ASA Capture

pemasirid
Level 1

Hi,

I just want to know what exactly is captured if you use the capture command with some ACL on the firewall, where there is a limited buffer size. The reason I want to know is that we need to capture some traffic between firewall interfaces (inside/dmz), where this traffic will be more than 50GB and will last about 5-10 minutes.

thanks

7 Replies

Nicolas Fournier
Cisco Employee

Hi,

As you can see here, the maximum capture size on an ASA is way below the 50Gb you need to capture:

asa5505-23(config)# capture test buffer ?

exec mode commands/options:
  <1534-33554432>  Size of capture buffer in bytes

asa5505-23(config)#

If you know exactly which part of those 50Gb you need, you can use the circular-buffer keyword in your capture command and just stop the capture once the traffic you are interested in just passed through the ASA.

If you need the full 50Gb, I would advise you to use a SPAN on a switch, where you connect a host to the SPAN destination to capture the copy of the traffic.

You can also try to limit the size of the traffic captured by binding an ACL to the capture with the access-list keyword. Just keep in mind that if you want to capture all the data between A and B, you'll need two ACL statements:

access-list cap-acl permit ip host A host B
access-list cap-acl permit ip host B host A

Regards,

Nicolas

Hi Nicolas,

Thanks for the reply. Actually, what I really want to know is: when we use the capture command with an ACL for particular host(s), what exactly are we going to capture? Is it capturing only the header information, or is it capturing all data, including the contents?

We are having an issue with the communication passing between inside/dmz on the ASA firewall, and we need to capture the traffic between those two zones for two hosts using an ACL. The traffic traversing from inside to DMZ will be around 50GB. So my question is: when we use the capture command on the firewall, is it going to capture everything or just the header information? Since the firewall we use has a limited amount of buffer, we worry that the capture will hang the firewall.

Hi,

First of all, if the capture reaches its maximum buffer length, it is simply going to stop and should not hang the firewall.

Regarding what the firewall is capturing, it gets by default the first 1518 bytes of the packet.

If you are only interested in the first bytes of the packet (Ethernet/IP/TCP headers for instance), you can lower this value with the packet-length option of the capture command and thus capture way more packets before the buffer gets completely filled.

Regards,

Nicolas

Hi Nicolas,

Thanks for your prompt reply. Sorry, I still didn't get an answer to my question. Anyway:

1) Can you please clarify what you really capture when you use the capture command on the ASA?

2) Is there any method by which we can directly get the output of the capture to an external file via FTP/TFTP?

Hi,

1) Can you please clarify what you really capture when you use the capture command on the ASA?

You capture the traffic in pcap format.

2) Is there any method by which we can directly get the output of the capture to an external file via FTP/TFTP?

Directly, you can't, but once the capture is done, you can export it from the ASA with the copy capture: [t]ftp: command.

Regards,

Nicolas
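The thread makes three points that are easier to see against an actual pcap file: the capture holds whole packets up to packet-length (1518 bytes by default), lowering packet-length keeps the headers and drops payload, and a one-line ACL only matches one direction of a conversation. The script below is an added example, not part of the thread or Cisco's tooling: it builds a small classic pcap inline (constructed sample frames between assumed hosts 10.1.1.10 and 10.2.2.20, checksums left at zero), truncates frames to a chosen snaplen the way packet-length would, parses the exported file as a tool like Wireshark would, and counts what a single `permit ip host A host B` line would match versus the two-line ACL.

```python
"""Parse a classic pcap export (what 'copy capture: tftp:' produces) and
summarise captured vs. original lengths and A<->B directionality.
Added example for illustration; the sample frames are constructed here."""
import struct

ETHERTYPE_IPV4 = 0x0800
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def make_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame. Checksums stay zero because this
    example only parses headers; nothing is ever transmitted."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18,
                      65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, snaplen):
    """Write a classic little-endian pcap (linktype 1 = Ethernet), cutting each
    frame at snaplen just as the ASA packet-length option does."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", i, 0, len(captured), len(frame))
        out += captured
    return bytes(out)


def parse_pcap(data):
    """Return (snaplen, records); each record carries the fields a triage needs."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != 1:
        raise ValueError("expected Ethernet link type")
    records, offset = [], 24
    while offset + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        rec = {"incl_len": incl_len, "orig_len": orig_len,
               "truncated": orig_len > incl_len, "src": None, "dst": None,
               "proto": None, "sport": None, "dport": None}
        # Decode only what survived truncation: Ethernet + IPv4 needs 34 bytes,
        # L4 ports need 4 more past the IP header.
        if len(frame) >= 34 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4:
            ihl = (frame[14] & 0x0F) * 4
            rec["proto"] = frame[23]
            rec["src"] = bytes_to_ip(frame[26:30])
            rec["dst"] = bytes_to_ip(frame[30:34])
            l4 = 14 + ihl
            if rec["proto"] in (6, 17) and len(frame) >= l4 + 4:
                rec["sport"], rec["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
        records.append(rec)
    return snaplen, records


def summarize(data, host_a, host_b):
    snaplen, records = parse_pcap(data)
    return {
        "snaplen": snaplen,
        "packets": len(records),
        "truncated": sum(r["truncated"] for r in records),
        # what a single 'permit ip host A host B' ACL line would have matched
        "a_to_b": sum(1 for r in records if r["src"] == host_a and r["dst"] == host_b),
        # what the two-line ACL (A->B plus B->A) matches
        "between_a_b": sum(1 for r in records if {r["src"], r["dst"]} == {host_a, host_b}),
    }


# Constructed sample traffic: assumed hosts, not from the thread.
HOST_A, HOST_B, HOST_C = "10.1.1.10", "10.2.2.20", "10.3.3.30"
SAMPLE_FRAMES = [
    make_tcp_frame(HOST_A, HOST_B, 51000, 443, b"X" * 1400),  # 1454 bytes on the wire
    make_tcp_frame(HOST_B, HOST_A, 443, 51000, b"Y" * 100),   # 154 bytes, reply direction
    make_tcp_frame(HOST_A, HOST_B, 51000, 443, b""),          # 54 bytes, headers only
    make_tcp_frame(HOST_C, HOST_A, 22, 51001, b"Z" * 20),     # 74 bytes, not part of A<->B
]
DEFAULT_CAPTURE = build_pcap(SAMPLE_FRAMES, 1518)   # ASA default packet-length
HEADERS_ONLY_CAPTURE = build_pcap(SAMPLE_FRAMES, 64)  # enough for Ethernet/IP/TCP headers

if __name__ == "__main__":
    for name, cap in (("packet-length 1518", DEFAULT_CAPTURE),
                      ("packet-length 64", HEADERS_ONLY_CAPTURE)):
        print(name, summarize(cap, HOST_A, HOST_B), "file bytes:", len(cap))
```

Run it as-is and compare the two summaries: with the default length every packet is stored whole and the file is dominated by payload; with packet-length 64 every packet with payload is marked truncated, the 5-tuples are all still recoverable, and the file is a fraction of the size, which is exactly the trade-off Nicolas describes. The `a_to_b` versus `between_a_b` counts show the reply-direction packet that a single ACL line would have missed. To inspect a real export, replace `DEFAULT_CAPTURE` with `open("CAPOUT.pcap", "rb").read()`.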

Hi,

Please go through the capture doc:

https://supportforums.cisco.com/docs/DOC-1222

Moreover, if your issue is buffer size on the ASA, you can also apply automated captures on the ASA:

https://supportforums.cisco.com/docs/DOC-5817

These two docs should help you out.

Thanks,
Varun Rao

You can directly download the capture as a Wireshark file (.pcap format) like this:

Assume your ASA's outside address is 123.123.123.123.

Assume your ASA's HTTP server is on port 442.

Assume your capture name is CAPOUT (case sensitive).

Then put this URL into your favorite browser and download the capture:

https://123.123.123.123:442/capture/CAPOUT/pcap

Rename it to whatever.pcap, double-click the file, and Wireshark will load it.
