https://community.cisco.com/t5/network-security/method-to-periodically-transfer-packet-captures-from-asa/m-p/2565012#M205415 <P>Investigating an intermittent issue we have with one of our systems, I have set-up a packet capture to look at the traffic going through the firewall. &nbsp;The problem is, because we have no way of knowing when the issue is going to occur, the buffer can fill up before the relevant traffic is captured. &nbsp;Likewise, if I use "circular-buffer" to overwrite the buffer from the beginning when full, I have still ended up missing the traffic I'm interested in because it's been overwritten by the time I go to look at it!</P><P>So, does anyone have a method whereby I could regularly copy off the packet captures to a TFTP server whenever the capture is full? &nbsp;(or at least on a regular basis so I can hopefully have as much of the traffic as possible captured and available to look back at?)</P><P>It can sometimes be weeks before the problem we are looking into becomes apparent so I don't want to have to manually transfer the packet captures each time.</P><P><BR />Any suggestions would be appreciated!</P><P>&nbsp;</P><P>Thanks.</P> Tue, 12 Mar 2019 05:02:25 GMT mitchen 2019-03-12T05:02:25Z https://community.cisco.com/t5/network-security/method-to-periodically-transfer-packet-captures-from-asa/m-p/2565012#M205415 <P>Investigating an intermittent issue we have with one of our systems, I have set-up a packet capture to look at the traffic going through the firewall. &nbsp;The problem is, because we have no way of knowing when the issue is going to occur, the buffer can fill up before the relevant traffic is captured. &nbsp;Likewise, if I use "circular-buffer" to overwrite the buffer from the beginning when full, I have still ended up missing the traffic I'm interested in because it's been overwritten by the time I go to look at it!</P><P>So, does anyone have a method whereby I could regularly copy off the packet captures to a TFTP server whenever the capture is full? &nbsp;(or at least on a regular basis so I can hopefully have as much of the traffic as possible captured and available to look back at?)</P><P>It can sometimes be weeks before the problem we are looking into becomes apparent so I don't want to have to manually transfer the packet captures each time.</P><P><BR />Any suggestions would be appreciated!</P><P>&nbsp;</P><P>Thanks.</P> Tue, 12 Mar 2019 05:02:25 GMT https://community.cisco.com/t5/network-security/method-to-periodically-transfer-packet-captures-from-asa/m-p/2565012#M205415 mitchen 2019-03-12T05:02:25Z https://community.cisco.com/t5/network-security/method-to-periodically-transfer-packet-captures-from-asa/m-p/2565013#M205416 <P>I don't know of an easy way to do it since ASA doesn't have Kron. I can think of a couple not-so-easy ways though:</P><P>From a NMS platform (CiscoWorks/LMS, Rancid maybe??) schedule a job to run every x minutes to dump the cap and redirect it to a tftp server or a local file</P><P>Even more ghetto, if you use a terminal app like SecureCRT that can run VBScripts, create a vbscript to do the same thing (periodically log in and dump the cap with a redirect)</P><P>There's probably an easier way, I tend to over-think simple issues &gt;&lt;</P><P>good luck!</P> Thu, 06 Nov 2014 21:41:55 GMT https://community.cisco.com/t5/network-security/method-to-periodically-transfer-packet-captures-from-asa/m-p/2565013#M205416 AJ Cruz 2014-11-06T21:41:55Z https://community.cisco.com/t5/network-security/method-to-periodically-transfer-packet-captures-from-asa/m-p/2565014#M205417 <P>Yeah, that's what I've ended up doing - just scripting a job to run daily and login to the ASA to run the commands to dump the file to my TFTP server. &nbsp; Was hoping there might be a "cleaner" and simpler way to do it via the ASA itself but alas, it seems that's not the case. &nbsp;</P><P>Thanks for the advice all the same!</P> Fri, 07 Nov 2014 17:23:25 GMT https://community.cisco.com/t5/network-security/method-to-periodically-transfer-packet-captures-from-asa/m-p/2565014#M205417 mitchen 2014-11-07T17:23:25Z