Use the "capture" Command to Capture NSEL Packets Sent from the ASA to the SEC
- Make sure you have configured your ASA to send NSEL events to the SEC. See Configuring NSEL for ASA Devices Using a Security Cloud Control Macro.
- The SEC IP address is the flow collector address for NSEL events. If you have onboarded more than one SEC to your tenant, be sure you are using the correct IP address.
- Find the UDP port number used to forward NetFlow events. See Finding Your Device's TCP, UDP, and NSEL Port Used for Cisco Security Analytics and Logging.
- Our recommended interface on the ASA from which to send NSEL events is the management interface; your interface may be different.
Use the command line interface in Security Cloud Control to send these commands to the ASAs that you have configured for NSEL.
Procedure
1. In the navigation pane, click Security Devices.
2. Click the Devices tab.
3. Click the appropriate device type tab and select the ASA you configured to send NSEL events to the SEC.
4. In the Device Actions pane on the right, click Command Line Interface.
5. In the command window, run this capture command:
   > capture capture_name interface interface_name match udp any host IP_of_SEC eq NetFlow_port
   Where:
   - capture_name is a name you choose for the packet capture.
   - interface_name is the ASA interface from which NSEL events are sent (the management interface, if you followed the recommendation above).
   - IP_of_SEC is the IP address of the SEC that collects NSEL events.
   - NetFlow_port is the UDP port on the SEC that receives NetFlow events.
   This starts the packet capture.
6. Run the show capture command to view the captured packets:
   > show capture capture_name
   Where capture_name is the name of the packet capture you defined in the previous step. Here is an example of the output, which shows the time of the capture, the source IP address of each packet, and the destination IP address and port. In this example, 192.168.25.4 is the IP address of the SEC and port 10425 is the port on the SEC that receives NSEL events.
   6 packets captured
7. Run the capture stop command to manually stop the packet capture:
   > capture capture_name stop
   Where capture_name is the name of the packet capture you defined in the previous step.
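To check the step 6 output without reading it by eye, here is an added example (not part of this page or of Security Cloud Control) that parses a "show capture" listing and tells you whether NSEL packets are actually reaching the expected SEC IP and port. The packet lines are constructed in the ASA's display format (assumed: "<n>: <time> <src>.<sport> > <dst>.<dport>: udp <len>"); only the SEC address 192.168.25.4, the port 10425 and the "6 packets captured" line come from the page.

```python
import re

# Constructed "show capture" output after
# "capture nsel_cap interface management match udp any host 192.168.25.4 eq 10425".
SAMPLE_OK = """\
6 packets captured

   1: 10:36:21.598425       192.168.25.2.1025 > 192.168.25.4.10425:  udp 1420
   2: 10:36:21.598501       192.168.25.2.1025 > 192.168.25.4.10425:  udp 1420
   3: 10:36:22.104117       192.168.25.2.1025 > 192.168.25.4.10425:  udp 1020
   4: 10:36:22.104230       192.168.25.2.1025 > 192.168.25.4.10425:  udp 1420
   5: 10:36:23.001875       192.168.25.2.1025 > 192.168.25.4.10425:  udp 1420
   6: 10:36:23.001990       192.168.25.2.1025 > 192.168.25.4.10425:  udp  612
6 packets shown
"""

# Constructed output for the failure case: the capture is bound to an interface
# the NSEL flows never leave on, or the filter names the wrong SEC, so nothing matches.
SAMPLE_EMPTY = "0 packet captured\n\n0 packet shown\n"

HEADER_RE = re.compile(r"^\s*(\d+) packets? captured")
PACKET_RE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)

def parse_show_capture(text):
    """Return (declared_count, [(dst_ip, dst_port, length), ...]) from a listing."""
    declared, packets = None, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h and declared is None:
            declared = int(h.group(1))
            continue
        m = PACKET_RE.match(line)
        if m:
            packets.append((m["dst"], int(m["dport"]), int(m["len"])))
    return declared, packets

def verify_nsel_capture(text, sec_ip, netflow_port):
    """Classify the capture as 'ok', 'no_packets' or 'wrong_destination'."""
    declared, packets = parse_show_capture(text)
    if not declared or not packets:
        return "no_packets"         # ASA is not exporting on this interface/filter
    if any(dst != sec_ip or port != netflow_port for dst, port, _ in packets):
        return "wrong_destination"  # flows are going to another collector
    return "ok"

if __name__ == "__main__":
    print(verify_nsel_capture(SAMPLE_OK, "192.168.25.4", 10425))
    print(verify_nsel_capture(SAMPLE_EMPTY, "192.168.25.4", 10425))
```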