
Number of bytes for an interesting traffic

andymelgui
Level 1

Hi,

I need to count the bytes for some interesting traffic crossing the firewall on an ASA 5500. Packet Capture is so far as I need, because I only need the number of bytes over a long time, about 3 months (source host - destination host).

capture capin type raw-data access-list cap buffer 33554432 interface inside circular-buffer [Capturing - 33553570 bytes]

I need to get only the exact amount, "33553570 bytes". The pcap file is not needed.

Please, is there any way to try this?

Thanks in advance

Andres

6 Replies

Jouni Forss
VIP Alumni

Hi,

I am not sure I quite follow what you are after?

You have a Capture running on the firewall and you need the mentioned amount of data captured, but as the output says, there is that much traffic captured at the time. And you continue to state that you don't need the actual capture file?

If you want to limit the amount of capture, you do it with the "buffer 33553570" in the capture configuration.

Your current setting is the max buffer size for a single capture.

Can you please clarify what exactly you are trying to do?

- Jouni

Thanks Jouni for your answer, and sorry for my explanation. I'll try to make it better.

I need to count the number of bytes for some interesting traffic. I only need to know the number of cumulative bytes of that traffic, not to capture the packets in a file, but only to know the total bytes.

For example, the "show traffic" command displays something like this:

outside:
        received (in 124.650 secs):
                295468 packets  167218253 bytes
                2370 pkts/sec   1341502 bytes/sec
        transmitted (in 124.650 secs):
                260901 packets  120467981 bytes
                2093 pkts/sec   966449 bytes/sec

It shows the total amount of TX bytes (120467981) and RX bytes (120467981) for the outside interface, but my goal is to display the total bytes only for some interesting traffic, for example an FTP connection between a source host and a destination host. How could I display the total bytes that the source sends to the destination without capturing all the packets? (I don't need to capture the packets of the FTP session, but only to count the total bytes for that FTP traffic.)

I thought at first of the packet capture tool, but it's not good when the total amount of bytes exceeds 33554432. I just need to know the total amount, not to capture the packets.

Thanks in advance.

Andres

Hi Andres,

You could use the "show crypto ipsec sa" command and keep an eye on the output.

HTH.

Portu.

Also, "show vpn-sessiondb detail L2L filter name remote_ip" will show you the TX and RX.

HTH.

Portu.

Thanks Javier for your answer,

These commands are useful when the session is tunneled or runs in a VPN, but the traffic that I need to account for is easier. For a simple FTP session between source and destination, or an ICMP connection, "show crypto.." or "show vpn-sessiondb.." does not apply.

I'm thinking of making 2 captures (capture1 with buffer 30Mb and capture2 with buffer 30Mb) and making a script in Linux that logs in to the ASA every 15 minutes and shows how many bytes capture1 is taking up. When capture1 reaches 20 Mb, the script stops capture1 and loads capture2 in the same way. When capture2 reaches 20 Mb, the script does the same as before, and so on.

The script keeps saving the cumulative bytes of the capture while the ASA only has one file capturing data.

Maybe this is a possibility. What do you think about this?

Thanks again

Andres
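
The accounting side of the two-capture rotation described in the post above, as an added Python example that is not part of the original thread. The capture names, the 20 MB default and the sample output are constructed; logging in to the ASA and stopping or starting the captures is left to the caller, which feeds each poll's capture status text to `poll()`.

```python
import re

# Status line format taken from the thread's own output:
#   capture capin type raw-data ... interface inside [Capturing - 33553570 bytes]
STATUS_RE = re.compile(r"^[ \t]*capture\s+(\S+)\s.*\[(.+?) - (\d+) bytes\]", re.M)

def parse_capture_status(text):
    """Map capture name -> (state, bytes held) for every status line in text."""
    return {n: (state, int(size)) for n, state, size in STATUS_RE.findall(text)}

class CaptureByteCounter:
    """Running byte total across two captures that are filled alternately."""

    def __init__(self, names=("capture1", "capture2"), rotate_at=20 * 1024 * 1024):
        self.names = names          # hypothetical capture names
        self.rotate_at = rotate_at  # switch captures at this many bytes
        self.active = 0             # index of the capture currently filling
        self.last_seen = 0          # its byte count at the previous poll
        self.total = 0              # cumulative bytes over all rotations
        self.gaps = 0               # polls that found the buffer not filling

    def poll(self, output):
        """Account one poll; return the capture to switch to, else None."""
        status = parse_capture_status(output)
        name = self.names[self.active]
        if name not in status:
            raise ValueError(f"no status line for {name}")
        state, size = status[name]
        if size < self.last_seen:   # capture was cleared between polls
            self.last_seen = 0
        self.total += size - self.last_seen
        self.last_seen = size
        stalled = state != "Capturing"
        if stalled:                 # bytes were missed: total is a lower bound
            self.gaps += 1
        if stalled or size >= self.rotate_at:
            self.active = 1 - self.active
            self.last_seen = 0      # caller must start the next capture empty
            return self.names[self.active]
        return None

# Constructed sample output, modelled on the status line quoted in the thread.
SAMPLE = (
    "capture capture1 type raw-data access-list cap buffer 31457280 "
    "interface inside [Capturing - 5000000 bytes]\n"
    "capture capture2 type raw-data access-list cap buffer 31457280 "
    "interface inside [Capturing - 0 bytes]\n"
)
```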

If you are just trying to get the amount of data that has been transferred in a particular connection, and if you know at least one of the addresses of the involved parties of such connection, you can use the "show local X.X.X.X" command.

X.X.X.X being one of the addresses.

It will give you important information, including the total amount of transferred bytes.
