Use the "capture" Command to Capture NSEL Packets Sent from the ASA to the SEC
-
Make sure you have configured your ASA to send NSEL events to the SEC. See Configuring NSEL for ASA Devices Using a Security Cloud Control Macro.
-
The SEC IP address is the flow collector address for NSEL events. If you have onboarded more than one SEC to your tenant be sure you are using the correct IP address.
-
Find the UDP port number used to forward NetFlow events. See Finding Your Device's TCP, UDP, and NSEL Port Used for Cisco Security Analytics and Logging.
-
Our recommended interface on the ASA from which to send NSEL events is the management interface; your interface may be different.
Use the command line interface in Security Cloud Control to send these commands to the ASAs that you have configured for NSEL.
Procedure
Step 1 | In the navigation pane, click Security Devices. |
Step 2 | Click the Devices tab. |
Step 3 | Click the appropriate device type tab and select the ASA you configured to send NSEL events to the SEC. |
Step 4 | In the Device Actions pane on the right, click Command Line Interface. |
Step 5 | In the command window, run this capture command: > capturecapture_nameinterfaceinterface_name match udp any host IP_of_SECeqNetFlow_port Where
This starts the packet capture. |
Step 6 | Run the show capture command to view the captured packets: > show capturecapture_name Where capture_name is the name of the packet capture you defined in the previous step. Here is an example of the output showing the time of the capture, the IP address from which the packet was sent, the IP address, and the port the packet was sent to. In this example, 192.168.25.4 is the IP address of the SEC and port 10425 is the port on the SEC that receives NSEL events. 6 packets captured
|
Step 7 | Run the capture stop command to manually stop the packet capture: > capture capture_namestop Where capture_name is the name of the packet capture you defined in the previous step. |