Re: Saving captures/pcap directly to SFTP server

LovejitSingh130013 · ‎09-22-2022

I have ASA and running the capture for SMTP with a max buffer size of around 35 mb and with overwrite option enabled but this is not enough for my use case.

I want to run packet capture which will continue for weeks and should automatically copy/redirect the data on the SFTP server so that I can have full visibility of the whole packet capture instead of just the recent 35 mb of capture data.

Please suggest how I can achieve this?

Rob Ingram · ‎09-22-2022

@LovejitSingh130013 that's a very bespoke requirement, i don't believe there is a guide to do exactly what you require. Perhaps you can use an EEM script to initate a packet capture and then every x minutes export to the SFTP server. You'd have to play around with this yourself, here is an EEM guide which might provide some clues...

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117883-config-eem-00.html

Rakshith MN · ‎09-23-2022

Hi @LovejitSingh130013,

As @Rob Ingram mentioned, EEM script is the goto option.

You can use this example as a reference and test this out.

capture CAP interface Outside buffer 33554432 match tcp host 192.168.1.1 host 192.168.2.2

In EEM script call this command, with a watchdog timer you can append the output to a file in flash/disk, and later export for analysis.

"show capture Outside decode dump"

The decoded dump output can be uploaded to this packet analyser and can be analysed. [Even you can download in PCAP format]

https://community.cisco.com/t5/networking-knowledge-base/tool-to-assist-in-packet-capture-and-analysis/ta-p/3157571

NOTE: This method may consume your internal disk space.

Considering the requirement you have here, i would say, taking a span capture on connected switchport is a more viable option.