP server and open it with tcpdump or Wireshark (formerly Ethereal).



Below is the command usage and syntax description, quoted from Cisco's PIX OS 7.0 documentation (the "Usage Guidelines" section it refers to is not reproduced here):
To enable packet capture capabilities for packet sniffing and network fault isolation, use the capture command. To disable packet capture capabilities, use the no form of this command (see the "Usage Guidelines" section for additional information about the no form of this command).
capture capture_name [access-list access_list_name] [buffer buf_size] [ethernet-type type] [interface interface_name] [packet-length bytes] [circular-buffer]
capture capture_name type asp-drop [drop-code] [buffer buf_size] [circular-buffer] [packet-length bytes]
capture capture_name type isakmp [access-list access_list_name] [buffer buf_size] [circular-buffer] [interface interface_name] [packet-length bytes]
capture capture_name type raw-data [access-list access_list_name] [buffer buf_size] [circular-buffer] [ethernet-type type] [interface interface_name] [packet-length bytes]
capture capture_name type webvpn user webvpn-user [url url]
no capture capture_name

Syntax Description:
access-list access_list_name
(Optional) Selects packets based on IP or higher fields for a specific access list identification.
buffer buf_size
(Optional) Defines the buffer size used to store the packet in bytes.
capture_name
Specifies the name of the packet capture.
circular-buffer
(Optional) Overwrites the buffer, starting from the beginning, when the buffer is full.
ethernet-type type
(Optional) Selects an Ethernet type to capture.
interface interface_name
(Optional) Specifies the interface on which to use packet capture, where interface_name is the name assigned to the interface by the nameif command.
packet-length bytes
(Optional) Sets the maximum number of bytes of each packet to store in the capture buffer.
type asp-drop drop-code
(Optional) Captures packets dropped for a reason. You can specify a particular reason by using the drop-code argument. Valid values for the drop-code argument are listed in the "Usage Guidelines" section, below.
type isakmp
(Optional) Captures encrypted and decrypted ISAKMP payloads.
type raw-data
(Optional) Captures inbound and outbound packets on one or more interfaces. This is the default.
type webvpn
(Optional) Captures WebVPN data for a specific WebVPN connection.
url url
(Optional) Specifies a URL for a WebVPN connection capture.
user webvpn-user
(Optional) Specifies a username for a WebVPN capture.

The Capture command defaults are as follows:
  1. The capture type is raw data.
  2. The buffer size is 512 KB.
  3. All the Ethernet types are accepted.
  4. All the IP packets are matched.
  5. The packet-length is 68 bytes.
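A complete capture session on a PIX 7.x, written as an added example for this post (it is not taken from the Cisco documentation quoted above). The host addresses, the TFTP server, the access-list name CAP_ACL and the capture names capin and capout are assumptions; inside and outside are the nameif names of the interfaces on this hypothetical firewall. The copy syntax shown is the 7.x form; 6.x used copy capture:name tftp://... pcap instead.

```cisco
! Assumed: inside host 10.1.1.5 talks HTTPS to outside host 192.168.10.20.
! The capture access-list is matched per packet, not per connection, so
! both directions must be listed or the reply packets are never captured.
access-list CAP_ACL extended permit tcp host 10.1.1.5 host 192.168.10.20 eq 443
access-list CAP_ACL extended permit tcp host 192.168.10.20 eq 443 host 10.1.1.5
!
! One capture per interface the flow crosses (interface_name is the nameif name).
! The defaults (512 KB buffer, 68-byte packet-length) keep only the headers;
! TAC normally wants full packets, so raise packet-length and the buffer.
! circular-buffer keeps the newest traffic instead of stopping when full.
capture capin  access-list CAP_ACL interface inside  buffer 1000000 packet-length 1522 circular-buffer
capture capout access-list CAP_ACL interface outside buffer 1000000 packet-length 1522 circular-buffer
!
! Reproduce the problem, then inspect what was collected.
show capture
show capture capin
show capture capout detail
!
! Export in PCAP format to the (assumed) TFTP server for tcpdump or Wireshark.
copy /pcap capture:capin  tftp://10.1.1.100/capin.pcap
copy /pcap capture:capout tftp://10.1.1.100/capout.pcap
!
! Empty the buffers to start over, or remove the captures to free the memory.
clear capture capin
clear capture capout
no capture capin
no capture capout
```

A capture on both sides of the firewall is what lets you tell a packet the PIX dropped from one it never received: a SYN that appears in capin but not in capout was eaten by the PIX (an access-list, NAT or inspection problem), while one missing from capin never reached the firewall at all. Captures are held in memory rather than in the configuration, so they do not survive a reload and are not written by write memory; the `no capture` lines are there because a forgotten capture with a large buffer keeps consuming RAM on a production device.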
