Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1368
Views
4
Helpful
4
Replies

Packet Captures Save Location

Go to solution
Mike Keenan
Level 1
Level 1

‎10-10-2014 07:34 AM - edited ‎03-11-2019 09:54 PM

Where is the data from packet captures saved to on the ASA firewall? It seems as though there is plenty of documentation out there on how to set up packet captures but none on where that data is stored. Is it stored to memory? Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎10-10-2014 07:54 AM

Hi,

 

Did a quick test on my home ASA5505

 

It seems to me that when you configure the "capture" and set the "buffer" the ASA immediately reserves that amount from the RAM

 

capture TEST-CAP type raw-data access-list TEST-CAP buffer 20000000 packet-length 1522 interface WAN circular-buffer [Capturing - 7090435 bytes]


ASA# show memory
Free memory:          20269800 bytes ( 8%)
Used memory:         248165656 bytes (92%)
-------------     ------------------
Total memory:        268435456 bytes (100%)


ASA# no capture TEST-CAP


ASA# show memory
Free memory:          40275512 bytes (15%)
Used memory:         228159944 bytes (85%)
-------------     ------------------
Total memory:        268435456 bytes (100%)

 

As you can see, after removing the capture which is set for around 20MB that amount of RAM is freed up on the ASA.


Hope this helps :)

 

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-10-2014 07:46 AM

Hi,

 

To my understanding the ASA keeps it in the RAM. Too bad that there does not seem to be a option to save the capture data somewhere else. The limitation of about 35MB per capture seems silly considering the ASA models we are using have 12GB RAM and its not really in heavy use. Not to mention there are HD slots on the units which cant be used either.

 

One special thing about the capture configuration also is that it does not get saved in the configurations and when a reload happens the captured data is gone also.

 

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎10-10-2014 07:54 AM

Hi,

 

Did a quick test on my home ASA5505

 

It seems to me that when you configure the "capture" and set the "buffer" the ASA immediately reserves that amount from the RAM

 

capture TEST-CAP type raw-data access-list TEST-CAP buffer 20000000 packet-length 1522 interface WAN circular-buffer [Capturing - 7090435 bytes]


ASA# show memory
Free memory:          20269800 bytes ( 8%)
Used memory:         248165656 bytes (92%)
-------------     ------------------
Total memory:        268435456 bytes (100%)


ASA# no capture TEST-CAP


ASA# show memory
Free memory:          40275512 bytes (15%)
Used memory:         228159944 bytes (85%)
-------------     ------------------
Total memory:        268435456 bytes (100%)

 

As you can see, after removing the capture which is set for around 20MB that amount of RAM is freed up on the ASA.


Hope this helps :)

 

- Jouni

0 Helpful

Go to solution
Mike Keenan
Level 1
Level 1
In response to Jouni Forss

‎10-10-2014 08:16 AM

Wow Jouni! Thanks!

0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9

‎10-10-2014 08:02 AM

hi,

i would agree with jouni. there's a special buffer that's stored in RAM (or DRAM).

you could verify this with show memory command before and after doing packet captures on the ASA.

just look under the % free and used memory.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card