Showing posts with label pcap. Show all posts

Friday, 17 February 2023

packet capture on cisco ASA firewall with trace

A good capture option on the ASA: capture with trace.

You can then show the trace for a captured packet and the ASA walks through it hop by hop, just like packet-tracer does.

capture capout2 type raw-data trace detail interface OUTSIDE include-decrypted match ip host 192.168.10.50 host 8.8.4.4

show capture capout2 trace detail packet-number 1


Wednesday, 10 June 2020

download packet capture (pcap) file from FMC / FTD / firepower



Connect to the FTD sensor.

Use "system support diagnostic-cli" to go into the ASA CLI.

Set up your capture as normal and capture your traffic.

Once complete: "copy /pcap capture: disk0:"

Now type exit twice to get out of the ASA CLI.

type "expert"

cd to "/mnt/disk0"

cp MYCAP.pcap /ngfw/var/common

On the FMC web interface

Devices -> hammer + wrench icon -> Advanced

Go into advanced troubleshooting -> File download

Enter MYCAP.pcap and click download.

Monday, 23 October 2017

packet capture on cisco router/switch

*** Setup ACL
ip access-list extended CAP_ACL
permit ip host x host y

*** Setup buffer
monitor capture buffer CAP_BUFF circular

*** Filter the buffer with the ACL
monitor capture buffer CAP_BUFF filter access-list CAP_ACL

*** Setup the cap point and on what interface
monitor capture point ip cef CAP_POINT fa0/0 both

*** Assign the buffer to point
monitor capture point associate CAP_POINT CAP_BUFF

*** Show the setup
show monitor capture buffer CAP_BUFF

*** Start the cap
monitor capture point start CAP_POINT

*** Send the test traffic
send test traffic (a ping, or telnet to the port, etc.)

*** Stop the cap
monitor capture point stop CAP_POINT

*** show brief
show monitor capture buffer CAP_BUFF brief

*** export the capture to tftp server
monitor capture buffer CAP_BUFF export tftp://10.50.50.22/mycap.pcap

*** Open the pcap in wireshark


For the 3850 (but it didn't work for me):
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/configuration/xe-16/epc-xe-16-book/nm-packet-capture-xe.html#GUID-DCB20ADF-1F8E-434B-AE97-54802879F34F

Tuesday, 7 March 2017

tracing latency with wireshark

Run your capture, run your test.

Open the capture and click on a packet.

Right click on TCP in the bottom pane
-> Protocol Preferences -> Calculate conversation timestamps

The timestamps now appear under TCP.
Right click -> Apply as Column

Sort with the highest number on top. The value is in seconds: 1.0 is one second,
0.02 is 20 ms.

FIN/ACKs can be ignored, as they are just closing connections.
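What Wireshark's "Calculate conversation timestamps" column (tcp.time_delta) computes is the gap between a packet and the previous packet in the same TCP conversation, in seconds. The following is an added example (not from this blog, not Wireshark's own code) that does the same thing over a pcap file: it validates the classic pcap magic number, walks the records, keys Ethernet/IPv4/TCP packets by conversation, and lists the deltas largest first, skipping FIN packets as the post suggests. The pcap bytes it reads are constructed inline (one HTTPS-style exchange with a slow server response); it assumes a classic pcap file (not pcapng), Ethernet link type, IPv4 and no VLAN tags.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def build_packet(src, sport, dst, dport, flags):
    """Constructed test data: an Ethernet/IPv4/TCP frame with no payload."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(packets):
    """Constructed test data: (timestamp_seconds, frame) pairs -> classic pcap bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_records(data):
    """Yield (timestamp_seconds, frame_bytes) from a classic pcap; reject anything else."""
    if len(data) < 24:
        raise ValueError("file too short to be a pcap")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"                                          # written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                                          # written big-endian
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, sport, dst, dport, tcp[13]


def conversation_deltas(pcap_bytes, ignore_fin=True):
    """List (delta_seconds, packet_number, 'src:port -> dst:port'), largest delta first.

    delta is the time since the previous packet in the same conversation, in
    either direction, which is what Wireshark's tcp.time_delta shows."""
    last_seen = {}
    rows = []
    for number, (ts, frame) in enumerate(iter_records(pcap_bytes), start=1):
        hdr = parse_tcp(frame)
        if hdr is None:
            continue
        src, sport, dst, dport, flags = hdr
        key = frozenset({(src, sport), (dst, dport)})     # direction-agnostic key
        prev = last_seen.get(key)
        last_seen[key] = ts
        if prev is None or (ignore_fin and flags & TCP_FIN):
            continue
        rows.append((round(ts - prev, 6), number, f"{src}:{sport} -> {dst}:{dport}"))
    rows.sort(key=lambda r: r[0], reverse=True)
    return rows


# Constructed sample: handshake, request, a 250 ms server response, then teardown.
C, S = "192.168.1.50", "200.100.100.100"
SAMPLE_PCAP = build_pcap([
    (10.0000, build_packet(C, 40000, S, 443, TCP_SYN)),
    (10.0010, build_packet(S, 443, C, 40000, TCP_SYN | TCP_ACK)),
    (10.0015, build_packet(C, 40000, S, 443, TCP_ACK)),
    (10.0020, build_packet(C, 40000, S, 443, TCP_PSH | TCP_ACK)),   # request
    (10.2520, build_packet(S, 443, C, 40000, TCP_PSH | TCP_ACK)),   # slow response
    (10.2530, build_packet(C, 40000, S, 443, TCP_FIN | TCP_ACK)),
    (12.2530, build_packet(S, 443, C, 40000, TCP_FIN | TCP_ACK)),   # late FIN, ignored
])

if __name__ == "__main__":
    for delta, number, conv in conversation_deltas(SAMPLE_PCAP):
        print(f"{delta * 1000:9.3f} ms  packet {number}  {conv}")
```

The top row points at packet 5, the server's response 250 ms after the request; the two-second gap before the final FIN/ACK only shows up with ignore_fin=False, which is exactly why the post says to ignore those. The magic-number check at the start is also a quick sanity test for a capture file copied off an ASA or FTD before opening it.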


Friday, 6 January 2017

setting up packet captures on the cisco ASA

cap capin interface inside match ip host 192.168.1.50 host 200.100.100.100 circular-buffer

This will capture data in both directions.
circular-buffer means the capture overwrites the oldest data when the buffer is full;
otherwise it fills up and stops capturing.
You can use "clear cap capin" to clear out the captured data.

This will capture all drops of any type:
capture asp-drop type asp-drop all
sh cap asp-drop

You can also look at "sh asp drop" to see if the drop counters are increasing.

The capture file can be saved and copied off the ASA:

https://100.100.100.200/capture/my-cap-name/pcap

To save the capture file
copy /pcap capture: disk0:

Copy the file off with CLI or ASDM file transfer.

There is also a way to connect ASDM directly to Wireshark.