On a Cisco ASA you can configure packet captures to allow for deeper troubleshooting of issues. With the recent issue of the Heartbleed bug, I needed a way to capture HTTPS traffic and inspect remote hosts for the vulnerability. If the site was vulnerable, I would create a temporary block until that site was patched.
On the Cisco ASA I set up an access list:
access-list heartbleed line 1 extended permit tcp any any eq https
I create a capture:
capture heartbleed access-list heartbleed interface inside
Then I can view the capture:
show capture heartbleed
Example output of the above command:
1025: 09:52:27.882385 10.147.204.104.55665 > 74.125.228.5.443: . ack 3734113485 win 64860
1026: 09:52:27.882858 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798098736 win 64860
1027: 09:52:27.883239 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798101496 win 64860
1028: 09:52:27.883438 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798104256 win 64860
Alternatively, while the capture is enabled it is accessible via the web interface of the ASA.
https://192.168.1.1/admin/capture/heartbleed
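To get from the "show capture heartbleed" text to a list of remote HTTPS servers worth checking, the output can be parsed offline. The script below is an added example, not part of the original post; the function names are hypothetical and the sample input is constructed from the output shown above plus one made-up flow.

```python
import re
from collections import defaultdict

# One packet line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags...>"
PACKET_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# Constructed sample: the four lines from the post plus one made-up flow.
SAMPLE = """\
5 packets captured
1025: 09:52:27.882385 10.147.204.104.55665 > 74.125.228.5.443: . ack 3734113485 win 64860
1026: 09:52:27.882858 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798098736 win 64860
1027: 09:52:27.883239 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798101496 win 64860
1028: 09:52:27.883438 192.168.1.104.55666 > 74.125.228.5.443: . ack 3798104256 win 64860
1029: 09:52:28.104112 192.168.1.77.49210 > 203.0.113.10.443: S 1184331200:1184331200(0) win 8192
"""

def parse_capture(text):
    """Yield one dict per packet line; summary lines and noise are skipped."""
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            yield pkt

def remote_https_servers(text, port=443):
    """Map each server IP to its packet count and the clients talking to it."""
    servers = defaultdict(lambda: {"packets": 0, "clients": set()})
    for pkt in parse_capture(text):
        # The server is the endpoint on the HTTPS port; handle both directions
        # in case the access list is later widened to include return traffic.
        if pkt["dport"] == port:
            server, client = pkt["dst"], pkt["src"]
        elif pkt["sport"] == port:
            server, client = pkt["src"], pkt["dst"]
        else:
            continue
        servers[server]["packets"] += 1
        servers[server]["clients"].add(client)
    return dict(servers)

if __name__ == "__main__":
    for ip, info in sorted(remote_https_servers(SAMPLE).items()):
        print(ip, info["packets"], sorted(info["clients"]))
```

Each server IP in the result is a candidate for a Heartbleed check, and the client set shows which inside hosts a temporary block would affect.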