Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
443
Views
0
Helpful
4
Replies

Can't view all captured packets.

Go to solution
Mariusz Bochen
Level 1
Level 1

‎10-10-2013 04:46 AM - edited ‎03-11-2019 07:50 PM

Hello,

Is there any command which allows to change number of displayed captured packets?

I have a following capture setup:

capture SFTP_TEST type raw-data access-list SFTP_TEST buffer 200000 interface inside circular-buffer [Capturing - 199102 bytes]

when I issue command show capture SFTP_TEST I get:

1676543 packets captured

1...

2...

and so on

157 packets shown.

So far I have tried:

show capture SFTP_TEST count 10000

same result (only 157 are shown)

same when I try

show capture SFTP_TEST count 10

(always displays magic number 157)

I have a very similar capture setup on another firewall and I can view all packets without any problems.

Any help will be much appreciated.

Regards

Mariusz


Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎10-10-2013 04:50 AM

Hi,

And also,

I think your capture buffer is too small. Its 200KB and its filled already and the ASA is overwriting the old content because of "circular-buffer". This is why NOT every capture packet is in the capture as the buffer has been configured too small. I generally use the max size thats close to 33,5MB

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-10-2013 04:48 AM

Hi,

I would suggest copying the whole capture to your local computer and open it with Wireshark

copy /pcap capture:SFTP_TEST tftp://x.x.x.x/SFTP_TEST.pcap

Hope this helps

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎10-10-2013 04:50 AM

Hi,

And also,

I think your capture buffer is too small. Its 200KB and its filled already and the ASA is overwriting the old content because of "circular-buffer". This is why NOT every capture packet is in the capture as the buffer has been configured too small. I generally use the max size thats close to 33,5MB

- Jouni

0 Helpful

Go to solution
Mariusz Bochen
Level 1
Level 1
In response to Jouni Forss

‎10-11-2013 01:58 AM

Hi Jouni,

Thanks for replying.

I though the same, but the confusing bit was different number of packets captured and number of packets displayed.

Looks like the “packet captured” shows total number of packets processed by the defined capture rather than packets in the buffer so it makes sense what you said.

I have reconfigured this with the maximum 33554432 buffer and I’ll post the outcome in few days.

Regards

Mariusz

0 Helpful

Go to solution
Mariusz Bochen
Level 1
Level 1
In response to Jouni Forss

‎10-11-2013 03:14 AM

That worked.

Many thanks!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card