In this post, I am going to show you how to run a packet capture on Cisco Firepower Management Center (FMC). As we know, both FTD and FMC are Linux based, which means we can rely on a few tools that are embedded in the Linux operating system. In fact, when you log into the FMC, or when you go into Expert mode on FTD, you will see that the majority of the commands you use are simply Linux commands.
Packet capture in FMC can be done with the tcpdump tool, along with the options that tcpdump offers such as filtering by source, destination, port, etc. In this post, you will see how to run a real-time packet capture in FMC, how to redirect the capture to a file, where to store the capture file, and how to download it through the GUI or transfer it to a remote server through the CLI. Let’s get started :).
The first thing we need to do is find out the FMC management interface name. Typically the interface name is eth0, but let’s double-check by using the Linux command ifconfig:
Now we will run the packet capture by using the Linux tool tcpdump. In our example, we are going to apply a filter to capture only the traffic between the FMC and the FTD:
The packet capture started right after we typed the FMC admin account password. Now let’s initiate some traffic from the FTD towards the FMC; in our example we are going to initiate some ICMP traffic:
Notice that we used the keyword system with the ping command. This keyword is used to initiate the traffic from the FTD management interface.
Now let’s stop the packet capture on the FMC by using ctrl+c, and see what it looks like:
It is feasible to troubleshoot some issues directly on the terminal console. However, sometimes the packet capture is too long for us to analyze it efficiently on the terminal. In those cases we need to redirect the capture to a file and then download it for further investigation.
Packet capture in FMC allows us to redirect the capture to a file, and also to download that file through either the GUI or the CLI. If we want to download the capture file through the GUI, then we need to use a specific folder in which the capture file will be stored.
However, if we want to download the capture through the CLI, then we can save the capture wherever we want on the FMC. Let’s have a look at the capture redirection and at both ways of downloading the capture file.
To redirect the capture to a file, we are going to use the same command as before with the addition of the -w option and the folder path where the capture file will be stored:
Notice the folder we used: it is /var/common, which is where the capture file will be stored. Also notice that when the capture is redirected to a file, we won’t see any packets on the screen. Now let’s initiate some ICMP traffic from the FTD towards the FMC:
Similar to what we’ve done before, we will stop the packet capture on the FMC by using ctrl+c:
Let’s check that the capture file is now stored in the folder /var/common:
Great, we have the file as expected. Now we need to download it to our computer. The first example will show you how to download it through the GUI. To do so, we need to log into the FMC through https and then go to System -> Health -> Monitor:
In the Health Monitor screen, we need to click on one of the status sections to find the FMC and then click on it. Usually you would find the FMC under the Normal Status section. However, in this case, as you could see from the above screenshot, the FMC has a warning message. Because of this, the FMC can now be found under the Warning Status section.
In fact, by looking at the Count column, we can see that we have one device under Warning Status and another under Normal Status. The one under the Warning section is the FMC, and the one under Normal Status is the FTD.
If the FMC had a critical message, we would have found it under the Critical Status section, similar to the other status sections. Now let’s open up the Warning Status section by clicking on the little black arrow:
Now we need to click on the FMC under the Appliance section:
Click on Advanced Troubleshooting:
On this screen, notice that it asks us to enter the name of the capture file stored in the folder /var/common, and there is no way to change the folder. This is why we are restricted to storing the capture file in that folder if we are planning to download it through the GUI:
Let’s type in the capture file name we set, which is ftd_packet_capture.pcap, and click on Download:
As you can see, the file has been downloaded successfully, and we can open it with Wireshark with no issues:
Now let’s try to store the capture file in a different folder and give it another name, and then try to download it through the CLI:
If we try to download this capture file through the GUI, we will get an error message stating that the file does not exist. That is expected, since the GUI only looks for the file in the folder /var/common:
Now let’s download this new file through the CLI. To do so we will use SCP; again, this is a standard Linux tool, and we use it the same way we transfer files via SCP on any Linux host:
As you can see, we were able to transfer the capture file successfully through SCP to our remote server 172.16.1.200.
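The capture-to-file and SCP steps above, wrapped in a small POSIX shell helper. This is an added example and not code from the original post or from Cisco; the interface name, the FTD and remote server addresses, the admin user name and the capture file name are constructed placeholders. It also adds a check the post's procedure implies but never automates: warning up front when the chosen path is outside /var/common, because the GUI download will then fail.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper around the FMC capture and
# transfer steps. Interface, IPs, user and file names are constructed placeholders.
# DRY_RUN=1 (default) prints the commands instead of running them, so the script
# can be checked on any machine; set DRY_RUN=0 on the FMC itself.

DRY_RUN="${DRY_RUN:-1}"
GUI_DIR="/var/common"   # the only folder the Advanced Troubleshooting page reads from

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$1"; else eval "$1"; fi; }

# capture_cmd IFACE PEER OUTFILE [PROTO] [COUNT]
# Builds the tcpdump line: -nn avoids name/port lookups, -w writes a pcap,
# "host PEER" keeps only traffic to/from the FTD, PROTO (e.g. icmp) narrows it
# further, and COUNT stops the capture after that many packets (no ctrl+c needed).
capture_cmd() {
  filter="host $2"
  if [ -n "${4:-}" ]; then filter="$filter and $4"; fi
  count=""
  if [ -n "${5:-}" ]; then count=" -c $5"; fi
  printf 'sudo tcpdump -nn -i %s%s -w %s %s' "$1" "$count" "$3" "$filter"
}

# gui_downloadable FILE: succeeds only when the GUI will be able to find the file
gui_downloadable() {
  case "$1" in
    "$GUI_DIR"/*) return 0 ;;
    *)            return 1 ;;
  esac
}

# fetch_cmd FILE USER HOST DEST: the scp line to push the capture from the FMC CLI
fetch_cmd() { printf 'scp %s %s@%s:%s' "$1" "$2" "$3" "$4"; }

# start_capture IFACE PEER OUTFILE [PROTO] [COUNT]: warns when the chosen path means
# the GUI download will fail, then runs (or prints) the capture command
start_capture() {
  if ! gui_downloadable "$3"; then
    echo "note: $3 is outside $GUI_DIR; download it with scp, not the GUI" >&2
  fi
  run "$(capture_cmd "$@")"
}

# usage: capture 100 ICMP packets between FMC and FTD, then push the file out
start_capture eth0 172.16.1.10 /var/common/ftd_packet_capture.pcap icmp 100
run "$(fetch_cmd /var/common/ftd_packet_capture.pcap admin 172.16.1.200 /tmp/)"
```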
I hope you enjoyed reading this post, and as always, I would love to hear your feedback. Thanks for reading!