Cisco Support Community
New Member

Can't view all captured packets.

Hello,

Is there any command which allows changing the number of displayed captured packets?

I have the following capture setup:

capture SFTP_TEST type raw-data access-list SFTP_TEST buffer 200000 interface inside circular-buffer [Capturing - 199102 bytes]

When I issue the command show capture SFTP_TEST I get:

1676543 packets captured

1...

2...

and so on

157 packets shown.

So far I have tried:

show capture SFTP_TEST count 10000

same result (only 157 are shown)

same when I try

show capture SFTP_TEST count 10

(always displays magic number 157)

I have a very similar capture setup on another firewall and I can view all packets without any problems.

Any help will be much appreciated.

Regards

Mariusz


1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: Can't view all captured packets.

Hi,

And also,

I think your capture buffer is too small. It's 200KB and it's filled already, and the ASA is overwriting the old content because of "circular-buffer". This is why NOT every captured packet is in the capture, as the buffer has been configured too small. I generally use the max size, that's close to 33,5MB.

- Jouni

4 REPLIES
Super Bronze

Can't view all captured packets.

Hi,

I would suggest copying the whole capture to your local computer and opening it with Wireshark:

copy /pcap capture:SFTP_TEST tftp://x.x.x.x/SFTP_TEST.pcap

Hope this helps

- Jouni

New Member

Can't view all captured packets.

Hi Jouni,

Thanks for replying.

I thought the same, but the confusing bit was the different number of packets captured and number of packets displayed.

Looks like the "packets captured" shows the total number of packets processed by the defined capture rather than packets in the buffer, so it makes sense what you said.

I have reconfigured this with the maximum 33554432 buffer and I'll post the outcome in a few days.

Regards

Mariusz

New Member

Can't view all captured packets.

That worked.

Many thanks!
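
The behaviour worked out in this thread, as an added example that is not part of the original posts and is not Cisco's code: a model of a byte-bounded circular buffer, showing why the "packets captured" counter keeps growing while only the packets still held in the buffer are shown. The class and function names, the constant 1268-byte packet size and the absence of per-packet overhead are assumptions chosen for illustration.

```python
from collections import deque
from itertools import repeat


class CircularCapture:
    """Model of a byte-bounded capture buffer that overwrites its oldest packets."""

    def __init__(self, buffer_bytes):
        self.buffer_bytes = buffer_bytes
        self.packets = deque()  # (sequence number, length) of packets still held
        self.used = 0           # bytes currently occupied
        self.captured = 0       # running total of matched packets, never decremented

    def add(self, length):
        self.captured += 1
        if length > self.buffer_bytes:
            return  # assumption of this model: an oversized packet is counted, not stored
        # Evict from the oldest end until the new packet fits.
        while self.used + length > self.buffer_bytes:
            _, old_length = self.packets.popleft()
            self.used -= old_length
        self.packets.append((self.captured, length))
        self.used += length

    def summary(self):
        oldest = self.packets[0][0] if self.packets else None
        return {"captured": self.captured, "shown": len(self.packets),
                "used": self.used, "oldest_seq": oldest}


def simulate(buffer_bytes, lengths):
    """Feed an iterable of packet lengths through the model and return its summary."""
    cap = CircularCapture(buffer_bytes)
    for length in lengths:
        cap.add(length)
    return cap.summary()


if __name__ == "__main__":
    # Constructed traffic: 1,676,543 packets of 1268 bytes each (sizes are not from the page).
    traffic = 1676543
    for size in (200000, 33554432):
        print(size, simulate(size, repeat(1268, traffic)))
```

For incident response the useful figure is `oldest_seq`: everything before that packet has been overwritten, so a circular capture only ever covers the most recent window of traffic that fits in the buffer.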
