Use the "capture" Command to Capture NSEL Packets Sent from the ASA to the SEC

Use the command line interface in Security Cloud Control to send these commands to the ASAs that you have configured for NSEL.

Procedure


Step 1

In the navigation pane, click Security Devices.

Step 2

Click the Devices tab.

Step 3

Click the appropriate device type tab and select the ASA you configured to send NSEL events to the SEC.

Step 4

In the Device Actions pane on the right, click Command Line Interface.

Step 5

In the command window, run this capture command:

> capturecapture_nameinterfaceinterface_name match udp any host IP_of_SECeqNetFlow_port

Where

  • capture_name is the name of the packet capture.

  • interface_name is the name of the interface from which NSEL packets leave the ASA.

  • IP_of_SEC is the IP address of the SEC VM.

  • NetFlow_port is the port to which NSEL events are sent.

This starts the packet capture.

Step 6

Run the show capture command to view the captured packets:

> show capturecapture_name

Where capture_name is the name of the packet capture you defined in the previous step.

Here is an example of the output showing the time of the capture, the IP address from which the packet was sent, the IP address, and the port the packet was sent to. In this example, 192.168.25.4 is the IP address of the SEC and port 10425 is the port on the SEC that receives NSEL events.

6 packets captured

1: 14:23:51.706308 192.168.0.169.16431 > 192.168.25.4.10425: udp 476

2: 14:23:53.923017 192.168.0.169.16431 > 192.168.25.4.10425: udp 248

3: 14:24:07.411904 192.168.0.169.16431 > 192.168.25.4.10425: udp 1436

4: 14:24:07.411920 192.168.0.169.16431 > 192.168.25.4.10425: udp 1276

5: 14:24:21.021208 192.168.0.169.16431 > 192.168.25.4.10425: udp 112

6: 14:24:27.444755 192.168.0.169.16431 > 192.168.25.4.10425: udp 196

Step 7

Run the capture stop command to manually stop the packet capture:

> capture capture_namestop

Where capture_name is the name of the packet capture you defined in the previous step.