11-06-2014 06:30 AM - edited 03-11-2019 10:02 PM
Investigating an intermittent issue we have with one of our systems, I have set up a packet capture to look at the traffic going through the firewall. The problem is, because we have no way of knowing when the issue is going to occur, the buffer can fill up before the relevant traffic is captured. Likewise, if I use "circular-buffer" to overwrite the buffer from the beginning when full, I have still ended up missing the traffic I'm interested in because it's been overwritten by the time I go to look at it!
So, does anyone have a method whereby I could regularly copy off the packet captures to a TFTP server whenever the capture is full? (or at least on a regular basis so I can hopefully have as much of the traffic as possible captured and available to look back at?)
It can sometimes be weeks before the problem we are looking into becomes apparent so I don't want to have to manually transfer the packet captures each time.
Any suggestions would be appreciated!
Thanks.
11-06-2014 01:41 PM
I don't know of an easy way to do it since ASA doesn't have Kron. I can think of a couple not-so-easy ways though:
From an NMS platform (CiscoWorks/LMS, Rancid maybe??) schedule a job to run every x minutes to dump the cap and redirect it to a TFTP server or a local file.
Even more ghetto, if you use a terminal app like SecureCRT that can run VBScripts, create a VBScript to do the same thing (periodically log in and dump the cap with a redirect).
There's probably an easier way, I tend to over-think simple issues ><
Good luck!
11-07-2014 09:23 AM
Yeah, that's what I've ended up doing - just scripting a job to run daily and log in to the ASA to run the commands to dump the file to my TFTP server. Was hoping there might be a "cleaner" and simpler way to do it via the ASA itself but alas, it seems that's not the case.
Thanks for the advice all the same!
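
The scheduled login-and-dump job the thread settles on, sketched as an added example (not code from any poster or from Cisco). It assumes the third-party netmiko library (4.x), hypothetical environment variables `ASA_USER`, `ASA_PASS` and `ASA_ENABLE`, a capture named `CAP1`, and documentation-range addresses; clearing the buffer after a successful copy is a choice of this example, not something the thread describes.

```python
"""Export an ASA capture buffer to TFTP; run from cron or Task Scheduler."""
import os
import re
from datetime import datetime, timezone

# Restrict names to safe characters so a bad value cannot add extra CLI text.
SAFE = re.compile(r"^[A-Za-z0-9_.-]+$")

def build_commands(capture, tftp_host, now=None):
    """Return the ASA CLI lines that export one capture buffer, then empty it."""
    for value in (capture, tftp_host):
        if not SAFE.match(value):
            raise ValueError(f"unsafe value for CLI: {value!r}")
    now = now or datetime.now(timezone.utc)
    # Timestamped file name: each run keeps its own pcap instead of overwriting.
    fname = f"{capture}-{now:%Y%m%dT%H%M%SZ}.pcap"
    return [
        f"copy /noconfirm /pcap capture:{capture} tftp://{tftp_host}/{fname}",
        f"clear capture {capture}",  # empties the buffer, keeps the capture running
    ]

def export_capture(host, capture, tftp_host):
    """Log in over SSH, copy the buffer, and clear it only if the copy worked."""
    from netmiko import ConnectHandler  # imported here so build_commands works without it
    conn = ConnectHandler(
        device_type="cisco_asa", host=host,
        username=os.environ["ASA_USER"], password=os.environ["ASA_PASS"],
        secret=os.environ["ASA_ENABLE"],  # credentials come from the environment, not the script
    )
    try:
        conn.enable()
        copy_cmd, clear_cmd = build_commands(capture, tftp_host)
        output = conn.send_command(copy_cmd, read_timeout=120)
        # Heuristic (assumption): treat any "error" text in the reply as a failed copy.
        if "error" in output.lower():
            raise RuntimeError(f"copy failed, buffer left intact: {output.strip()}")
        conn.send_command(clear_cmd)
        return output
    finally:
        conn.disconnect()

if __name__ == "__main__":
    # Constructed values: 192.0.2.0/24 is a documentation range, CAP1 a sample name.
    export_capture("192.0.2.1", "CAP1", "192.0.2.50")
```

TFTP is unauthenticated and unencrypted, so the export path and the server holding the pcaps belong on a management network with restricted access.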