Capture w/Trace in Firepower Threat Defense

A few days ago I wrote an article demonstrating the Packet Tracer feature for troubleshooting Firepower Threat Defense. Another very cool tool for troubleshooting is the Capture w/Trace Feature. The power of this tool comes from both capturing a PCAP file (for Wireshark or your tool of choice) and a separate window pane that has a view of the device operation (very similar to the Packet Tracer output).

Similar to Packet Tracer, to initiate Capture w/Trace in the Firepower Management Console, choose 'Devices' then 'Device Management'. Next, select the device on which you want to perform the operation and click the icon that looks like a screwdriver and wrench.

DevDevMgmt


This will produce the screen that provides health monitoring and troubleshooting for the device. Selecting “Advanced Troubleshooting” will change the view to a multi-tab troubleshooting screen.

AdvTroubleshoot

Select the Capture w/Trace tab. The Add Capture button will allow for selection of filter criteria for the capture.

CapturewTrace

Add Capture

AddCapture

After filling out this information and choosing "Save", an entry will be created for tracking and capturing troubleshooting data. Selecting that entry will provide a raw and tree view in the bottom pane, very similar to the Packet Tracer feature. Additionally, this provides a way to stop and start the process as well as download a PCAP (packet capture).

CapturewTraceComp

This tree view can be expanded to show the device logic applied to the captured packet.

TreeExpanded

Choosing the Save button from the middle pane produces a PCAP file. This can be opened in Wireshark.

CaptureTraceWireshark
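As an added example (not part of the original article and not a Cisco tool), the Python script below reads a classic libpcap file such as the one Capture w/Trace saves and summarizes each packet's addresses, protocol and ports. That is a quick way to confirm that the downloaded capture actually contains the traffic your Add Capture filter was meant to match before spending time in Wireshark. It assumes an Ethernet link type and IPv4 traffic, handles only the classic pcap format (it rejects pcapng with a clear error), and the embedded sample bytes are constructed for the demonstration rather than taken from an FTD device.

```python
import ipaddress
import struct
import sys
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def summarize_frame(frame, ts, truncated):
    """Return a dict describing one Ethernet frame (IPv4 only; others just report the ethertype)."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != 0x0800:
        return {"ts": ts, "proto": f"ethertype 0x{ethertype:04x}", "truncated": truncated}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = ip[9]
    summary = {
        "ts": ts,
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "truncated": truncated,       # snaplen cut the frame short
    }
    if proto in (6, 17):              # TCP and UDP both start with src/dst port
        summary["sport"], summary["dport"] = struct.unpack_from("!HH", ip, ihl)
        if proto == 6:
            summary["syn"] = bool(ip[ihl + 13] & 0x02)   # TCP flags byte, SYN bit
    return summary


def parse_pcap(data):
    """Parse a classic libpcap byte string and return a list of per-packet summaries."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng or unknown magic)")
    _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; expected Ethernet (1)")
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated pcap record")
        off += incl_len
        packets.append(summarize_frame(frame, ts_sec + ts_usec / 1e6, orig_len > incl_len))
    return packets


def flow_counts(packets):
    """Count packets per (src, dst, proto, dport) so a capture filter can be sanity-checked."""
    return Counter((p.get("src"), p.get("dst"), p["proto"], p.get("dport")) for p in packets)


# --- constructed sample capture (illustrative, not from a real device) -------------------
def _frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4


def _record(ts_sec, frame):
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


SAMPLE_PCAP = (
    struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    + _record(1700000000, _frame("192.0.2.10", "198.51.100.20", 6,
                                 struct.pack("!HHIIHHHH", 51000, 443, 1, 0, 0x5002, 65535, 0, 0)))
    + _record(1700000001, _frame("192.0.2.10", "198.51.100.53", 17,
                                 struct.pack("!HHHH", 52000, 53, 8, 0)))
)

if __name__ == "__main__":
    # Pass the downloaded capture as the first argument, or run with no argument for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for p in parse_pcap(data):
        print(p)
    for flow, n in flow_counts(parse_pcap(data)).most_common():
        print(n, flow)
```

If the flow list does not match the source, destination and protocol you entered in Add Capture, the filter (or the interface selected) is the first thing to revisit; a `truncated` flag means the snap length was shorter than the frame and payload-level analysis in Wireshark will be incomplete.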

Conclusion

Like Packet Tracer, the Capture with Trace feature is a very powerful tool for understanding the logic and operation of a Firepower Threat Defense device.

If you have other tips or tricks for maintaining and operating a Firepower solution, please share them by commenting below.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.