Method to periodically transfer packet captures from ASA?

mitchen
Level 2

Investigating an intermittent issue we have with one of our systems, I have set up a packet capture to look at the traffic going through the firewall. The problem is, because we have no way of knowing when the issue is going to occur, the buffer can fill up before the relevant traffic is captured. Likewise, if I use "circular-buffer" to overwrite the buffer from the beginning when full, I have still ended up missing the traffic I'm interested in because it's been overwritten by the time I go to look at it!

So, does anyone have a method whereby I could regularly copy off the packet captures to a TFTP server whenever the capture is full?  (or at least on a regular basis so I can hopefully have as much of the traffic as possible captured and available to look back at?)

It can sometimes be weeks before the problem we are looking into becomes apparent so I don't want to have to manually transfer the packet captures each time.


Any suggestions would be appreciated!

Thanks.

2 Replies

AJ Cruz
Level 3

I don't know of an easy way to do it since ASA doesn't have Kron. I can think of a couple of not-so-easy ways though:

From an NMS platform (CiscoWorks/LMS, Rancid maybe??) schedule a job to run every x minutes to dump the cap and redirect it to a TFTP server or a local file.

Even more ghetto, if you use a terminal app like SecureCRT that can run VBScripts, create a VBScript to do the same thing (periodically log in and dump the cap with a redirect).

There's probably an easier way, I tend to over-think simple issues ><

Good luck!

Yeah, that's what I've ended up doing - just scripting a job to run daily and log in to the ASA to run the commands to dump the file to my TFTP server. Was hoping there might be a "cleaner" and simpler way to do it via the ASA itself but alas, it seems that's not the case.

Thanks for the advice all the same!
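Added example, not part of the original thread and not the script either poster used: one way to write the scheduled job described above, so that each run copies the capture to TFTP under a timestamped name and clears the buffer only if the copy succeeded. The function names, the environment variable names, the use of the third-party netmiko library and the error-detection rule are assumptions.

```python
import os
import re
from datetime import datetime, timezone

# Only plain names/addresses may reach the CLI line (no spaces, ';' or '?').
SAFE = re.compile(r"[A-Za-z0-9_.-]+")

def build_commands(capture, tftp_server, now=None):
    """Return (remote_filename, [copy_cmd, clear_cmd]) for one export."""
    for value in (capture, tftp_server):
        if not SAFE.fullmatch(value):
            raise ValueError(f"unsafe value for ASA CLI: {value!r}")
    now = now or datetime.now(timezone.utc)
    # Timestamped name, so each run adds a file instead of overwriting the last.
    fname = f"{capture}-{now:%Y%m%dT%H%M%SZ}.pcap"
    copy_cmd = f"copy /noconfirm /pcap capture:{capture} tftp://{tftp_server}/{fname}"
    return fname, [copy_cmd, f"clear capture {capture}"]

def export_capture(send, capture, tftp_server, now=None):
    """Copy the capture off-box via send(cmd) -> output, then empty the buffer.

    The buffer is cleared only when the copy output shows no error, so a
    failed transfer never discards packets that were not saved.
    """
    fname, (copy_cmd, clear_cmd) = build_commands(capture, tftp_server, now)
    output = send(copy_cmd)
    if "error" in output.lower():  # assumption: failures include the word "error"
        raise RuntimeError(f"copy failed, buffer left intact: {output.strip()}")
    send(clear_cmd)
    return fname

if __name__ == "__main__":
    # Run from cron or Task Scheduler. Credentials come from the environment,
    # not the script. Requires the third-party netmiko package (4.x).
    from netmiko import ConnectHandler
    conn = ConnectHandler(device_type="cisco_asa", host=os.environ["ASA_HOST"],
                          username=os.environ["ASA_USER"],
                          password=os.environ["ASA_PASS"],
                          secret=os.environ["ASA_ENABLE"])
    try:
        saved = export_capture(lambda c: conn.send_command(c, read_timeout=120),
                               os.environ["ASA_CAPTURE"], os.environ["TFTP_SERVER"])
        print("saved", saved)
    finally:
        conn.disconnect()
```

Packets that arrive between the copy and the clear are not saved, so a short run interval keeps that gap small. TFTP is unauthenticated and unencrypted, so the server receiving these captures belongs on a management network.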
