Monday, December 15, 2014

Cisco ASA: Packet Capture On The ASA In CLI

I had to do some remote troubleshooting on an ASA that, according to the customer, was not allowing SIP traffic in on their new SIP services.  In this scenario, CLI was the only option, and really, I'm just glad about that.  Although, I do also like the GUI form of the packet capture that Cisco has in the ASDM.  It's easy.  Easier than CLI in this case, but I like CLI, so I'm OK with it.  Here is the ACL I configured to capture traffic to their phone system's external IP:
CiscoASA# config t
CiscoASA(config)# access-list 188 permit ip any host 5.5.5.250
CiscoASA(config)# exit

Now, let's enable the capture on the outside interface, using that ACL to limit what gets captured:
CiscoASA# capture capin interface outside access-list 188

So now I run a ping to that 5.5.5.250 IP address.  Then, I make the phone call to see if SIP traffic came to the ASA.  Then, I HTTP'ed to the phone system.  So, how many bytes are captured?
CiscoASA# sho capture
capture capin type raw-data access-list 188 interface outside [Capturing - 360 bytes]

Now, what is in the packet capture log?
See the capture below:
CiscoASA#show capture capin
29 packets captured

   1: 00:41:49.017668 33.33.33.128 > 5.5.5.250: icmp: echo request
   2: 00:41:50.068218 33.33.33.128 > 5.5.5.250: icmp: echo request
   3: 00:41:54.843233 33.33.33.128 > 5.5.5.250: icmp: echo request
   4: 00:41:55.874863 33.33.33.128 > 5.5.5.250: icmp: echo request
   5: 00:45:23.107217 33.33.33.128.2098 > 5.5.5.250.80: S 2929358780:2929358780(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
   6: 00:45:23.107523 33.33.33.128.2097 > 5.5.5.250.80: S 2605027608:2605027608(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
   7: 00:45:23.331632 33.33.33.128.2098 > 5.5.5.250.80: . ack 1980576723 win 68
   8: 00:45:23.331846 33.33.33.128.2097 > 5.5.5.250.80: . ack 1928612590 win 68
   9: 00:45:23.335599 33.33.33.128.2097 > 5.5.5.250.80: P 2605027609:2605028002(393) ack 1928612590 win 68
  10: 00:45:23.413201 33.33.33.128.2099 > 5.5.5.250.8080: S 1012239204:1012239204(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
  11: 00:45:23.413476 33.33.33.128.2100 > 5.5.5.250.8080: S 4230440435:4230440435(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
  12: 00:45:23.489537 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452080160 win 68
  13: 00:45:23.491628 33.33.33.128.2100 > 5.5.5.250.8080: . ack 1273284172 win 68
  14: 00:45:23.495350 33.33.33.128.2099 > 5.5.5.250.8080: P 1012239205:1012239603(398) ack 1452080160 win 68
  15: 00:45:23.635495 33.33.33.128.2097 > 5.5.5.250.80: . ack 1928612939 win 67
  16: 00:45:23.663829 33.33.33.128.2099 > 5.5.5.250.8080: P 1012239603:1012240043(440) ack 1452080463 win 67
  17: 00:45:23.667690 33.33.33.128.2100 > 5.5.5.250.8080: P 4230440436:4230440774(338) ack 1273284172 win 68
  18: 00:45:23.750037 33.33.33.128.2099 > 5.5.5.250.8080: P 1012240043:1012240578(535) ack 1452080637 win 67
  19: 00:45:23.937359 33.33.33.128.2100 > 5.5.5.250.8080: . ack 1273285310 win 64
  20: 00:45:23.943371 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452083157 win 68
  21: 00:45:24.017333 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452085677 win 68
  22: 00:45:24.201329 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452088197 win 68
  23: 00:45:24.201390 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452090717 win 68
  24: 00:45:24.355709 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452093237 win 68
  25: 00:45:24.355740 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452098277 win 68
  26: 00:45:24.438881 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452103317 win 68
  27: 00:45:24.735542 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452104344 win 64
  28: 00:45:35.432396 33.33.33.128.2098 > 5.5.5.250.80: F 2929358781:2929358781(0) ack 1980576723 win 68
  29: 00:45:35.621702 33.33.33.128.2098 > 5.5.5.250.80: . ack 1980576724 win 68
29 packets shown
CiscoASA#

So, as you can see, no SIP traffic.  The capture sits on the interface ahead of the interface ACL, so a packet the ACL would have dropped would still show up here; its absence means the SIP traffic is not making it to the ASA at all.  Now let's disable the capture:
CiscoASA# no capture capin interface outside access-list 188
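When a capture runs longer than this one, reading the raw lines gets tedious, so here is an added example (not from the original post) that parses text of the kind `show capture capin` printed above, tallies packets by protocol and destination port, and checks whether anything hit the SIP signalling ports 5060 or 5061. The excerpt is taken from the capture above; the UDP line, its source address 44.44.44.44 and its timestamp are constructed to show what a SIP hit would look like, formatted the way the ASA prints UDP packets.

```python
import re
from collections import Counter

# One line of ASA "show capture <name>" output, e.g.
#    5: 00:45:23.107217 33.33.33.128.2098 > 5.5.5.250.80: S 2929358780:2929358780(0) win 8192 <...>
#    1: 00:41:49.017668 33.33.33.128 > 5.5.5.250: icmp: echo request
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)

SIP_PORTS = {5060, 5061}  # standard SIP signalling ports (UDP/TCP and TLS)

# Excerpt copied from the capture in the post (header and footer lines included
# to show they are skipped).
PAGE_EXCERPT = """\
29 packets captured

   1: 00:41:49.017668 33.33.33.128 > 5.5.5.250: icmp: echo request
   5: 00:45:23.107217 33.33.33.128.2098 > 5.5.5.250.80: S 2929358780:2929358780(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
  10: 00:45:23.413201 33.33.33.128.2099 > 5.5.5.250.8080: S 1012239204:1012239204(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
  28: 00:45:35.432396 33.33.33.128.2098 > 5.5.5.250.80: F 2929358781:2929358781(0) ack 1980576723 win 68
29 packets shown
"""

# Constructed line (not from the post): what a SIP INVITE reaching the ASA would look like.
CONSTRUCTED_SIP_LINE = "  30: 00:46:01.000000 44.44.44.44.5060 > 5.5.5.250.5060:  udp 412\n"


def split_endpoint(endpoint, has_port):
    """Split 'a.b.c.d.port' into (ip, port); ICMP endpoints carry no port."""
    if not has_port:
        return endpoint, None
    ip, _, port = endpoint.rpartition(".")
    return ip, int(port)


def parse_capture(text):
    """Turn show-capture text into a list of packet records, skipping non-packet lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. '29 packets captured', blank lines, the CLI prompt
        rest = m.group("rest")
        if rest.startswith("icmp:"):
            proto = "icmp"
        elif rest.startswith("udp"):
            proto = "udp"
        else:
            proto = "tcp"  # TCP lines begin with flag summaries: 'S', '. ack', 'P', 'F'
        has_port = proto != "icmp"
        src_ip, src_port = split_endpoint(m.group("src"), has_port)
        dst_ip, dst_port = split_endpoint(m.group("dst"), has_port)
        records.append({
            "num": int(m.group("num")), "ts": m.group("ts"), "proto": proto,
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "detail": rest,
        })
    return records


def summarize(records):
    """Count packets per (protocol, destination port)."""
    return Counter((r["proto"], r["dst_port"]) for r in records)


def sip_packets(records):
    """Return the records whose source or destination port is a SIP signalling port."""
    return [r for r in records
            if r["src_port"] in SIP_PORTS or r["dst_port"] in SIP_PORTS]


if __name__ == "__main__":
    for label, text in (("post excerpt", PAGE_EXCERPT),
                        ("excerpt + constructed SIP line", PAGE_EXCERPT + CONSTRUCTED_SIP_LINE)):
        recs = parse_capture(text)
        print(f"{label}: {len(recs)} packets")
        for (proto, port), n in sorted(summarize(recs).items(), key=str):
            print(f"  {proto:4} dst port {port!s:5} -> {n}")
        hits = sip_packets(recs)
        print("  SIP seen on the interface" if hits else "  no SIP traffic reached the interface")
```

Run it against a pasted `show capture` dump and the last line of each report answers the question the post is asking; with the real capture above it prints "no SIP traffic reached the interface", which is the same conclusion the author drew by eye.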

2 comments:

  1. Nice post! Packet capture on an ASA is not something you use every day, but when you need it...wow, it can sure save your butt!!

    1. Absolutely. It's certainly nice to be able to do.
