How to Automate Getting Packet Captures off of an ASA

Fri, 08/22/2014 - 11:12
Jul 3rd, 2009

Brian Kimsey-Hickman, Orange County Controller's Office, Orlando, FL, USA.


For weeks I have been trying to figure out how to get packet captures off of an ASA before the buffer is full or overwritten. It always seemed I was too late when I tried to pull the capture I wanted by hand, so here is what I came up with. I have found this to be a life saver for intermittent and unpredictable network events.


Using a circular buffer and the Linux wget and crontab commands, you can automate downloading the capture file from your ASA and store as many captures as you have disk space for. There may be some overlap between captures, but at least you will have the packet captures you need. I am using Debian Etch, but the commands are generic and should work with any Linux distribution, or with Cygwin if you are stuck on Windows. My ASA software is version 7.2(3)12.


First, create an access-list on your ASA that matches the traffic you want captured. Let's say all IP traffic between two hosts:

access-list cap extended permit ip host 10.10.150.1 host 192.168.0.1
access-list cap extended permit ip host 192.168.0.1 host 10.10.150.1

Second, start your capture.

capture capout access-list cap interface outside buffer 1000000 circular-buffer

I am increasing the size of the buffer so I don't have to pull the captures off the ASA so often, and I am setting the circular-buffer keyword so the capture buffer starts overwriting the oldest packets when it gets full. If you don't set this, the capture simply stops when the buffer is full.


Third, create an executable file on your Linux box and enter the following, all on one line (the ASA address and password are placeholders here; use your own):

wget -P /home/directory 'https://username:password@<asa-address>/capture/capout/pcap' --no-check-certificate

wget is a very powerful program from the Linux/Unix world. It is great for pulling content off a website without going through a browser. This command places your capture files in /home/directory. Unfortunately this is not very secure, because the password to your ASA sits in this file in clear text for anyone with read access. So be careful where you put it and who can see it; at a minimum, restrict the file so that only the account running the cron job can read it (for example, chmod 700).


Fourth, create your crontab. We will set the crontab to download the capture every half hour.

At the command prompt enter:

crontab -e

Then add a line like this:

30 * * * *  /directory/of/your/executable_in_step_three


Make sure the permissions on the file allow it to be executed. Now every half hour cron will download the pcap file to the directory you specified. The first file will be named pcap, the second pcap.1, the third pcap.2, and so on. You need to make sure your crontab downloads the pcap file before the new packet captures get overwritten; you can adjust either your crontab interval or the buffer size on your ASA to accomplish this.
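The four steps above as one cron-driven script, added here as an example and not code from the original post. It assumes wget 1.13 or later (for --config), GNU od and date, a wgetrc-style credential file and the ASA's exported certificate at the paths shown, and a capture named capout; it also checks that the download really is a pcap file and compares the first packet's timestamp with the previous pull to detect the buffer-wrap gap described above.

```shell
#!/bin/sh
# pull_capture.sh - added example, not from the original post. Assumes GNU od/date,
# wget >= 1.13 (--config), an ASA capture named capout, the ASA's HTTPS cert saved in
# CA_FILE, and a wgetrc-style CRED_FILE (chmod 600) with http_user and http_password.
set -eu
ASA_HOST="${ASA_HOST:-192.0.2.1}"              # documentation address; replace with your ASA
CAP_NAME="${CAP_NAME:-capout}"
DEST_DIR="${DEST_DIR:-/var/captures}"
CRED_FILE="${CRED_FILE:-/etc/asa-capture/wgetrc}"
CA_FILE="${CA_FILE:-/etc/asa-capture/asa.crt}"
STATE="${STATE:-$DEST_DIR/.last_pull}"          # epoch seconds of the previous successful pull

# True if the file starts with a libpcap magic number (either byte order).
is_pcap() {
    case "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" in
        d4c3b2a1|a1b2c3d4) return 0 ;;
        *) return 1 ;;
    esac
}
# Epoch seconds of the first packet: the ts_sec field right after the 24-byte global header.
first_packet_ts() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    set -- $(od -An -tx1 -j24 -N4 "$1")
    case "$magic" in
        d4c3b2a1) echo $((0x$4$3$2$1)) ;;   # little-endian file: reverse the bytes
        a1b2c3d4) echo $((0x$1$2$3$4)) ;;   # big-endian file
        *) return 1 ;;
    esac
}
# "gap" if the earliest packet we got is newer than the previous pull (the circular
# buffer wrapped before we fetched it); "ok" means the captures overlap, nothing lost.
check_gap() {
    if [ "$1" -gt "$2" ]; then echo gap; else echo ok; fi
}

pull_capture() {
    out="$DEST_DIR/$CAP_NAME-$(date -u +%Y%m%dT%H%M%SZ).pcap"
    # Credentials come from the wgetrc file, not the URL, so they never appear in ps or
    # crontab; --ca-certificate verifies the ASA's own cert instead of disabling checks.
    if ! wget -q --config="$CRED_FILE" --ca-certificate="$CA_FILE" -O "$out" \
            "https://$ASA_HOST/capture/$CAP_NAME/pcap" || ! is_pcap "$out"; then
        echo "pull failed: $out is not a pcap (401, http server off, capture missing?)" >&2
        rm -f "$out"; return 1
    fi
    if [ -f "$STATE" ] && [ "$(check_gap "$(first_packet_ts "$out")" "$(cat "$STATE")")" = gap ]; then
        echo "WARNING: buffer wrapped before this pull; shorten the interval or grow the buffer" >&2
    fi
    date +%s > "$STATE"
}
case "${1:-}" in pull) pull_capture ;; esac   # crontab: */30 * * * * /usr/local/bin/pull_capture.sh pull
```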


christopher.clayden Fri, 11/19/2010 - 07:33

Hi Brian,

Thanks for this post. I was in exactly the same predicament, and the ASA at this time does not have this type of functionality built in.

Your idea is great, crontab and wget work flawlessly. The only problem that I have is that I am capturing such a significant amount of data. I am in a position where I have to grab/pull the new capture very frequently (less than a minute). The ACL used for the packet capture is written host to host with the protocol specified, so I don't have an option to further define the traffic to be matched.

As a feature request for Cisco and the ASA team, I would like to see Cisco implement some capture functionality similar to the logging flash-bufferwrap and logging ftp-bufferwrap. I would like to see the ASA write out new capture files as the buffer is filled and have the functionality to write these out to a remote server, i.e. tftp, ftp, scp, etc, etc... Maybe I will get around to submitting a feature request via TAC...

In any case, great post and thanks for your help!

Cheers.

M4uricioPC Fri, 08/22/2014 - 11:12

Hello,

I can download the capture from a web browser as follows (password replaced with a placeholder):
https://myusername:<password>@192.168.1.100/capture/capin/pcap

but wget at linux shows the following:

[linuxuser@<host> ~]$ wget -P /home/linuxuser 'https://myusername:<password>@192.168.1.100/capture/capin/pcap' --no-check-certificate
--2030-07-22 07:57:03--  https://myusername:<password>@192.168.1.100/capture/capin/pcap
Connecting to 192.168.1.100:443... connected.
WARNING: cannot verify 192.168.1.100’s certificate, issued by “/CN=192.168.1.100”:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 401 Unauthorized

Any idea?
