https://community.cisco.com/t5/network-security/asa-capture/m-p/1664832#M528872 <HTML><HEAD></HEAD><BODY><P>Hi Nicolas,</P><P></P><P>Thanks for the reply. Actually I what I really want to know is that when we use capature command with acl for particular host/s what is exactly we going to capature. Is it capturing only the header information alone or is it capturing all data including contents of it.</P><P></P><P>We having issue the communication passing between inside/dmz on ASA firewall and we need to capture the traffic between those two zone for two hosts using ACL. The traffic going to be traversing from inside to DMZ will be around 50GB. So my question is that when we use capture command on the firewall will it going to capture everything or just a header informaiton. Since the firewall we use is having limited amount of buffer we worry that it will hang the firewall due to capturing.</P></BODY></HTML> Wed, 29 Jun 2011 20:24:35 GMT pemasirid 2011-06-29T20:24:35Z https://community.cisco.com/t5/network-security/asa-capture/m-p/1664830#M528870 <P>Hi,</P><P></P><P>I just want to know what exactly capturing if we you capture command with some ACL on the firewall where there is limited buffer size. The reason I want to know is that we need to capture some traffic between firewall (inside/dmz) where this traffic will be more than 50GB and it will be about 5-10minitues.</P><P></P><P>thanks</P> Mon, 11 Mar 2019 20:52:49 GMT https://community.cisco.com/t5/network-security/asa-capture/m-p/1664830#M528870 pemasirid 2019-03-11T20:52:49Z https://community.cisco.com/t5/network-security/asa-capture/m-p/1664831#M528871 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>As you can see here, the maximum capture size on an ASA is way below the 50Gb you need to capture:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P><STRONG>asa5505-23(config)# capture test buffer ?</STRONG></P><P></P><P><STRONG>exec mode commands/options:</STRONG></P><P><STRONG>&nbsp; &lt;1534-33554432&gt;&nbsp; Size of capture buffer in bytes</STRONG></P><P><STRONG>asa5505-23(config)#</STRONG></P></PRE><P></P><P>If you know exactly which part of those 50Gb you need, you can use the <STRONG>circular-buffer </STRONG>keyword in your capture command and just stop the capture once the traffic you are interested in just passed through the ASA.</P><P>If you need the full 50Gb, I would advise you to use a span a a switch where you connect a host to the span destination to capture the copy of the traffic.</P><P>You can also try to limit the size of the traffic captured by binding an ACL to the capture with the <STRONG>access-list </STRONG>keyword. Just keep in mind that if you want </P><P>to capture all the data between A and B, you'll need two ACL statements:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P><STRONG>access-list cap-acl permit ip host A host B&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </STRONG></P><P><STRONG>access-list cap-acl permit ip host B host A </STRONG></P></PRE><P></P><P>Regards,</P><P>Nicolas</P></BODY></HTML> Wed, 29 Jun 2011 20:16:13 GMT https://community.cisco.com/t5/network-security/asa-capture/m-p/1664831#M528871 Nicolas Fournier 2011-06-29T20:16:13Z https://community.cisco.com/t5/network-security/asa-capture/m-p/1664832#M528872 <HTML><HEAD></HEAD><BODY><P>Hi Nicolas,</P><P></P><P>Thanks for the reply. Actually I what I really want to know is that when we use capature command with acl for particular host/s what is exactly we going to capature. Is it capturing only the header information alone or is it capturing all data including contents of it.</P><P></P><P>We having issue the communication passing between inside/dmz on ASA firewall and we need to capture the traffic between those two zone for two hosts using ACL. The traffic going to be traversing from inside to DMZ will be around 50GB. So my question is that when we use capture command on the firewall will it going to capture everything or just a header informaiton. Since the firewall we use is having limited amount of buffer we worry that it will hang the firewall due to capturing.</P></BODY></HTML> Wed, 29 Jun 2011 20:24:35 GMT https://community.cisco.com/t5/network-security/asa-capture/m-p/1664832#M528872 pemasirid 2011-06-29T20:24:35Z https://community.cisco.com/t5/network-security/asa-capture/m-p/1664833#M528873 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>First of all, if the capture reaches it's maximum buffer length, it is simply going to stop and should not hang the firewall.</P><P>Regarding what the firewall is capturing, it gets by default the first 1518 bytes of the packet.</P><P>If you are only interested by the first bytes of the packet (Ethernet/IP/TCP headers for instance) you can lower this value with the <STRONG>packet-length</STRONG> option of the capture commands and thus capture way more packets before the buffer gets completely filled.</P><P></P><P>Regards,</P><P>Nicolas</P></BODY></HTML> Wed, 29 Jun 2011 20:32:02 GMT https://community.cisco.com/t5/network-security/asa-capture/m-p/1664833#M528873 Nicolas Fournier 2011-06-29T20:32:02Z https://community.cisco.com/t5/network-security/asa-capture/m-p/1664834#M528874 <HTML><HEAD></HEAD><BODY><P>HI Nicolas,</P><P></P><P>thanks for your prompt reply.,Sorry I still didnt get answer to my question anyway</P><P></P><P>1) can you please clarify me what you really capture when you use capture command on ASA</P><P>2) is there any method that we can directly get the output of capture to a external file via ftp/tftp.?</P></BODY></HTML> Wed, 29 Jun 2011 20:50:02 GMT https://community.cisco.com/t5/network-security/asa-capture/m-p/1664834#M528874 pemasirid 2011-06-29T20:50:02Z https://community.cisco.com/t5/network-security/asa-capture/m-p/1664835#M528875 <HTML><HEAD></HEAD><BODY><P>Hi, </P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>1) can you please clarify me what you really capture when you use capture command on ASA</P></PRE><P></P><P>You capture the traffic in pcap format.</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>2) is there any method that we can directly get the output of capture to a external file via ftp/tftp.?</P></PRE><P></P><P>Directly, you can't but once the capture is done, you can export it from the ASA with the </P><P><STRONG>copy capture: [t}ftp:</STRONG> command.</P><P></P><P>Regards,</P><P>Nicolas</P></BODY></HTML> Wed, 29 Jun 2011 20:57:39 GMT https://community.cisco.com/t5/network-security/asa-capture/m-p/1664835#M528875 Nicolas Fournier 2011-06-29T20:57:39Z https://community.cisco.com/t5/network-security/asa-capture/m-p/1664836#M528876 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Please go through the capture doc:</P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-1222">https://supportforums.cisco.com/docs/DOC-1222</A></P><P></P><P>Moreover, if your issue is buffer size on the ASA, you can also apply automated captures on the ASA:</P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-5817">https://supportforums.cisco.com/docs/DOC-5817</A></P><P></P><P>These two docs should help you out.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Thu, 30 Jun 2011 02:28:18 GMT https://community.cisco.com/t5/network-security/asa-capture/m-p/1664836#M528876 varrao 2011-06-30T02:28:18Z https://community.cisco.com/t5/network-security/asa-capture/m-p/1664837#M528877 <HTML><HEAD></HEAD><BODY><P>You can directly download the capture as a Wireshark file (.pcap format) like this:</P><P></P><P>Assume your ASAs outside address is 123.123.123.123</P><P></P><P>Assume your ASAs http server is on port 442</P><P></P><P>Assume your capture name is CAPOUT (case sensitive)</P><P></P><P>Then put this url into your favorite browser and download the capture.</P><P></P><P><A class="jive-link-external-small" href="https://123.123.123.123:442/capture/CAPOUT/pcap">https://123.123.123.123:442/capture/CAPOUT/pcap</A></P><P></P><P>Rename it to whatever.pcap and double click the file and Wireshark will load it.</P></BODY></HTML> Thu, 30 Jun 2011 04:22:57 GMT https://community.cisco.com/t5/network-security/asa-capture/m-p/1664837#M528877 lcaruso 2011-06-30T04:22:57Z