Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Packet Captures Save Location

Where is the data from packet captures saved to on the ASA firewall? It seems as though there is plenty of documentation out there on how to set up packet captures but none on where that data is stored. Is it stored to memory? Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Hi, Did a quick test on my

Hi,

 

Did a quick test on my home ASA5505

 

It seems to me that when you configure the "capture" and set the "buffer" the ASA immediately reserves that amount from the RAM

 

capture TEST-CAP type raw-data access-list TEST-CAP buffer 20000000 packet-length 1522 interface WAN circular-buffer [Capturing - 7090435 bytes]


ASA# show memory
Free memory:          20269800 bytes ( 8%)
Used memory:         248165656 bytes (92%)
-------------     ------------------
Total memory:        268435456 bytes (100%)


ASA# no capture TEST-CAP


ASA# show memory
Free memory:          40275512 bytes (15%)
Used memory:         228159944 bytes (85%)
-------------     ------------------
Total memory:        268435456 bytes (100%)

 

As you can see, after removing the capture which is set for around 20MB that amount of RAM is freed up on the ASA.


Hope this helps :)

 

- Jouni

4 REPLIES
Super Bronze

Hi, To my understanding the

Hi,

 

To my understanding the ASA keeps it in the RAM. Too bad that there does not seem to be a option to save the capture data somewhere else. The limitation of about 35MB per capture seems silly considering the ASA models we are using have 12GB RAM and its not really in heavy use. Not to mention there are HD slots on the units which cant be used either.

 

One special thing about the capture configuration also is that it does not get saved in the configurations and when a reload happens the captured data is gone also.

 

- Jouni

Super Bronze

Hi, Did a quick test on my

Hi,

 

Did a quick test on my home ASA5505

 

It seems to me that when you configure the "capture" and set the "buffer" the ASA immediately reserves that amount from the RAM

 

capture TEST-CAP type raw-data access-list TEST-CAP buffer 20000000 packet-length 1522 interface WAN circular-buffer [Capturing - 7090435 bytes]


ASA# show memory
Free memory:          20269800 bytes ( 8%)
Used memory:         248165656 bytes (92%)
-------------     ------------------
Total memory:        268435456 bytes (100%)


ASA# no capture TEST-CAP


ASA# show memory
Free memory:          40275512 bytes (15%)
Used memory:         228159944 bytes (85%)
-------------     ------------------
Total memory:        268435456 bytes (100%)

 

As you can see, after removing the capture which is set for around 20MB that amount of RAM is freed up on the ASA.


Hope this helps :)

 

- Jouni

Community Member

Wow Jouni! Thanks!

Wow Jouni! Thanks!

hi,yes, i would agree with

hi,

i would agree with jouni. there's a special buffer that's stored in RAM (or DRAM).

you could verify this with show memory command before and after doing packet captures on the ASA.

just look under the % free and used memory.

69
Views
4
Helpful
4
Replies
CreatePlease to create content