Starting with the new Cisco ASA firewall version 7.2(1), you can now capture detailed packet information traversing the firewall for analysis and for troubleshooting problems.
To enable packet tracing capabilities for packet sniffing and network fault isolation, use the packet-tracer command. To disable packet capture capabilities, use the no form of this command.
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
no packet-tracer
In addition to capturing packets, it is possible to trace the lifespan of a packet through the security appliance to see if it is behaving as expected. The packet-tracer command lets you do the following:
Examples
To enable packet tracing from inside host 10.2.25.3 to external host 209.165.202.158 with detailed information, enter the following:
hostname# packet-tracer input inside tcp 10.2.25.3 www 209.165.202.158 aol detailed
To enable packet tracing capabilities for packet sniffing and network fault isolation, use the packet-tracer command. To disable packet capture capabilities, use the no form of this command.
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
no packet-tracer
In addition to capturing packets, it is possible to trace the lifespan of a packet through the security appliance to see if it is behaving as expected. The packet-tracer command lets you do the following:
- Debug all packet drops in production network.
- Verify the configuration is working as intended.
- Show all rules applicable to a packet along with the CLI lines which caused the rule addition.
- Show a time line of packet changes in a data path.
- Inject tracer packets into the data path.
Examples
To enable packet tracing from inside host 10.2.25.3 to external host 209.165.202.158 with detailed information, enter the following:
hostname# packet-tracer input inside tcp 10.2.25.3 www 209.165.202.158 aol detailed
