<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to automate getting packet captures off an ASA in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/how-to-automate-getting-packet-captures-of-off-an-asa/m-p/1059253#M914779</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks, I appreciate the compliment.  And I did submit that.  For others who might want to submit their great idea as a Tech Tip here is the link:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/warp/public/437/readertips/index.html" target="_blank"&gt;http://www.cisco.com/warp/public/437/readertips/index.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Brian&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 15 Aug 2008 12:45:25 GMT</pubDate>
    <dc:creator>bkhickman</dc:creator>
    <dc:date>2008-08-15T12:45:25Z</dc:date>
    <item>
      <title>How to automate getting packet captures off an ASA</title>
      <link>https://community.cisco.com/t5/network-security/how-to-automate-getting-packet-captures-of-off-an-asa/m-p/1059251#M914777</link>
      <description>&lt;P&gt;For weeks I have been trying to figure out how to get packet captures off an ASA before the buffer is full or overwritten.  It always seems like I was too late to get the capture I wanted manually so here is what I came up with.  I hope this helps someone and if anybody has any better ideas please pipe in.  &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Using a circular-buffer and the Linux wget and crontab commands you can automate the download of your capture file off of your ASA and store as many captures as you have disk space.  There might be some overlap but at least you are going to have the packet captures you need.  I am using Debian Etch but the commands are very generic and should work with any Linux distribution or Cygwin if you are stuck with Windows.  My ASA software is version 7.2(3)12.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;First, create an access-list for the captures you want on your ASA.  Let's say between two devices:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;	access-list cap extended permit ip host 10.10.150.1 host 192.168.0.1&lt;/P&gt;&lt;P&gt;	access-list cap extended permit ip host 192.168.0.1 host 10.10.150.1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Second, start your capture.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;	capture capout access-list cap interface outside circular-buffer&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Third, create an executable file on your Linux box and enter all on one line:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;	wget -P /home/directory 'https://username:password@ASA/capture/capout/pcap' --no-check-certificate&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This will place your capture files in the /home/directory.  Unfortunately this is not very secure because the password to your ASA is in this file for anyone who has privileges to read.  
So be careful where you put it and who can see it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Fourth, create your crontab.  We will set the crontab to download the capture every half hour.  At the command prompt enter:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;	crontab -e&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Then add a line like this:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;	*/30 * * * *  /directory/of/your/executable_in_step_three&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now, what will happen is every half hour the crontab will download the pcap file to the directory you specified.  The first one will be named pcap, the second pcap.1, third pcap.2 and so on.  You need to be careful to make sure your crontab is downloading the pcap file before sections start getting overwritten.  You can adjust either your crontab time or the buffer size on your ASA to accomplish this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Brian&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 13:29:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-automate-getting-packet-captures-of-off-an-asa/m-p/1059251#M914777</guid>
      <dc:creator>bkhickman</dc:creator>
      <dc:date>2019-03-11T13:29:34Z</dc:date>
    </item>
    <item>
      <title>Re: How to automate getting packet captures off an ASA</title>
      <link>https://community.cisco.com/t5/network-security/how-to-automate-getting-packet-captures-of-off-an-asa/m-p/1059252#M914778</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Brian,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks, this is great.  You should submit it as a Tech Tip.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jim&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 11 Aug 2008 19:08:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-automate-getting-packet-captures-of-off-an-asa/m-p/1059252#M914778</guid>
      <dc:creator>jphilope</dc:creator>
      <dc:date>2008-08-11T19:08:44Z</dc:date>
    </item>
    <item>
      <title>Re: How to automate getting packet captures off an ASA</title>
      <link>https://community.cisco.com/t5/network-security/how-to-automate-getting-packet-captures-of-off-an-asa/m-p/1059253#M914779</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks, I appreciate the compliment.  And I did submit that.  For others who might want to submit their great idea as a Tech Tip here is the link:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/warp/public/437/readertips/index.html" target="_blank"&gt;http://www.cisco.com/warp/public/437/readertips/index.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Brian&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 15 Aug 2008 12:45:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-to-automate-getting-packet-captures-of-off-an-asa/m-p/1059253#M914779</guid>
      <dc:creator>bkhickman</dc:creator>
      <dc:date>2008-08-15T12:45:25Z</dc:date>
    </item>
  </channel>
</rss>

