jueves, 18 de febrero de 2016

[Cisco IOS] Packet capture on cisco IOS

Pretty much everyone familiar with a cisco ASA know how useful and handy the capture command can be! Have you ever wonder how to do something similar on routers? Well, a embedded packet capture feature was introduced staring at v12.4(20)T for IOS and 15.2(4)S for IOS-XE.

It requires additional steps than his firewall cousin, but the results are pretty much the same. I will not cover the details since you can found a lot of documentation on the web, but pretty much this is wht you need to do:

conf t
access-list 177 permit ip host
access-list 177 permit ip host
access-list 177 permit ip host
access-list 177 permit ip host
monitor capture buffer CAPTURE1
monitor capture buffer CAPTURE1 filter access-list 177
monitor capture point ip cef CUSTOMTRACE gigabitEthernet 0/1 both
monitor capture point associate CUSTOMTRACE CAPTURE1
monitor capture point start CUSTOMTRACE
! diplay the information capture
show monitor capture buffer CAPTURE1 parameters
show monitor capture buffer CAPTURE1 dump
monitor capture point stop CUSTOMTRACE
monitor capture buffer CAPTURE1 clear

In my opinion, this captures aren't that easy to read, this is an example of the output of the capture:

For simplicity I always transfer the capture to a tftp server so I can read it using Wireshark.

monitor capture buffer holdpackets export tftp://

I hope you can find this useful.

[Cisco ASA] Determine unused object-groups

There is not one answer when it comes to network management, and the things gets more difficult when it comes to cleaning tasks.

Fate threw me a few ASA that for better or worse were managed by tooooo many hands before me, and like a really good friend told me once "OCD in the networking world is usually a good thing" and the OCD monster living inside me forced me to start the titanic task of cleaning and standardize the configuration of this firewalls.

At some point I needed to deal with Object-Groups and with the help of a my friend Julio Guevara (@juliogbberry || @MAXxATTAXx) we came up with the idea of count how many time the object-groups is being used, not only to determine those that aren't used, but also get rid of those that are not necessarily needed (used five times or less).

Thanks to a little python script we can determine how many times the objects are being used, to accomplish that we need two files, one with all the names of the objects (List_ASA1), and the lines you want to compare with, for simplicity I narrow it for access control lists (ACL_ASA1).

Is quite simple:
  1. Place the pair of file to compare on the same folder.
  2. The files must be named List_abc & ACL_abc, where abc can be anything.
  3. Open the Python console and once you have the script ready issue the following commands. Remember to change the location where you have your files.
    • firewall = FirewallClean()
    • firewall.workFolder("C:\\firewall") 

If everything works, you should have a file called Results_abc (Results_ASA1) and you can determine what is being used and not.

The script and all the example files can be found here: Download Script.

I hope that many of you can found this helpful.


This is an experimental tool. Backup your config before making any changes suggested by this tool.