This document describes the configuration and verification of Firepower and Secure Firewall internal switch captures.
Basic product knowledge and capture analysis.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The information in this document is based on these software and hardware versions:
From a packet-flow point of view, the architecture of the Firepower 4100/9300 and Secure Firewall 3100/4200 is visualized in this figure:
The chassis includes these components:
This table shows the backplane interfaces on the Firepower 4100/9300 and the uplink interfaces on the Secure Firewall 3100/4200:
| Platform | Number of supported security modules | Backplane/uplink interfaces | Management uplink interfaces | Mapped application interfaces |
|---|---|---|---|---|
| Firepower 4100 (except Firepower 4110/4112) | 1 | SM1: Ethernet1/9, Ethernet1/10 | N/A | Internal-Data0/0, Internal-Data0/1 |
| Firepower 4110/4112 | 1 | Ethernet1/9 | N/A | Internal-Data0/0, Internal-Data0/1 |
| Firepower 9300 | 3 | SM1: Ethernet1/9, Ethernet1/10; SM2: Ethernet1/11, Ethernet1/12; SM3: Ethernet1/13, Ethernet1/14 | N/A | Internal-Data0/0, Internal-Data0/1; Internal-Data0/1; Internal-Data0/1 |
| Secure Firewall 3100 | 1 | SM1: in_data_uplink1 | in_mgmt_uplink1 | Internal-Data0/1, Management1/1 |
| Secure Firewall 4200 | 1 | SM1: in_data_uplink1; SM1: in_data_uplink2 (4245 only) | in_mgmt_uplink1, in_mgmt_uplink2 | Internal-Data0/1, Internal-Data0/2 (4245 only), Management1/1, Management1/2 |
On a Firepower 4100/9300 with 2 backplane interfaces per module, or on a Secure Firewall 4245 with 2 data uplink interfaces, the internal switch and the application on the module load-balance traffic across both interfaces.
Verify the internal interfaces with the show interface detail command:
> show interface detail | grep Interface
Interface Internal-Control0/0 "ha_ctl_nlp_int_tap", is up, line protocol is up
Control Point Interface States:
Interface number is 6
Interface config status is active
Interface state is active
Interface Internal-Data0/0 "", is up, line protocol is up
Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active
Interface Internal-Data0/1 "", is up, line protocol is up
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
Interface Internal-Data0/2 "nlp_int_tap", is up, line protocol is up
Control Point Interface States:
Interface number is 4
Interface config status is active
Interface state is active
Interface Internal-Data0/3 "ccl_ha_nlp_int_tap", is up, line protocol is up
Control Point Interface States:
Interface number is 5
Interface config status is active
Interface state is active
Interface Internal-Data0/4 "cmi_mgmt_int_tap", is up, line protocol is up
Control Point Interface States:
Interface number is 7
Interface config status is active
Interface state is active
Interface Port-channel6.666 "", is up, line protocol is up
Interface Ethernet1/1 "diagnostic", is up, line protocol is up
Control Point Interface States:
Interface number is 8
Interface config status is active
Interface state is active
Firepower 4100/9300
To make forwarding decisions, the internal switch uses the interface VLAN tag, also called the port VLAN tag, together with the virtual network tag (VN-tag).
The internal switch uses the port VLAN tag to identify an interface. The switch inserts the port VLAN tag into every packet that enters on a front interface. The VLAN tag is assigned automatically by the system and cannot be changed manually. The tag value can be checked in the fxos command shell:
firepower# connect fxos
…
firepower(fxos)# show run int e1/2
!Command: show running-config interface Ethernet1/2
!Time: Tue Jul 12 22:32:11 2022
version 5.0(3)N2(4.120)
interface Ethernet1/2
description U: Uplink
no lldp transmit
no lldp receive
no cdp enable
switchport mode dot1q-tunnel
switchport trunk native vlan 102
speed 1000
duplex full
udld disable
no shutdown
The VN-tag is also inserted by the internal switch and is used to forward packets to the application. It is assigned automatically by the system and cannot be changed manually.
The port VLAN tag and the VN-tag are shared with the application. The application inserts the respective egress interface VLAN tag and VN-tag into every packet. When the internal switch receives a packet from the application on a backplane interface, the switch reads the egress interface VLAN tag and the VN-tag, identifies the application and the egress interface, removes the port VLAN tag and the VN-tag, and forwards the packet to the network.
Secure Firewall 3100/4200
As on the Firepower 4100/9300, the internal switch uses the port VLAN tag to identify an interface.
The port VLAN tag is shared with the application. The application inserts the respective egress interface VLAN tag into every packet. When the internal switch receives a packet from the application on an uplink interface, the switch reads the egress interface VLAN tag, identifies the egress interface, removes the port VLAN tag, and forwards the packet to the network.
Firepower 4100/9300 and Secure Firewall 3100
The Firepower 4100/9300 and Secure Firewall 3100 firewalls support packet capture on the internal switch interfaces.
This figure shows the packet capture points along the packet path in the chassis and in the application:
The capture points are:
The internal switch supports ingress interface captures only. That is, only packets received from the network or from the ASA/FTD application can be captured. Egress packet captures are not supported.
Secure Firewall 4200
The Secure Firewall 4200 firewall supports packet capture on the internal switch interfaces. This figure shows the packet capture points along the packet path in the chassis and in the application:
The capture points are:
The internal switch optionally supports bidirectional (ingress and egress) captures. By default, the internal switch captures packets in the ingress direction.
Firepower 4100/9300 internal switch captures can be configured in FCM under Tools > Packet Capture or in the FXOS CLI under scope packet-capture. For a description of the packet capture options, refer to the Packet Capture section of the Troubleshooting chapter in the Cisco Firepower 4100/9300 FXOS Chassis Manager Configuration Guide or the Cisco Firepower 4100/9300 FXOS CLI Configuration Guide.
These scenarios cover common use cases of Firepower 4100/9300 internal switch captures.
Use FCM and the CLI to configure and verify a packet capture on interface Ethernet1/2 or on interface Portchannel1. For a port-channel interface, make sure that you select all of the physical member interfaces.
Topology, packet flow, and capture points
Configuration
FCM
Follow these steps in FCM to configure a packet capture on interface Ethernet1/2 or Portchannel1:
FXOS CLI
Follow these steps in the FXOS CLI to configure a packet capture on interface Ethernet1/2 or Portchannel1:
firepower# scope ssa
firepower /ssa # show app-instance
App Name Identifier Slot ID Admin State Oper State Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
ftd ftd1 1 Enabled Online 7.2.0.82 7.2.0.82 Native No Not Applicable None
firepower# connect fxos
<output skipped>
firepower(fxos)# show port-channel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
1 Po1(SU) Eth LACP Eth1/4(P) Eth1/5(P)
firepower# scope packet-capture
firepower /packet-capture # create session cap1
firepower /packet-capture/session* # create phy-port Eth1/2
firepower /packet-capture/session/phy-port* # set app ftd
firepower /packet-capture/session/phy-port* # set app-identifier ftd1
firepower /packet-capture/session/phy-port* # up
firepower /packet-capture/session* # enable
firepower /packet-capture/session* # commit
firepower /packet-capture/session #
For a port-channel interface, configure a separate capture for each member interface:
firepower# scope packet-capture
firepower /packet-capture # create session cap1
firepower /packet-capture/session* # create phy-port Eth1/4
firepower /packet-capture/session/phy-port* # set app ftd
firepower /packet-capture/session/phy-port* # set app-identifier ftd1
firepower /packet-capture/session/phy-port* # up
firepower /packet-capture/session* # create phy-port Eth1/5
firepower /packet-capture/session/phy-port* # set app ftd
firepower /packet-capture/session/phy-port* # set app-identifier ftd1
firepower /packet-capture/session/phy-port* # up
firepower /packet-capture/session* # enable
firepower /packet-capture/session* # commit
firepower /packet-capture/session #
Verification
FCM
Verify the interface name, and make sure that the Operational Status is up and that the File Size (in bytes) increases:
Portchannel1 with member interfaces Ethernet1/4 and Ethernet1/5:
FXOS CLI
Verify the capture details in scope packet-capture:
firepower# scope packet-capture
firepower /packet-capture # show session cap1
Traffic Monitoring Session:
Packet Capture Session Name: cap1
Session: 1
Admin State: Enabled
Oper State: Up
Oper State Reason: Active
Config Success: Yes
Config Fail Reason:
Append Flag: Overwrite
Session Mem Usage: 256 MB
Session Pcap Snap Len: 1518 Bytes
Error Code: 0
Drop Count: 0
Physical ports involved in Packet Capture:
Slot Id: 1
Port Id: 2
Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-2-0.pcap
Pcapsize: 75136 bytes
Filter:
Sub Interface: 0
Application Instance Identifier: ftd1
Application Name: ftd
Port-channel 1 with member interfaces Ethernet1/4 and Ethernet1/5:
firepower# scope packet-capture
firepower /packet-capture # show session cap1
Traffic Monitoring Session:
Packet Capture Session Name: cap1
Session: 1
Admin State: Enabled
Oper State: Up
Oper State Reason: Active
Config Success: Yes
Config Fail Reason:
Append Flag: Overwrite
Session Mem Usage: 256 MB
Session Pcap Snap Len: 1518 Bytes
Error Code: 0
Drop Count: 0
Physical ports involved in Packet Capture:
Slot Id: 1
Port Id: 4
Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-4-0.pcap
Pcapsize: 310276 bytes
Filter:
Sub Interface: 0
Application Instance Identifier: ftd1
Application Name: ftd
Slot Id: 1
Port Id: 5
Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-5-0.pcap
Pcapsize: 160 bytes
Filter:
Sub Interface: 0
Application Instance Identifier: ftd1
Application Name: ftd
Collect capture files
Follow the steps in the Collect Firepower 4100/9300 Internal Switch Capture Files section.
Capture file analysis
Open the capture file for Ethernet1/2 with a packet capture file reader application. Select the first packet and check the key points:
Select the second packet and check the key points:
Open the capture files for the Portchannel1 member interfaces. Select the first packet and check the key points:
Select the second packet and check the key points:
Explanation
When a packet capture is configured on a front interface, the switch captures each packet twice at the same time:
In the order of operations, the VN-tag is inserted at a later stage than the port VLAN tag. In the capture file, however, the packet with the VN-tag appears earlier than the packet with the port VLAN tag.
This table summarizes the tasks:
| Task | Capture point | Internal port VLAN in the captured packets | Direction | Captured traffic |
|---|---|---|---|---|
| Configure and verify a packet capture on interface Ethernet1/2 | Ethernet1/2 | 102 | Ingress only | ICMP echo requests from host 192.0.2.100 to host 198.51.100.100 |
| Configure and verify a packet capture on interface Portchannel1 with member interfaces Ethernet1/4 and Ethernet1/5 | Ethernet1/4, Ethernet1/5 | 1001 | Ingress only | ICMP echo requests from host 192.0.2.100 to host 198.51.100.100 |
Use FCM and the CLI to configure and verify a packet capture on the backplane interfaces.
Topology, packet flow, and capture points
Configuration
FCM
Follow these steps in FCM to configure a packet capture on the backplane interfaces:
FXOS CLI
Follow these steps in the FXOS CLI to configure a packet capture on the backplane interfaces:
firepower# scope ssa
firepower /ssa# show app-instance
App Name Identifier Slot ID Admin State Oper State Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
ftd ftd1 1 Enabled Online 7.2.0.82 7.2.0.82 Native No Not Applicable None
firepower# scope packet-capture
firepower /packet-capture # create session cap1
firepower /packet-capture/session* # create phy-port Eth1/9
firepower /packet-capture/session/phy-port* # set app ftd
firepower /packet-capture/session/phy-port* # set app-identifier ftd1
firepower /packet-capture/session/phy-port* # up
firepower /packet-capture/session* # create phy-port Eth1/10
firepower /packet-capture/session/phy-port* # set app ftd
firepower /packet-capture/session/phy-port* # set app-identifier ftd1
firepower /packet-capture/session/phy-port* # up
firepower /packet-capture/session* # enable
firepower /packet-capture/session* # commit
firepower /packet-capture/session #
Verification
FCM
Verify the interface name, and make sure that the Operational Status is up and that the File Size (in bytes) increases:
FXOS CLI
Verify the capture details in scope packet-capture:
firepower# scope packet-capture
firepower /packet-capture # show session cap1
Traffic Monitoring Session:
Packet Capture Session Name: cap1
Session: 1
Admin State: Enabled
Oper State: Up
Oper State Reason: Active
Config Success: Yes
Config Fail Reason:
Append Flag: Overwrite
Session Mem Usage: 256 MB
Session Pcap Snap Len: 1518 Bytes
Error Code: 0
Drop Count: 0
Physical ports involved in Packet Capture:
Slot Id: 1
Port Id: 10
Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-10-0.pcap
Pcapsize: 1017424 bytes
Filter:
Sub Interface: 0
Application Instance Identifier: ftd1
Application Name: ftd
Slot Id: 1
Port Id: 9
Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-9-0.pcap
Pcapsize: 1557432 bytes
Filter:
Sub Interface: 0
Application Instance Identifier: ftd1
Application Name: ftd
Collect capture files
Follow the steps in the Collect Firepower 4100/9300 Internal Switch Capture Files section.
Capture file analysis
Open the capture files with a packet capture file reader application. If there is more than one backplane interface, make sure that you open all of the capture files for every backplane interface. In this case, the packets are captured on backplane interface Ethernet1/9.
Select the first and second packets and check the key points:
Select the third and fourth packets and check the key points:
Explanation
When a packet capture is configured on a backplane interface, the switch captures each packet twice at the same time. In this case, the internal switch receives packets that the application on the security module has already tagged with the port VLAN tag and the VN-tag. The VLAN tag identifies the egress interface that the internal chassis uses to forward the packet to the network. VLAN tag 103 in the ICMP echo request packets identifies Ethernet1/3 as the egress interface, and VLAN tag 102 in the ICMP echo reply packets identifies Ethernet1/2 as the egress interface. Before it forwards a packet to the network, the internal switch removes the VN-tag and the internal interface VLAN tag.
This table summarizes the tasks:
| Task | Capture point | Internal port VLAN in the captured packets | Direction | Captured traffic |
|---|---|---|---|---|
| Configure and verify a packet capture on the backplane interfaces | Backplane interfaces | 102, 103 | Ingress only | ICMP echo requests from host 192.0.2.100 to host 198.51.100.100; ICMP echo replies from host 198.51.100.100 to host 192.0.2.100 |
An application or application-port packet capture is always configured on the backplane interfaces and, depending on the application capture direction that the user specifies, also on the front interface.
There are 2 main use cases:
This section describes both use cases.
Task 1
Use FCM and the CLI to configure and verify a packet capture on the backplane interfaces. Packets for which application port Ethernet1/2 is identified as the egress interface are captured. In this case, ICMP echo replies are captured.
Topology, packet flow, and capture points
Configuration
FCM
Follow these steps in FCM to configure a packet capture on the FTD application and application port Ethernet1/2:
FXOS CLI
Follow these steps in the FXOS CLI to configure a packet capture on the backplane interfaces:
firepower# scope ssa
firepower /ssa# show app-instance
App Name Identifier Slot ID Admin State Oper State Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
ftd ftd1 1 Enabled Online 7.2.0.82 7.2.0.82 Native No Not Applicable None
firepower# scope packet-capture
firepower /packet-capture # create session cap1
firepower /packet-capture/session* # create app-port 1 l12 Ethernet1/2 ftd
firepower /packet-capture/session/app-port* # set app-identifier ftd1
firepower /packet-capture/session/app-port* # set filter ""
firepower /packet-capture/session/app-port* # set subinterface 0
firepower /packet-capture/session/app-port* # up
firepower /packet-capture/session* # commit
firepower /packet-capture/session #
Verification
FCM
Verify the interface name, and make sure that the Operational Status is up and that the File Size (in bytes) increases:
FXOS CLI
Verify the capture details in scope packet-capture:
firepower# scope packet-capture
firepower /packet-capture # show session cap1
Traffic Monitoring Session:
Packet Capture Session Name: cap1
Session: 1
Admin State: Enabled
Oper State: Up
Oper State Reason: Active
Config Success: Yes
Config Fail Reason:
Append Flag: Overwrite
Session Mem Usage: 256 MB
Session Pcap Snap Len: 1518 Bytes
Error Code: 0
Drop Count: 0
Application ports involved in Packet Capture:
Slot Id: 1
Link Name: l12
Port Name: Ethernet1/2
App Name: ftd
Sub Interface: 0
Application Instance Identifier: ftd1
Application ports resolved to:
Name: vnic1
Eq Slot Id: 1
Eq Port Id: 9
Pcapfile: /workspace/packet-capture/session-1/cap1-vethernet-1036.pcap
Pcapsize: 53640 bytes
Vlan: 102
Filter:
Name: vnic2
Eq Slot Id: 1
Eq Port Id: 10
Pcapfile: /workspace/packet-capture/session-1/cap1-vethernet-1175.pcap
Pcapsize: 1824 bytes
Vlan: 102
Filter:
Collect capture files
Follow the steps in the Collect Firepower 4100/9300 Internal Switch Capture Files section.
Capture file analysis
Open the capture files with a packet capture file reader application. If there are multiple backplane interfaces, make sure that you open all of the capture files for every backplane interface. In this case, the packets are captured on backplane interface Ethernet1/9.
Select the first and second packets and check the key points:
Explanation
In this case, Ethernet1/2, with port VLAN tag 102, is the egress interface for the ICMP echo reply packets.
When the application capture direction is set to Egress in the capture options, packets with port VLAN tag 102 in the Ethernet header are captured on the backplane interfaces in the ingress direction.
This table summarizes the tasks:
| Task | Capture point | Internal port VLAN in the captured packets | Direction | Captured traffic |
|---|---|---|---|---|
| Configure and verify a capture on the application and application port Ethernet1/2 | Backplane interfaces | 102 | Ingress only | ICMP echo replies from host 198.51.100.100 to host 192.0.2.100 |
Task 2
Use FCM and the CLI to configure and verify packet captures on the backplane interfaces and on front interface Ethernet1/2.
Packet captures are configured simultaneously on:
Topology, packet flow, and capture points
Configuration
FCM
Follow these steps in FCM to configure a packet capture on the FTD application and application port Ethernet1/2:
FXOS CLI
Follow these steps in the FXOS CLI to configure a packet capture on the backplane interfaces:
firepower# scope ssa
firepower /ssa# show app-instance
App Name Identifier Slot ID Admin State Oper State Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
ftd ftd1 1 Enabled Online 7.2.0.82 7.2.0.82 Native No Not Applicable None
firepower# scope packet-capture
firepower /packet-capture # create session cap1
firepower /packet-capture/session* # create phy-port eth1/2
firepower /packet-capture/session/phy-port* # set app-identifier ftd1
firepower /packet-capture/session/phy-port* # exit
firepower /packet-capture/session* # create app-port 1 link12 Ethernet1/2 ftd
firepower /packet-capture/session/app-port* # set app-identifier ftd1
firepower /packet-capture/session* # enable
firepower /packet-capture/session* # commit
firepower /packet-capture/session # commit
Verification
FCM
Verify the interface name, and make sure that the Operational Status is up and that the File Size (in bytes) increases:
FXOS CLI
Verify the capture details in scope packet-capture:
firepower# scope packet-capture
firepower /packet-capture # show session cap1
Traffic Monitoring Session:
Packet Capture Session Name: cap1
Session: 1
Admin State: Enabled
Oper State: Up
Oper State Reason: Active
Config Success: Yes
Config Fail Reason:
Append Flag: Overwrite
Session Mem Usage: 256 MB
Session Pcap Snap Len: 1518 Bytes
Error Code: 0
Drop Count: 0
Physical ports involved in Packet Capture:
Slot Id: 1
Port Id: 2
Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-2-0.pcap
Pcapsize: 410444 bytes
Filter:
Sub Interface: 0
Application Instance Identifier: ftd1
Application Name: ftd
Application ports involved in Packet Capture:
Slot Id: 1
Link Name: link12
Port Name: Ethernet1/2
App Name: ftd
Sub Interface: 0
Application Instance Identifier: ftd1
Application ports resolved to:
Name: vnic1
Eq Slot Id: 1
Eq Port Id: 9
Pcapfile: /workspace/packet-capture/session-1/cap1-vethernet-1036.pcap
Pcapsize: 128400 bytes
Vlan: 102
Filter:
Name: vnic2
Eq Slot Id: 1
Eq Port Id: 10
Pcapfile: /workspace/packet-capture/session-1/cap1-vethernet-1175.pcap
Pcapsize: 2656 bytes
Vlan: 102
Filter:
Collect capture files
Follow the steps in the Collect Firepower 4100/9300 Internal Switch Capture Files section.
Capture file analysis
Open the capture files with a packet capture file reader application. If there are multiple backplane interfaces, make sure that you open all of the capture files for every backplane interface. In this case, the packets are captured on backplane interface Ethernet1/9.
Open the capture file for interface Ethernet1/2, select the first packet, and check the key points:
Select the second packet and check the key points:
Open the capture file for interface Ethernet1/9, select the first and second packets, and check the key points:
Explanation
When the All Packets option is selected as the application capture direction, 2 simultaneous packet captures related to the selected application port Ethernet1/2 are configured: a capture on front interface Ethernet1/2 and a capture on the selected backplane interfaces.
When a packet capture is configured on a front interface, the switch captures each packet twice at the same time:
In the order of operations, the VN-tag is inserted at a later stage than the port VLAN tag. In the capture file, however, the packet with the VN-tag appears earlier than the packet with the port VLAN tag. In this example, VLAN tag 102 in the ICMP echo request packets identifies Ethernet1/2 as the ingress interface.
When a packet capture is configured on a backplane interface, the switch captures each packet twice at the same time. The internal switch receives packets that the application on the security module has already tagged with the port VLAN tag and the VN-tag. The port VLAN tag identifies the egress interface that the internal chassis uses to forward the packet to the network. In this example, VLAN tag 102 in the ICMP echo reply packets identifies Ethernet1/2 as the egress interface.
Before it forwards a packet to the network, the internal switch removes the VN-tag and the internal interface VLAN tag.
This table summarizes the tasks:
| Task | Capture point | Internal port VLAN in the captured packets | Direction | Captured traffic |
|---|---|---|---|---|
| Configure and verify a capture on the application and application port Ethernet1/2 | Backplane interfaces | 102 | Ingress only | ICMP echo replies from host 198.51.100.100 to host 192.0.2.100 |
| | Interface Ethernet1/2 | 102 | Ingress only | ICMP echo requests from host 192.0.2.100 to host 198.51.100.100 |
Use FCM and the CLI to configure and verify a packet capture on subinterface Ethernet1/2.205 or on port-channel subinterface Portchannel1.207. Subinterfaces, and captures on subinterfaces, are supported only when the FTD application is used in container mode. In this case, packet captures are configured on Ethernet1/2.205 and Portchannel1.207.
Topology, packet flow, and capture points
Configuration
FCM
Follow these steps in FCM to configure a packet capture on the FTD application and application port Ethernet1/2:
3. For port-channel subinterfaces, the subinterfaces are not visible in FCM because of Cisco bug ID CSCvq33119. Use the FXOS CLI to configure captures on port-channel subinterfaces.
FXOS CLI
Follow these steps in the FXOS CLI to configure a packet capture on subinterfaces Ethernet1/2.205 and Portchannel1.207:
firepower# scope ssa
firepower /ssa # show app-instance
App Name Identifier Slot ID Admin State Oper State Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
ftd ftd1 1 Enabled Online 7.2.0.82 7.2.0.82 Container No RP20 Not Applicable None
ftd ftd2 1 Enabled Online 7.2.0.82 7.2.0.82 Container No RP20 Not Applicable None
firepower# connect fxos
<output skipped>
firepower(fxos)# show port-channel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
1 Po1(SU) Eth LACP Eth1/3(P) Eth1/3(P)
firepower# scope packet-capture
firepower /packet-capture # create session cap1
firepower /packet-capture/session* # create phy-port Eth1/2
firepower /packet-capture/session/phy-port* # set app ftd
firepower /packet-capture/session/phy-port* # set app-identifier ftd1
firepower /packet-capture/session/phy-port* # set subinterface 205
firepower /packet-capture/session/phy-port* # up
firepower /packet-capture/session* # enable
firepower /packet-capture/session* # commit
firepower /packet-capture/session #
For a port-channel subinterface, create a packet capture for each port-channel member interface:
firepower# scope packet-capture
firepower /packet-capture # create filter vlan207
firepower /packet-capture/filter* # set ovlan 207
firepower /packet-capture/filter* # up
firepower /packet-capture* # create session cap1
firepower /packet-capture/session* # create phy-port Eth1/3
firepower /packet-capture/session/phy-port* # set app ftd
firepower /packet-capture/session/phy-port* # set app-identifier ftd1
firepower /packet-capture/session/phy-port* # set subinterface 207
firepower /packet-capture/session/phy-port* # up
firepower /packet-capture/session* # create phy-port Eth1/4
firepower /packet-capture/session/phy-port* # set app ftd
firepower /packet-capture/session/phy-port* # set app-identifier ftd1
firepower /packet-capture/session/phy-port* # set subinterface 207
firepower /packet-capture/session/phy-port* # up
firepower /packet-capture/session* # enable
firepower /packet-capture/session* # commit
firepower /packet-capture/session #
Verification
FCM
Verify the interface name, and make sure that the Operational Status is up and that the File Size (in bytes) increases:
Port-channel subinterface captures configured in the FXOS CLI are also visible in FCM; however, these captures cannot be edited there:
FXOS CLI
Verify the capture details in scope packet-capture:
firepower# scope packet-capture
firepower /packet-capture # show session cap1
Traffic Monitoring Session:
Packet Capture Session Name: cap1
Session: 1
Admin State: Enabled
Oper State: Up
Oper State Reason: Active
Config Success: Yes
Config Fail Reason:
Append Flag: Overwrite
Session Mem Usage: 256 MB
Session Pcap Snap Len: 1518 Bytes
Error Code: 0
Drop Count: 0
Physical ports involved in Packet Capture:
Slot Id: 1
Port Id: 2
Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-2-0.pcap
Pcapsize: 9324 bytes
Filter:
Sub Interface: 205
Application Instance Identifier: ftd1
Application Name: ftd
Port-channel 1 with member interfaces Ethernet1/3 and Ethernet1/4:
firepower# scope packet-capture
firepower /packet-capture # show session cap1
Traffic Monitoring Session:
Packet Capture Session Name: cap1
Session: 1
Admin State: Enabled
Oper State: Up
Oper State Reason: Active
Config Success: Yes
Config Fail Reason:
Append Flag: Overwrite
Session Mem Usage: 256 MB
Session Pcap Snap Len: 1518 Bytes
Error Code: 0
Drop Count: 0
Physical ports involved in Packet Capture:
Slot Id: 1
Port Id: 3
Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-3-0.pcap
Pcapsize: 160 bytes
Filter:
Sub Interface: 207
Application Instance Identifier: ftd1
Application Name: ftd
Slot Id: 1
Port Id: 4
Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-4-0.pcap
Pcapsize: 624160 bytes
Filter:
Sub Interface: 207
Application Instance Identifier: ftd1
Application Name: ftd
Collect capture files
Follow the steps in the Collect Firepower 4100/9300 Internal Switch Capture Files section.
Capture file analysis
Open the capture file with a packet capture file reader application. Select the first packet and check the key points:
Select the second packet and check the key points:
Now open the capture files for Portchannel1.207. Select the first packet and check the key points:
Select the second packet and check the key points:
Explanation
When a packet capture is configured on a front interface, the switch captures each packet twice at the same time:
In the order of operations, the VN-tag is inserted at a later stage than the port VLAN tag. In the capture file, however, the packet with the VN-tag appears earlier than the packet with the port VLAN tag. In addition, for subinterfaces, every second packet in the capture file does not contain the port VLAN tag.
This table summarizes the tasks:
| Task | Capture point | Internal port VLAN in the captured packets | Direction | Captured traffic |
|---|---|---|---|---|
| Configure and verify a packet capture on subinterface Ethernet1/2.205 | Ethernet1/2.205 | 102 | Ingress only | ICMP echo requests from host 192.0.2.100 to host 198.51.100.100 |
| Configure and verify a packet capture on the Portchannel1 subinterface with member interfaces Ethernet1/3 and Ethernet1/4 | Ethernet1/3, Ethernet1/4 | 1001 | Ingress only | ICMP echo requests from host 192.168.207.100 to host 192.168.207.102 |
Use FCM and the CLI to configure and verify a packet capture with a filter on interface Ethernet1/2.
Topology, packet flow, and capture points
Configuration
FCM
Follow these steps in FCM to configure a capture filter for ICMP echo request packets from host 192.0.2.100 to host 198.51.100.100 and apply it to a packet capture on interface Ethernet1/2:
Create the capture filter under Tools > Packet Capture > Filter List > Add Filter.
FXOS CLI
Follow these steps in the FXOS CLI to configure a packet capture on the backplane interfaces:
firepower# scope ssa
firepower /ssa# show app-instance
App Name Identifier Slot ID Admin State Oper State Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
ftd ftd1 1 Enabled Online 7.2.0.82 7.2.0.82 Native No Not Applicable None
2. Determine the IP protocol number at https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml. In this case, the ICMP protocol number is 1.
3. Create the capture session:
firepower# scope packet-capture
firepower /packet-capture # create filter filter_icmp
firepower /packet-capture/filter* # set destip 198.51.100.100
firepower /packet-capture/filter* # set protocol 1
firepower /packet-capture/filter* # set srcip 192.0.2.100
firepower /packet-capture/filter* # exit
firepower /packet-capture* # create session cap1
firepower /packet-capture/session* # create phy-port Ethernet1/2
firepower /packet-capture/session/phy-port* # set app ftd
firepower /packet-capture/session/phy-port* # set app-identifier ftd1
firepower /packet-capture/session/phy-port* # set filter filter_icmp
firepower /packet-capture/session/phy-port* # exit
firepower /packet-capture/session* # enable
firepower /packet-capture/session* # commit
firepower /packet-capture/session #
Verification
FCM
Verify the interface name, and make sure that the Operational Status is up and that the File Size (in bytes) increases:
Under Tools > Packet Capture > Capture Session, verify the interface name and the filter, and make sure that the Operational Status is up and that the File Size (bytes) increases:
FXOS CLI
Verify the capture details in scope packet-capture:
firepower# scope packet-capture
firepower /packet-capture # show filter detail
Configure a filter for packet capture:
Name: filter_icmp
Protocol: 1
Ivlan: 0
Ovlan: 0
Src Ip: 192.0.2.100
Dest Ip: 198.51.100.100
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Src Ipv6: ::
Dest Ipv6: ::
firepower /packet-capture # show session cap1
Traffic Monitoring Session:
Packet Capture Session Name: cap1
Session: 1
Admin State: Enabled
Oper State: Up
Oper State Reason: Active
Config Success: Yes
Config Fail Reason:
Append Flag: Overwrite
Session Mem Usage: 256 MB
Session Pcap Snap Len: 1518 Bytes
Error Code: 0
Drop Count: 0
Physical ports involved in Packet Capture:
Slot Id: 1
Port Id: 2
Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-2-0.pcap
Pcapsize: 213784 bytes
Filter: filter_icmp
Sub Interface: 0
Application Instance Identifier: ftd1
Application Name: ftd
Collect capture files
Follow the steps in the Collect Firepower 4100/9300 Internal Switch Capture Files section.
Capture file analysis
Open the capture file with a packet capture file reader application. Select the first packet and check the key points:
Select the second packet and check the key points:
Explanation
When a packet capture is configured on a front interface, the switch captures each packet twice at the same time:
In the order of operations, the VN-tag is inserted at a later stage than the port VLAN tag. In the capture file, however, the packet with the VN-tag appears earlier than the packet with the port VLAN tag.
When a capture filter is applied, only the packets that match the filter in the ingress direction are captured.
This table summarizes the tasks:
| Task | Capture point | Internal port VLAN in the captured packets | Direction | User filter | Captured traffic |
|---|---|---|---|---|---|
| Configure and verify a packet capture with a filter on front interface Ethernet1/2 | Ethernet1/2 | 102 | Ingress only | Protocol: ICMP; Source: 192.0.2.100; Destination: 198.51.100.100 | ICMP echo requests from host 192.0.2.100 to host 198.51.100.100 |
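The following is an added example, not part of the Cisco document, that reads the pcap files the Firepower 4100/9300 internal switch writes: it peels off the 802.1Q port VLAN tag and the VN-tag, pairs the two copies of each packet that a front-interface capture produces, names the interface from the port VLAN (using the VLAN 102 = Ethernet1/2 and VLAN 103 = Ethernet1/3 values from this document's scenarios), and applies the same protocol / srcip / destip semantics as the filter_icmp capture filter above. The VN-tag field layout, the mapping table and the sample capture are assumptions constructed for the example.

```python
import struct
from collections import defaultdict

ETH_VLAN = 0x8100    # 802.1Q port VLAN tag: 2-byte TCI + inner EtherType
ETH_VNTAG = 0x8926   # Cisco VN-tag: 4 bytes of fields + inner EtherType
ETH_IPV4 = 0x0800

# Port VLAN -> front interface, taken from the scenarios in this document
# (VLAN 102 = Ethernet1/2, VLAN 103 = Ethernet1/3); anything else is unknown.
PORT_VLAN_TO_INTERFACE = {102: "Ethernet1/2", 103: "Ethernet1/3"}


def iter_pcap_records(data):
    """Yield raw frames from a classic libpcap file (either byte order)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Peel VLAN / VN-tags off an Ethernet frame; return tags, EtherType, L3 payload."""
    tags, off = [], 12  # skip destination and source MAC
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    while ethertype in (ETH_VLAN, ETH_VNTAG):
        if ethertype == ETH_VLAN:
            tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
            tags.append(("port-vlan", tci & 0x0FFF))
            off += 4
        else:
            fields = struct.unpack("!I", frame[off + 2:off + 6])[0]
            tags.append(("vn-tag", fields & 0x0FFF))  # low 12 bits: source VIF
            off += 6
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return {"tags": tags, "ethertype": ethertype, "payload": frame[off + 2:]}


def ipv4_summary(payload):
    """Return (protocol, src, dst) from an IPv4 header, or None if not IPv4."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return payload[9], dotted(payload[12:16]), dotted(payload[16:20])


def matches_filter(payload, protocol=0, srcip="0.0.0.0", destip="0.0.0.0"):
    """Apply FXOS capture-filter semantics: 0 / 0.0.0.0 in a field means 'any'."""
    info = ipv4_summary(payload)
    if info is None:
        return False
    proto, src, dst = info
    return ((protocol == 0 or proto == protocol)
            and (srcip == "0.0.0.0" or src == srcip)
            and (destip == "0.0.0.0" or dst == destip))


def analyze_capture(data, **capture_filter):
    """Pair the two copies of each packet and name the interface its port VLAN identifies."""
    groups = defaultdict(lambda: {"copies": 0, "port_vlan": None,
                                  "interface": None, "vn_tag": None})
    for frame in iter_pcap_records(data):
        p = parse_frame(frame)
        if p["ethertype"] != ETH_IPV4 or not matches_filter(p["payload"], **capture_filter):
            continue
        g = groups[p["payload"]]  # identical L3 payload => same packet, captured twice
        g["copies"] += 1
        for kind, value in p["tags"]:
            if kind == "port-vlan":
                g["port_vlan"] = value
                g["interface"] = PORT_VLAN_TO_INTERFACE.get(value, "unknown")
            else:
                g["vn_tag"] = value
    return list(groups.values())


def _ipv4(proto, src, dst, l4):
    """Constructed IPv4 packet (checksum left 0; not needed for parsing)."""
    a = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                       proto, 0, a(src), a(dst)) + l4


def build_sample_pcap():
    """Constructed sample: one ICMP echo request seen twice on Ethernet1/2
    (VN-tagged copy first, port-VLAN 102 copy second) and one TCP segment."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    icmp = _ipv4(1, "192.0.2.100", "198.51.100.100", b"\x08\x00\x00\x00\x00\x01\x00\x01")
    tcp = _ipv4(6, "192.0.2.100", "198.51.100.100", b"\x00" * 20)
    vn = struct.pack("!HIH", ETH_VNTAG, 0x00000001, ETH_IPV4)  # source VIF 1 (constructed)
    vlan = struct.pack("!HHH", ETH_VLAN, 102, ETH_IPV4)        # port VLAN 102 = Ethernet1/2
    frames = [macs + vn + icmp, macs + vlan + icmp, macs + vlan + tcp]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for g in analyze_capture(build_sample_pcap()):
        print(g)
    print(analyze_capture(build_sample_pcap(), protocol=1, srcip="192.0.2.100",
                          destip="198.51.100.100"))
```

Point `analyze_capture` at the bytes of a downloaded cap1-ethernet-1-2-0.pcap to get one entry per distinct packet with the number of copies seen and the interface its port VLAN tag identifies.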
FCM
Follow these steps in FCM to collect the internal switch capture files:
For a port-channel interface, repeat this step for each member interface.
FXOS CLI
Follow these steps in the FXOS CLI to collect the capture files:
firepower# scope packet-capture
firepower /packet-capture # scope session cap1
firepower /packet-capture/session # disable
firepower /packet-capture/session* # commit
firepower /packet-capture/session # up
firepower /packet-capture # show session cap1 detail
Traffic Monitoring Session:
Packet Capture Session Name: cap1
Session: 1
Admin State: Disabled
Oper State: Down
Oper State Reason: Admin Disable
Config Success: Yes
Config Fail Reason:
Append Flag: Overwrite
Session Mem Usage: 256 MB
Session Pcap Snap Len: 1518 Bytes
Error Code: 0
Drop Count: 0
Physical ports involved in Packet Capture:
Slot Id: 1
Port Id: 2
Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-2-0.pcap
Pcapsize: 115744 bytes
Filter:
Sub Interface: 0
Application Instance Identifier: ftd1
Application Name: ftd
firepower# connect local-mgmt
firepower(local-mgmt)# copy /packet-capture/session-1/cap1-ethernet-1-2-0.pcap ?
ftp: Dest File URI
http: Dest File URI
https: Dest File URI
scp: Dest File URI
sftp: Dest File URI
tftp: Dest File URI
usbdrive: Dest File URI
volatile: Dest File URI
workspace: Dest File URI
firepower(local-mgmt)# copy /packet-capture/session-1/cap1-ethernet-1-2-0.pcap ftp://ftpuser@10.10.10.1/cap1-ethernet-1-2-0.pcap
Password:
For a port-channel interface, copy the capture file of each member interface.
For guidelines and limitations related to Firepower 4100/9300 internal switch captures, refer to the Packet Capture section of the Troubleshooting chapter in the Cisco Firepower 4100/9300 FXOS Chassis Manager Configuration Guide or the Cisco Firepower 4100/9300 FXOS CLI Configuration Guide.
This is a list of best practices based on the use of packet captures in TAC cases:
Unlike on the Firepower 4100/9300, internal switch captures on the Secure Firewall 3100/4200 are configured in the application command-line interface with the capture <name> switch command, where the switch option specifies that the capture is configured on the internal switch.
This is the capture command with the switch option:
> capture cap_sw switch ?
buffer Configure size of capture buffer, default is 256MB
ethernet-type Capture Ethernet packets of a particular type, default is IP
interface Capture packets on a specific interface
ivlan Inner Vlan
match Capture packets based on match criteria
ovlan Outer Vlan
packet-length Configure maximum length to save from each packet, default is
64 bytes
real-time Display captured packets in real-time. Warning: using this
option with a slow console connection may result in an
excessive amount of non-displayed packets due to performance
limitations.
stop Stop packet capture
trace Trace the captured packets
type Capture packets based on a particular type
<cr>
The general steps for packet capture configuration are:
The switch capture configuration accepts the nameif of an ingress interface. The user can specify a data interface name, an internal uplink, or the management interface:
> capture capsw switch interface ?
Available interfaces to listen:
in_data_uplink1 Capture packets on internal data uplink1 interface
in_mgmt_uplink1 Capture packets on internal mgmt uplink1 interface
inside Name of interface Ethernet1/1.205
management Name of interface Management1/1
The Secure Firewall 4200 supports bidirectional captures. Unless otherwise specified, the default is ingress:
> capture capi switch interface inside direction
both To capture switch bi-directional traffic
egress To capture switch egressing traffic
ingress To capture switch ingressing traffic
In addition, the Secure Firewall 4245 has 2 internal data uplink interfaces and 2 management uplink interfaces:
> capture capsw switch interface
eventing Name of interface Management1/2
in_data_uplink1 Capture packets on internal data uplink1 interface
in_data_uplink2 Capture packets on internal data uplink2 interface
in_mgmt_uplink1 Capture packets on internal mgmt uplink1 interface
in_mgmt_uplink2 Capture packets on internal mgmt uplink2 interface
management Name of interface Management1/1
> capture capsw switch interface inside ethernet-type ?
802.1Q
<0-65535> Ethernet type
arp
ip
ip6
pppoed
pppoes
rarp
sgt
vlan
> capture capsw switch interface inside match ?
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
mac Mac-address filter
nos
ospf
pcp
pim
pptp
sctp
snp
spi SPI value
tcp
udp
<cr>
> capture capsw switch interface inside match ip
> no capture capsw switch stop
> show capture capsw
27 packet captured on disk using switch capture
Reading of capture file from disk is not supported
> show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: enabled
Oper State: up
Oper State Reason: Active
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 1
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
Pcapsize: 18838
Filter: capsw-1-1
Packet Capture Filter Info
Name: capsw-1-1
Protocol: 0
Ivlan: 0
Ovlan: 205
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
0 packet captured on disk using switch capture
Reading of capture file from disk is not supported
> capture capsw switch stop
> show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: disabled
Oper State: down
Oper State Reason: Session_Admin_Shut
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 1
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
Pcapsize: 24
Filter: capsw-1-1
Packet Capture Filter Info
Name: capsw-1-1
Protocol: 0
Ivlan: 0
Ovlan: 205
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
0 packet captured on disk using switch capture
Reading of capture file from disk is not supported
8. Collect the capture files. Follow the steps in the Collect Secure Firewall Internal Switch Capture Files section.
In Secure Firewall software version 7.4, internal switch capture configuration is not supported in FMC or FDM. In ASA software version 9.18(1) and later, internal switch captures can be configured in ASDM version 7.18.1.x and later.
These scenarios cover common use cases of Secure Firewall 3100/4200 internal switch captures.
Use the FTD or ASA CLI to configure and verify a packet capture on interface Ethernet1/1 or on interface Portchannel1. Both interfaces have the nameif inside.
Topology, packet flow, and capture points
Secure Firewall 3100:
Secure Firewall 4200 with bidirectional capture:
Configuration
Follow these steps in the ASA or FTD CLI to configure a packet capture on interface Ethernet1/1 or Port-channel1:
> show nameif
Interface Name Security
Ethernet1/1 inside 0
Ethernet1/2 outside 0
Management1/1 diagnostic 0
> show nameif
Interface Name Security
Port-channel1 inside 0
Ethernet1/2 outside 0
Management1/1 diagnostic 0
> capture capsw switch interface inside
The Secure Firewall 4200 supports capture directionality:
> capture capsw switch interface inside direction ?
both To capture switch bi-directional traffic
egress To capture switch egressing traffic
ingress To capture switch ingressing traffic
> capture capsw switch interface inside direction both
> no capture capsw switch stop
Verification
Verify the capture session name, the admin and operational states, and the interface slot and identifier. Make sure that the Pcapsize value (in bytes) increases and that the number of captured packets is non-zero:
> show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: enabled
Oper State: up
Oper State Reason: Active
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 1
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
Pcapsize: 12653
Filter: capsw-1-1
Packet Capture Filter Info
Name: capsw-1-1
Protocol: 0
Ivlan: 0
Ovlan: 0
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
79 packets captured on disk using switch capture
Reading of capture file from disk is not supported
Secure Firewall 4200 (note the additional Direction and Drop fields):
> show cap capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: enabled
Oper State: up
Oper State Reason: Active
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 1
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
Pcapsize: 0
Direction: both
Drop: disable
Filter: capsw-1-1
Packet Capture Filter Info
Name: capsw-1-1
Protocol: 0
Ivlan: 0
Ovlan: 0
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
33 packet captured on disk using switch capture
Reading of capture file from disk is not supported
For Port-channel1, the capture is configured on all member interfaces, and a separate capture file is written for each member port:
> show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: enabled
Oper State: up
Oper State Reason: Active
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 2
Physical port:
Slot Id: 1
Port Id: 4
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-4-0.pcap
Pcapsize: 28824
Filter: capsw-1-4
Packet Capture Filter Info
Name: capsw-1-4
Protocol: 0
Ivlan: 0
Ovlan: 0
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Physical port:
Slot Id: 1
Port Id: 3
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-3-0.pcap
Pcapsize: 18399
Filter: capsw-1-3
Packet Capture Filter Info
Name: capsw-1-3
Protocol: 0
Ivlan: 0
Ovlan: 0
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
56 packet captured on disk using switch capture
Reading of capture file from disk is not supported
The port-channel member interfaces can be verified with the show portchannel summary command in the FXOS local-mgmt command shell:
> connect fxos
…
firewall# connect local-mgmt
firewall(local-mgmt)# show portchannel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
-------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
1 Po1(U) Eth LACP Eth1/3(P) Eth1/4(P)
LACP KeepAlive Timer:
--------------------------------------------------------------------------------
Channel PeerKeepAliveTimerFast
--------------------------------------------------------------------------------
1 Po1(U) False
Cluster LACP Status:
--------------------------------------------------------------------------------
Channel ClusterSpanned ClusterDetach ClusterUnitID ClusterSysID
--------------------------------------------------------------------------------
1 Po1(U) False False 0 clust
To access FXOS on the ASA, run the connect fxos admin command. In multi-context mode, run the command in the admin context.
Collect capture files
Perform the steps in the Collect Secure Firewall Internal Switch Capture Files section.
Capture file analysis
Open the capture file for Ethernet1/1 with a packet capture file reader application. In this example, the packets captured on Secure Firewall 3100 are analyzed. Select the first packet and check the key points (an untagged ICMP echo request from host 192.0.2.100 to host 198.51.100.100):
Open the capture files for the Port-channel1 member interfaces. Select the first packet and check the key points:
Explanation
The switch capture is configured on interface Ethernet1/1 or Port-channel1.
This table summarizes the tasks:
Task | Capture point | Internal filter | Direction | Captured traffic
---|---|---|---|---
Configure and verify a packet capture on interface Ethernet1/1 | Ethernet1/1 | None | Ingress only* | ICMP echo requests from host 192.0.2.100 to host 198.51.100.100
Configure and verify a packet capture on interface Port-channel1 with member interfaces Ethernet1/3 and Ethernet1/4 | Ethernet1/3, Ethernet1/4 | None | Ingress only* | ICMP echo requests from host 192.0.2.100 to host 198.51.100.100

* Unlike the 3100, Secure Firewall 4200 supports bidirectional (ingress and egress) capture.
Use the FTD or ASA CLI to configure and verify a packet capture on subinterface Ethernet1/1.205 or Port-channel1.205. Both subinterfaces have the nameif inside.
Topology, packet flow and capture points
Secure Firewall 3100:
Secure Firewall 4200:
Configuration
Perform these steps on the ASA or FTD CLI to configure a packet capture on subinterface Ethernet1/1.205 or Port-channel1.205:
> show nameif
Interface Name Security
Ethernet1/1.205 inside 0
Ethernet1/2 outside 0
Management1/1 diagnostic 0
> show nameif
Interface Name Security
Port-channel1.205 inside 0
Ethernet1/2 outside 0
Management1/1 diagnostic 0
> capture capsw switch interface inside
Secure Firewall 4200 additionally supports a capture direction:
> capture capsw switch interface inside direction ?
both To capture switch bi-directional traffic
egress To capture switch egressing traffic
ingress To capture switch ingressing traffic
> capture capsw switch interface inside direction both
3. Enable the capture session:
> no capture capsw switch stop
Verification
Verify the capture session name, the admin and operational state, and the interface slot and port ID. Ensure that the Pcapsize value (in bytes) increases and that the number of captured packets is non-zero:
> show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: enabled
Oper State: up
Oper State Reason: Active
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 1
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
Pcapsize: 6360
Filter: capsw-1-1
Packet Capture Filter Info
Name: capsw-1-1
Protocol: 0
Ivlan: 0
Ovlan: 205
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
46 packets captured on disk using switch capture
Reading of capture file from disk is not supported
In this case, a filter with outer VLAN Ovlan=205 is created and applied to the interface. The capture point is still the physical port (Slot Id 1, Port Id 1); the filter restricts the capture to frames tagged with VLAN 205.
For Port-channel1, the capture with the Ovlan=205 filter is configured on all member interfaces:
> show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: enabled
Oper State: up
Oper State Reason: Active
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 2
Physical port:
Slot Id: 1
Port Id: 4
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-4-0.pcap
Pcapsize: 23442
Filter: capsw-1-4
Packet Capture Filter Info
Name: capsw-1-4
Protocol: 0
Ivlan: 0
Ovlan: 205
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Physical port:
Slot Id: 1
Port Id: 3
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-3-0.pcap
Pcapsize: 5600
Filter: capsw-1-3
Packet Capture Filter Info
Name: capsw-1-3
Protocol: 0
Ivlan: 0
Ovlan: 205
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
49 packet captured on disk using switch capture
Reading of capture file from disk is not supported
The port-channel member interfaces can be verified with the show portchannel summary command in the FXOS local-mgmt command shell:
> connect fxos
…
firewall# connect local-mgmt
firewall(local-mgmt)# show portchannel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
-------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
1 Po1(U) Eth LACP Eth1/3(P) Eth1/4(P)
LACP KeepAlive Timer:
--------------------------------------------------------------------------------
Channel PeerKeepAliveTimerFast
--------------------------------------------------------------------------------
1 Po1(U) False
Cluster LACP Status:
--------------------------------------------------------------------------------
Channel ClusterSpanned ClusterDetach ClusterUnitID ClusterSysID
--------------------------------------------------------------------------------
1 Po1(U) False False 0 clust
To access FXOS on the ASA, run the connect fxos admin command. In multi-context mode, run the command in the admin context.
Collect capture files
Perform the steps in the Collect Secure Firewall Internal Switch Capture Files section.
Capture file analysis
Open the capture file for Ethernet1/1.205 with a packet capture file reader application. In this example, the packets captured on Secure Firewall 3100 are analyzed. Select the first packet and check the key points (the 802.1Q tag with VLAN ID 205 and the ICMP echo request from host 192.0.2.100 to host 198.51.100.100):
Open the capture files for the Port-channel1 member interfaces. Select the first packet and check the key points:
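The screenshots that the original article uses for the key points are not reproduced here. As an added example that is not part of the Cisco article, the following Python decodes the frames of a switch capture file and returns the fields worth checking for both the Ethernet1/1 and the Ethernet1/1.205 cases: whether the frame carries an 802.1Q tag (none on the physical-interface capture, VLAN ID 205 on the subinterface capture), the EtherType, the IPv4 addresses, the IP protocol and the ICMP type. The two sample frames embedded in the block are constructed to resemble the ICMP echo request from 192.0.2.100 to 198.51.100.100 described in the text; the MAC addresses, the zeroed checksums, the pcap writer and the assumption that the device writes classic little-endian libpcap files are all mine, not statements from the article.

```python
import struct
from typing import Any, Dict, Iterator, List, Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1

# Classic libpcap layout, little-endian (magic 0xa1b2c3d4): a 24-byte global
# header followed by a 16-byte record header before every frame (assumption).
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")
PCAP_REC_HDR = struct.Struct("<IIII")


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield the raw bytes of every frame stored in a pcap buffer."""
    magic = PCAP_GLOBAL_HDR.unpack_from(data, 0)[0]
    if magic != 0xA1B2C3D4:
        raise ValueError("unexpected pcap magic 0x%08x" % magic)
    offset = PCAP_GLOBAL_HDR.size
    while offset + PCAP_REC_HDR.size <= len(data):
        incl_len = PCAP_REC_HDR.unpack_from(data, offset)[2]
        offset += PCAP_REC_HDR.size
        yield data[offset:offset + incl_len]
        offset += incl_len


def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Decode the Ethernet, optional 802.1Q, IPv4 and ICMP headers of one frame."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    info: Dict[str, Any] = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "vlan": None}
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        info["vlan"] = tci & 0x0FFF          # the VLAN ID is the low 12 bits of the TCI
        offset += 4
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4:
        ihl = (frame[offset] & 0x0F) * 4
        info["ip_proto"] = frame[offset + 9]
        info["src_ip"] = ".".join(str(b) for b in frame[offset + 12:offset + 16])
        info["dst_ip"] = ".".join(str(b) for b in frame[offset + 16:offset + 20])
        if info["ip_proto"] == IPPROTO_ICMP:
            info["icmp_type"] = frame[offset + ihl]   # 8 = echo request, 0 = echo reply
    return info


def build_icmp_echo_request(src_ip: str, dst_ip: str, tci: Optional[int] = None) -> bytes:
    """Constructed sample frame: made-up MAC addresses, checksums left at zero.
    tci is the full 802.1Q TCI; with priority bits 0 it equals the VLAN ID."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if tci is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + ip + icmp


def build_pcap(frames: List[bytes]) -> bytes:
    """Write frames into a pcap buffer (snaplen 1518 as in the show output, linktype 1 = Ethernet)."""
    out = PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 1518, 1)
    for i, frame in enumerate(frames):
        out += PCAP_REC_HDR.pack(i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture: first the untagged frame as seen on the Ethernet1/1
# capture, then the 802.1Q-tagged frame as seen on the Ethernet1/1.205 capture.
SAMPLE_PCAP = build_pcap([
    build_icmp_echo_request("192.0.2.100", "198.51.100.100"),
    build_icmp_echo_request("192.0.2.100", "198.51.100.100", tci=205),
])


def summarize(pcap_bytes: bytes) -> List[Dict[str, Any]]:
    """Decode every frame of a capture file; the returned fields are the key points to check."""
    return [decode_frame(frame) for frame in iter_pcap_frames(pcap_bytes)]


if __name__ == "__main__":
    for number, info in enumerate(summarize(SAMPLE_PCAP), 1):
        print(number, info)
```

Run it against a file copied off the device by replacing SAMPLE_PCAP with the file contents. A frame from the Ethernet1/1 capture should show vlan None, while every frame from the Ethernet1/1.205 or Port-channel1.205 member-port captures should show vlan 205, because the device programmed the Ovlan=205 filter shown in the verification output.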
Explanation
The switch capture is configured on subinterface Ethernet1/1.205 or Port-channel1.205 with a filter that matches outer VLAN 205.
This table summarizes the tasks:
Task | Capture point | Internal filter | Direction | Captured traffic
---|---|---|---|---
Configure and verify a packet capture on subinterface Ethernet1/1.205 | Ethernet1/1 | Outer VLAN 205 | Ingress only* | ICMP echo requests from host 192.0.2.100 to host 198.51.100.100
Configure and verify a packet capture on subinterface Port-channel1.205 with member interfaces Ethernet1/3 and Ethernet1/4 | Ethernet1/3, Ethernet1/4 | Outer VLAN 205 | Ingress only* | ICMP echo requests from host 192.0.2.100 to host 198.51.100.100

* Unlike the 3100, Secure Firewall 4200 supports bidirectional (ingress and egress) capture.
Secure Firewall 3100 has 2 internal interfaces:
Secure Firewall 4200 has up to 4 internal interfaces:
Task 1
Use the FTD or ASA CLI to configure and verify a packet capture on the uplink interface in_data_uplink1.
Topology, packet flow and capture points
Secure Firewall 3100:
Secure Firewall 4200:
Configuration
Perform these steps on the ASA or FTD CLI to configure a packet capture on the in_data_uplink1 interface:
> capture capsw switch interface in_data_uplink1
Secure Firewall 4200 additionally supports a capture direction:
> capture capsw switch interface in_data_uplink1 direction ?
both To capture switch bi-directional traffic
egress To capture switch egressing traffic
ingress To capture switch ingressing traffic
> capture capsw switch interface in_data_uplink1 direction both
2. Enable the capture session:
> no capture capsw switch stop
Verification
Verify the capture session name, the admin and operational state, and the interface slot and port ID. Ensure that the Pcapsize value (in bytes) increases and that the number of captured packets is non-zero:
> show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: enabled
Oper State: up
Oper State Reason: Active
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 18
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-data-uplink1.pcap
Pcapsize: 7704
Filter: capsw-1-18
Packet Capture Filter Info
Name: capsw-1-18
Protocol: 0
Ivlan: 0
Ovlan: 0
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
66 packets captured on disk using switch capture
Reading of capture file from disk is not supported
In this case, the capture is created on the interface with internal ID 18, which is the in_data_uplink1 interface on Secure Firewall 3130. The show portmanager switch status command in the FXOS local-mgmt command shell displays the interface IDs; Port Id 18 in the capture output corresponds to Dev/Port 0/18 below:
> connect fxos
…
firewall# connect local-mgmt
firewall(local-mgmt)# show portmanager switch status
Dev/Port Mode Link Speed Duplex Loopback Mode Port Manager
--------- ---------------- ----- ----- ------ ------------- ------------
0/1 SGMII Up 1G Full None Link-Up
0/2 SGMII Up 1G Full None Link-Up
0/3 SGMII Up 1G Full None Link-Up
0/4 SGMII Up 1G Full None Link-Up
0/5 SGMII Down 1G Half None Mac-Link-Down
0/6 SGMII Down 1G Half None Mac-Link-Down
0/7 SGMII Down 1G Half None Mac-Link-Down
0/8 SGMII Down 1G Half None Mac-Link-Down
0/9 1000_BaseX Down 1G Full None Link-Down
0/10 1000_BaseX Down 1G Full None Link-Down
0/11 1000_BaseX Down 1G Full None Link-Down
0/12 1000_BaseX Down 1G Full None Link-Down
0/13 1000_BaseX Down 1G Full None Link-Down
0/14 1000_BaseX Down 1G Full None Link-Down
0/15 1000_BaseX Down 1G Full None Link-Down
0/16 1000_BaseX Down 1G Full None Link-Down
0/17 1000_BaseX Up 1G Full None Link-Up
0/18 KR2 Up 50G Full None Link-Up
0/19 KR Up 25G Full None Link-Up
0/20 KR Up 25G Full None Link-Up
0/21 KR4 Down 40G Full None Link-Down
0/22 n/a Down n/a Full N/A Reset
0/23 n/a Down n/a Full N/A Reset
0/24 n/a Down n/a Full N/A Reset
0/25 1000_BaseX Down 1G Full None Link-Down
0/26 n/a Down n/a Full N/A Reset
0/27 n/a Down n/a Full N/A Reset
0/28 n/a Down n/a Full N/A Reset
0/29 1000_BaseX Down 1G Full None Link-Down
0/30 n/a Down n/a Full N/A Reset
0/31 n/a Down n/a Full N/A Reset
0/32 n/a Down n/a Full N/A Reset
0/33 1000_BaseX Down 1G Full None Link-Down
0/34 n/a Down n/a Full N/A Reset
0/35 n/a Down n/a Full N/A Reset
0/36 n/a Down n/a Full N/A Reset
To access FXOS on the ASA, run the connect fxos admin command. In multi-context mode, run the command in the admin context.
Collect capture files
Perform the steps in the Collect Secure Firewall Internal Switch Capture Files section.
Capture file analysis
Open the capture file for interface in_data_uplink1 with a packet capture file reader application. In this example, the packets captured on Secure Firewall 3100 are analyzed.
Check the key points. In this case, both ICMP echo request and ICMP echo reply packets are captured. These are the packets sent from the application to the internal switch.
Explanation
When a switch capture is configured on an uplink interface of the Secure Firewall 3100, only the packets sent from the application to the internal switch are captured. Packets sent from the internal switch to the application are not captured. See the note below the table for the Secure Firewall 4200.
This table summarizes the tasks:
Task | Capture point | Internal filter | Direction | Captured traffic
---|---|---|---|---
Configure and verify a packet capture on the in_data_uplink1 uplink interface | in_data_uplink1 | None | Ingress only* | ICMP echo requests from host 192.0.2.100 to host 198.51.100.100; ICMP echo replies from host 198.51.100.100 to host 192.0.2.100

* Unlike the 3100, Secure Firewall 4200 supports bidirectional (ingress and egress) capture.
Task 2
Use the FTD or ASA CLI to configure and verify a packet capture on the uplink interface in_mgmt_uplink1. Only packets of management-plane connections are captured.
Topology, packet flow and capture points
Secure Firewall 3100:
Secure Firewall 4200:
Configuration
Perform these steps on the ASA or FTD CLI to configure a packet capture on the in_mgmt_uplink1 interface:
> capture capsw switch interface in_mgmt_uplink1 direction ?
both To capture switch bi-directional traffic
egress To capture switch egressing traffic
ingress To capture switch ingressing traffic
> capture capsw switch interface in_mgmt_uplink1 direction both
2. Enable the capture session:
> no capture capsw switch stop
Verification
Verify the capture session name, the admin and operational state, and the interface slot and port ID. Ensure that the Pcapsize value (in bytes) increases and that the number of captured packets is non-zero:
> show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: enabled
Oper State: up
Oper State Reason: Active
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 19
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-mgmt-uplink1.pcap
Pcapsize: 137248
Filter: capsw-1-19
Packet Capture Filter Info
Name: capsw-1-19
Protocol: 0
Ivlan: 0
Ovlan: 0
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
281 packets captured on disk using switch capture
Reading of capture file from disk is not supported
In this case, the capture is created on the interface with internal ID 19, which is the in_mgmt_uplink1 interface on Secure Firewall 3130. The show portmanager switch status command in the FXOS local-mgmt command shell displays the interface IDs; Port Id 19 in the capture output corresponds to Dev/Port 0/19 below:
> connect fxos
…
firewall# connect local-mgmt
firewall(local-mgmt)# show portmanager switch status
Dev/Port Mode Link Speed Duplex Loopback Mode Port Manager
--------- ---------------- ----- ----- ------ ------------- ------------
0/1 SGMII Up 1G Full None Link-Up
0/2 SGMII Up 1G Full None Link-Up
0/3 SGMII Up 1G Full None Link-Up
0/4 SGMII Up 1G Full None Link-Up
0/5 SGMII Down 1G Half None Mac-Link-Down
0/6 SGMII Down 1G Half None Mac-Link-Down
0/7 SGMII Down 1G Half None Mac-Link-Down
0/8 SGMII Down 1G Half None Mac-Link-Down
0/9 1000_BaseX Down 1G Full None Link-Down
0/10 1000_BaseX Down 1G Full None Link-Down
0/11 1000_BaseX Down 1G Full None Link-Down
0/12 1000_BaseX Down 1G Full None Link-Down
0/13 1000_BaseX Down 1G Full None Link-Down
0/14 1000_BaseX Down 1G Full None Link-Down
0/15 1000_BaseX Down 1G Full None Link-Down
0/16 1000_BaseX Down 1G Full None Link-Down
0/17 1000_BaseX Up 1G Full None Link-Up
0/18 KR2 Up 50G Full None Link-Up
0/19 KR Up 25G Full None Link-Up
0/20 KR Up 25G Full None Link-Up
0/21 KR4 Down 40G Full None Link-Down
0/22 n/a Down n/a Full N/A Reset
0/23 n/a Down n/a Full N/A Reset
0/24 n/a Down n/a Full N/A Reset
0/25 1000_BaseX Down 1G Full None Link-Down
0/26 n/a Down n/a Full N/A Reset
0/27 n/a Down n/a Full N/A Reset
0/28 n/a Down n/a Full N/A Reset
0/29 1000_BaseX Down 1G Full None Link-Down
0/30 n/a Down n/a Full N/A Reset
0/31 n/a Down n/a Full N/A Reset
0/32 n/a Down n/a Full N/A Reset
0/33 1000_BaseX Down 1G Full None Link-Down
0/34 n/a Down n/a Full N/A Reset
0/35 n/a Down n/a Full N/A Reset
0/36 n/a Down n/a Full N/A Reset
To access FXOS on the ASA, run the connect fxos admin command. In multi-context mode, run the command in the admin context.
Collect capture files
Perform the steps in the Collect Secure Firewall Internal Switch Capture Files section.
Capture file analysis
Open the capture file for interface in_mgmt_uplink1 with a packet capture file reader application. In this example, the packets captured on Secure Firewall 3100 are analyzed.
Check the key points. In this case, only packets sourced from the management IP address 192.0.2.200 are present, for example SSH, sftunnel or ICMP echo reply packets. These packets are sent from the application management interface through the internal switch to the network.
Explanation
When a switch capture is configured on the management uplink interface of the Secure Firewall 3100, only the ingress packets sent from the application management interface are captured. Packets destined to the application management interface are not captured. See the note below the table for the Secure Firewall 4200.
This table summarizes the tasks:
Task | Capture point | Internal filter | Direction | Captured traffic
---|---|---|---|---
Configure and verify a packet capture on the management uplink interface | in_mgmt_uplink1 | None | Ingress only* (from the management interface through the internal switch to the network) | ICMP echo replies from the FTD management IP address 192.0.2.200 to host 192.0.2.100; sftunnel from the FTD management IP address 192.0.2.200 to the FMC IP address 192.0.2.101; SSH from the FTD management IP address 192.0.2.200 to host 192.0.2.100

* Unlike the 3100, Secure Firewall 4200 supports bidirectional (ingress and egress) capture.
Internal switch packet capture filters are configured the same way as data plane capture filters, with the ethernet-type and match options.
Configuration
Perform these steps on the ASA or FTD CLI to configure a packet capture on interface Ethernet1/1 with a filter that matches either ARP frames or ICMP packets from host 198.51.100.100. Each of the two capture commands below defines its own filter for the capture capsw; the two verification outputs that follow show the filter programmed by each:
> show nameif
Interface Name Security
Ethernet1/1 inside 0
Ethernet1/2 outside 0
Management1/1 diagnostic 0
> capture capsw switch interface inside ethernet-type arp
> capture capsw switch interface inside match icmp 198.51.100.100
Verification
Verify the capture session name and the filter. The Ethertype value 2054 in decimal is 0x0806 in hexadecimal, the EtherType of ARP:
> show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: disabled
Oper State: down
Oper State Reason: Session_Admin_Shut
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 1
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
Pcapsize: 0
Filter: capsw-1-1
Packet Capture Filter Info
Name: capsw-1-1
Protocol: 0
Ivlan: 0
Ovlan: 0
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 2054
Total Physical breakout ports involved in Packet Capture: 0
0 packet captured on disk using switch capture
Reading of capture file from disk is not supported
This is the verification of the ICMP filter. IP protocol 1 is ICMP, and the source IP address 198.51.100.100 is set; all other filter fields remain unset:
> show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: disabled
Oper State: down
Oper State Reason: Session_Admin_Shut
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 1
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
Pcapsize: 0
Filter: capsw-1-1
Packet Capture Filter Info
Name: capsw-1-1
Protocol: 1
Ivlan: 0
Ovlan: 0
Src Ip: 198.51.100.100
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
0 packets captured on disk using switch capture
Reading of capture file from disk is not supported
Use the ASA or FTD CLI to collect the internal switch capture files. Because the device cannot display the contents of a switch capture file (Reading of capture file from disk is not supported), the file must be copied off the device for analysis. Stop the capture session before copying the file. On FTD, the capture file can be exported with the copy command of the CLI to a destination reachable through the data or diagnostic interface.
Alternatively, you can copy the file to /ngfw/var/common in expert mode and then download it from the FMC through the File Download option.
For port-channel interfaces, make sure to collect the packet capture files from all member interfaces.
ASA
Perform these steps on the ASA CLI to collect the internal switch capture files:
asa# capture capsw switch stop
asa# show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: disabled
Oper State: down
Oper State Reason: Session_Admin_Shut
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 1
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
Pcapsize: 139826
Filter: capsw-1-1
Packet Capture Filter Info
Name: capsw-1-1
Protocol: 0
Ivlan: 0
Ovlan: 0
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
886 packets captured on disk using switch capture
Reading of capture file from disk is not supported
Use the copy command of the CLI to export the file to a remote destination. The number of bytes copied must equal the Pcapsize value shown above:
asa# copy flash:/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap ?
cluster: Copy to cluster: file system
disk0: Copy to disk0: file system
disk1: Copy to disk1: file system
flash: Copy to flash: file system
ftp: Copy to ftp: file system
running-config Update (merge with) current system configuration
scp: Copy to scp: file system
smb: Copy to smb: file system
startup-config Copy to startup configuration
system: Copy to system: file system
tftp: Copy to tftp: file system
asa# copy flash:/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap tftp://198.51.100.10/
Source filename [/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap]?
Destination filename [sess-1-capsw-ethernet-1-1-0.pcap]?
Copy in progress...C
139826 bytes copied in 0.532 secs
FTD
Perform these steps on the FTD CLI to collect the internal switch capture files and copy them to a server reachable through the data or diagnostic interface:
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Click 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> enable
Password: <-- press Enter
firepower#
firepower# capture capsw switch stop
firepower# show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: disabled
Oper State: down
Oper State Reason: Session_Admin_Shut
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 1
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
Pcapsize: 139826
Filter: capsw-1-1
Packet Capture Filter Info
Name: capsw-1-1
Protocol: 0
Ivlan: 0
Ovlan: 0
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
886 packets captured on disk using switch capture
Reading of capture file from disk is not supported
firepower# copy flash:/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap ?
cluster: Copy to cluster: file system
disk0: Copy to disk0: file system
disk1: Copy to disk1: file system
flash: Copy to flash: file system
ftp: Copy to ftp: file system
running-config Update (merge with) current system configuration
scp: Copy to scp: file system
smb: Copy to smb: file system
startup-config Copy to startup configuration
system: Copy to system: file system
tftp: Copy to tftp: file system
firepower# copy flash:/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap tftp://198.51.100.10/
Source filename [/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap]?
Destination filename [sess-1-capsw-ethernet-1-1-0.pcap]?
Copy in progress...C
139826 bytes copied in 0.532 secs
Perform these steps on the FTD CLI to stage the capture file for collection from the FMC through the File Download option:
> capture capsw switch stop
> show capture capsw detail
Packet Capture info
Name: capsw
Session: 1
Admin State: disabled
Oper State: down
Oper State Reason: Session_Admin_Shut
Config Success: yes
Config Fail Reason:
Append Flag: overwrite
Session Mem Usage: 256
Session Pcap Snap Len: 1518
Error Code: 0
Drop Count: 0
Total Physical ports involved in Packet Capture: 1
Physical port:
Slot Id: 1
Port Id: 1
Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
Pcapsize: 139826
Filter: capsw-1-1
Packet Capture Filter Info
Name: capsw-1-1
Protocol: 0
Ivlan: 0
Ovlan: 0
Src Ip: 0.0.0.0
Dest Ip: 0.0.0.0
Src Ipv6: ::
Dest Ipv6: ::
Src MAC: 00:00:00:00:00:00
Dest MAC: 00:00:00:00:00:00
Src Port: 0
Dest Port: 0
Ethertype: 0
Total Physical breakout ports involved in Packet Capture: 0
886 packets captured on disk using switch capture
Reading of capture file from disk is not supported
> expert
admin@firepower:~$ sudo su
root@firepower:/home/admin# cp /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap /ngfw/var/common/
root@firepower:/home/admin# ls -l /ngfw/var/common/sess*
-rwxr-xr-x 1 root admin 139826 Aug 7 20:14 /ngfw/var/common/sess-1-capsw-ethernet-1-1-0.pcap
-rwxr-xr-x 1 root admin 24 Aug 6 21:58 /ngfw/var/common/sess-1-capsw-ethernet-1-3-0.pcap
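The verification outputs in the filter section above and the collection procedure in this section both rely on reading show capture capsw detail by eye. As an added example that is not part of the Cisco article, the following Python turns that text into structured data and uses it for two checks: first, whether a given frame would be selected by the filter the device programmed (the filter fields are printed as 0, 0.0.0.0, :: or 00:00:00:00:00:00 when they are not set; treating those values as wildcards is my interpretation of the outputs above, not a statement from Cisco), and second, whether every Pcapfile listed for the session, including both member-port files of a port-channel capture, has been copied off the device with a size equal to its Pcapsize. The sample output embedded in the block is constructed from the field names and values shown in this article; the frame dictionaries are constructed as well.

```python
import re
from typing import Any, Dict, List

# Values the device prints for a filter field that is not set (assumption:
# treated here as wildcards, based on the show outputs in this article).
UNSET = {"0", "0.0.0.0", "::", "00:00:00:00:00:00", ""}

# show-output field name -> attribute name of a decoded frame
FILTER_KEYS = {
    "Protocol": "ip_proto", "Ovlan": "vlan", "Ethertype": "ethertype",
    "Src Ip": "src_ip", "Dest Ip": "dst_ip", "Src MAC": "src_mac",
    "Dest MAC": "dst_mac", "Src Port": "src_port", "Dest Port": "dst_port",
}


def parse_show_capture_detail(text: str) -> Dict[str, Any]:
    """Turn 'show capture <name> detail' text into session, port and filter dicts."""
    session: Dict[str, Any] = {"ports": []}
    target = session
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Physical port:":
            target = {"filter": {}}
            session["ports"].append(target)
            continue
        if line == "Packet Capture Filter Info":
            target = session["ports"][-1]["filter"]
            continue
        if line.startswith("Total "):
            target = session            # trailer lines belong to the session again
        m = re.match(r"^(\d+) packets? captured on disk", line)
        if m:
            session["packets_captured"] = int(m.group(1))
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            target[key.strip()] = value.strip()
    return session


def filter_matches(filt: Dict[str, str], frame: Dict[str, Any]) -> bool:
    """True if every set filter field equals the frame's value; unset fields are wildcards."""
    for field, attr in FILTER_KEYS.items():
        want = filt.get(field, "0")
        if want in UNSET:
            continue
        have = frame.get(attr)
        if have is None or str(have).lower() != want.lower():
            return False
    return True


def missing_or_mismatched(session: Dict[str, Any], local_sizes: Dict[str, int]) -> List[str]:
    """Pcapfile basenames that were not copied off the device or whose size != Pcapsize."""
    problems = []
    for port in session["ports"]:
        name = port["Pcapfile"].rsplit("/", 1)[-1]
        if local_sizes.get(name) != int(port["Pcapsize"]):
            problems.append(name)
    return problems


def _port_block(port_id: int, size: int, ovlan: int) -> str:
    """Constructed 'Physical port' section in the layout of the show output above."""
    return (f"Physical port:\nSlot Id: 1\nPort Id: {port_id}\n"
            f"Pcapfile: /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-{port_id}-0.pcap\n"
            f"Pcapsize: {size}\nFilter: capsw-1-{port_id}\nPacket Capture Filter Info\n"
            f"Name: capsw-1-{port_id}\nProtocol: 0\nIvlan: 0\nOvlan: {ovlan}\n"
            "Src Ip: 0.0.0.0\nDest Ip: 0.0.0.0\nSrc Ipv6: ::\nDest Ipv6: ::\n"
            "Src MAC: 00:00:00:00:00:00\nDest MAC: 00:00:00:00:00:00\n"
            "Src Port: 0\nDest Port: 0\nEthertype: 0\n")


# Constructed sample: the Port-channel1.205 session (members Ethernet1/3 and
# Ethernet1/4) with the sizes and packet count shown in the article's output.
SAMPLE_OUTPUT = ("Packet Capture info\nName: capsw\nSession: 1\nAdmin State: disabled\n"
                 "Oper State: down\nSession Pcap Snap Len: 1518\n"
                 "Total Physical ports involved in Packet Capture: 2\n"
                 + _port_block(4, 23442, 205) + _port_block(3, 5600, 205)
                 + "Total Physical breakout ports involved in Packet Capture: 0\n"
                 "49 packets captured on disk using switch capture\n")

# Constructed decoded frames: a VLAN 205 ICMP echo request and an untagged ARP frame.
TAGGED_ICMP = {"vlan": 205, "ethertype": 0x0800, "ip_proto": 1,
               "src_ip": "192.0.2.100", "dst_ip": "198.51.100.100"}
UNTAGGED_ARP = {"vlan": None, "ethertype": 0x0806}

if __name__ == "__main__":
    s = parse_show_capture_detail(SAMPLE_OUTPUT)
    print(s["packets_captured"], "packets;", [p["Pcapfile"] for p in s["ports"]])
    print("tagged ICMP selected by Ovlan 205:", filter_matches(s["ports"][0]["filter"], TAGGED_ICMP))
    # ARP filter as printed by the device: Ethertype 2054 decimal == 0x0806
    print("ARP selected by Ethertype 2054:", filter_matches({"Ethertype": "2054"}, UNTAGGED_ARP))
    # Only one member-port file copied: the other one is reported
    print(missing_or_mismatched(s, {"sess-1-capsw-ethernet-1-4-0.pcap": 23442}))
```

Feed the real text of show capture capsw detail and a dictionary of the local file sizes (for example from os.path.getsize on the downloaded files) into missing_or_mismatched to confirm that every member-port file of a port-channel capture was collected completely. Note that the match icmp 198.51.100.100 filter from the filter section sets Src Ip, so an echo request sourced from 192.0.2.100 is not selected by it, as the last assertion below shows.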
Guidelines and limitations:
On a multi-context ASA, switch captures on data interfaces are configured in the user contexts. Switch captures on the in_data_uplink1 and in_mgmt_uplink1 interfaces are supported only in the admin context.
This is a list of best practices based on packet capture usage in TAC cases:
Revision | Publish Date | Comments
---|---|---
2.0 | 17-Sep-2022 | Initial Release
1.0 | 27-Aug-2022 | Initial Release