top of page
Untitled-2-01_edited_edited.png

Reading a Packet Capture on Cisco ASA: What Your Firewall Is Telling You

  • The Itvue Team
  • 3 days ago
  • 2 min read

Author: Ermias Teffera, (CCIE# 70053)


Packet captures are one of the most powerful troubleshooting tools available on a Cisco ASA. When logs aren’t enough, a capture shows you exactly what traffic is hitting your firewall—and how it behaves.


Let’s break down a real capture and learn how to read it. improving performance.




What Are We Looking At?

At the top, we see:

20 packets captured

This simply tells us how many packets matched the capture criteria.

Each line below represents one packet, displayed in order.


How to Read a Single Line

Let’s take one example:

1: 10:15:27.241351 802.1Q vlan#100 P0 160.136.150.24.58854 > 140.194.234.1.443: S ...

Here’s how to decode it:


1. Packet Number

1:

This is just the sequence number in the capture.


2. Timestamp

10:15:27.241351

This shows exactly when the packet was captured (HH:MM:SS.microseconds)

👉 Useful for timing issues and latency analysis


3. VLAN / Interface Info

802.1Q vlan#100 P0

  • 802.1Q → VLAN tagging is in use

  • vlan#100 → Packet belongs to VLAN 100

  • P0 → ASA internal interface identifier


4. Source → Destination

160.136.150.24.58854 > 140.194.234.1.443

  • Source IP + Port → 160.136.150.24:58854

  • Destination IP + Port → 140.194.234.1:443

👉 This tells us:

  • Client is initiating traffic

  • Destination is HTTPS (port 443)


5. TCP Flags (Very Important)

S

This is the TCP flag.

  • S = SYN → Connection is being initiated


What Pattern Do We See?

Looking at your capture:

  • Multiple packets show S (SYN)

  • Same destination: 140.194.234.1:443

  • Different source ports

👉 This indicates:

⚠️ Repeated connection attempts (SYNs) with no response

You do NOT see:

  • SYN-ACK (response from server)

  • ACK (connection completion)


What This Means

This pattern typically points to one of the following:

🔴 Traffic is being dropped

  • Firewall rule blocking return traffic

  • Upstream device filtering

🔴 Destination is not responding

  • Server down

  • Port closed

🔴 Routing issue

  • Return path is broken


Quick Troubleshooting Tips

When you see repeated SYNs:

  1. ✅ Check firewall rules (ACL / security policy)

  2. ✅ Verify NAT configuration

  3. ✅ Confirm routing (both directions)

  4. ✅ Test reachability (ping / traceroute)

  5. ✅ Run packet-tracer to confirm behavior


Why Packet Captures Matter

Packet captures remove assumptions.

Instead of guessing:

  • You see exactly what leaves the client

  • You verify if a response comes back

👉 In this case, the firewall sees the traffic, but the connection never completes



Final Thought

If packet-tracer tells you what should happen…

A packet capture shows you what’s actually happening.

Use both together—and troubleshooting becomes fast, precise, and predictable.

 
 
 

Recent Posts

See All

Comments

bottom of page