Category: System Operations

2011-08-22 17:02:18

I. Capturing packets on the ASA inside and outside interfaces
1. Enable syslog
logging on
logging timestamp
logging trap informational
logging host inside X.X.X.X   (X.X.X.X is the syslog server)
clear conn
clear xlate
(clearing the existing connections and translations forces the flows of interest to be rebuilt, so they appear in the logs and in the captures)

2. Define the traffic to capture
Host-to-host capture (one ACL entry per direction of the flow):
access-list cap permit ip host X.X.X.X host X.X.X.X
access-list cap permit ip host X.X.X.X host X.X.X.X
capture asa_cap_inside type raw-data access-list cap buffer 10000000 interface inside
capture asa_cap_outside type raw-data access-list cap buffer 10000000 interface outside
Capture everything:
access-list cap permit ip any any
capture asa_cap_inside type raw-data access-list cap buffer 10000000 interface inside
capture asa_cap_outside type raw-data access-list cap buffer 10000000 interface outside
(the access-list name given in the capture command must be the ACL defined above, here "cap"; the buffer size is in bytes)
3. Check the current state
show clock
show conn address X.X.X.X
show local-host X.X.X.X
show asp drop
show xlate
show capture
4. Copy the captures to a TFTP server
copy /pcap capture:asa_cap_inside tftp://X.X.X.X/asa_inside.cap
copy /pcap capture:asa_cap_outside tftp://X.X.X.X/asa_outside.cap

5. Remove the captures
clear capture asa_cap_inside
clear capture asa_cap_outside
no capture asa_cap_inside
no capture asa_cap_outside
no access-list cap permit ip host X.X.X.X host X.X.X.X
no access-list cap permit ip host X.X.X.X host X.X.X.X
no access-list cap permit ip any any
(clear capture empties the capture buffer; no capture removes the capture definition; the capture names must be the ones created in step 2)
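The ASA steps above are easy to get out of sync: the ACL name in the capture command and the capture names in the cleanup step must match what was defined. The following POSIX shell helper is an added example, not from the original post; it prints the setup block and the matching teardown block for a host-to-host capture from one set of parameters. The function names and the sample addresses are constructed for this example; the 10000000-byte buffer is the value used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): emit an ASA capture setup
# block and the matching teardown block so that the ACL name and the
# capture names agree between setup and cleanup.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet <= 255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# asa_capture_setup ACLNAME CAPPREFIX HOST_A HOST_B [BUFFER]
# Prints the ACL entries (one per direction) and the two capture
# commands, each referencing ACLNAME. Fails on a malformed address.
asa_capture_setup() {
    acl=$1; cap=$2; a=$3; b=$4; buf=${5:-10000000}
    is_ipv4 "$a" && is_ipv4 "$b" || { echo "bad host address" >&2; return 1; }
    cat <<EOF
access-list $acl permit ip host $a host $b
access-list $acl permit ip host $b host $a
capture ${cap}_inside type raw-data access-list $acl buffer $buf interface inside
capture ${cap}_outside type raw-data access-list $acl buffer $buf interface outside
EOF
}

# asa_capture_teardown ACLNAME CAPPREFIX HOST_A HOST_B
# Prints the reverse of asa_capture_setup: "no capture" removes each
# capture and its buffer, then the ACL entries are removed.
asa_capture_teardown() {
    acl=$1; cap=$2; a=$3; b=$4
    cat <<EOF
no capture ${cap}_inside
no capture ${cap}_outside
no access-list $acl permit ip host $a host $b
no access-list $acl permit ip host $b host $a
EOF
}

# Constructed sample addresses (RFC 5737 documentation ranges).
asa_capture_setup cap asa_cap 192.0.2.10 198.51.100.20
```

Paste the printed setup block into the ASA configuration mode, and run the teardown function with the same arguments when the capture is finished.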
II. Capturing packets on a switch
1. Configure a SPAN session on the switch
configure terminal
monitor session 1 source interface fastethernet X/X/X
monitor session 1 destination interface fastethernet X/X/X
show monitor
no monitor session 1   (remove the session once the capture is finished)

III. Capturing packets on a host (Linux)
tcpdump -s 0 -w /tmp/X.cap -i <interface> host X.X.X.X
tcpdump -nn host X.X.X.X and not host X.X.X.X
tcpdump -w test.cap -i <interface> tcp port <port> or udp port \( <port> or <port> \)