Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1850
Views
0
Helpful
3
Replies

Get pcap data file via API

Kenjiro Kanemaki
Level 1
Level 1

‎02-03-2017 02:37 AM - edited ‎03-12-2019 06:16 AM

Hi experts,

I have a question about API capability for pcap file.

I want to deploy the following workflow system.

  1, Firepower filter and capture malformed packets in accordance with IPS rule.

  2, Firepower management center sends syslog alert to SIEM system about the filtering or capturing.

  3, The SIEM gets the pcap file that related to the syslog alert via API.

[Q]

Does firepower management center support the API to get pcap file?

Regards,

Kenjiro Kanemaki

Labels:
0 Helpful
3 Replies 3

dohurd
Cisco Employee
Cisco Employee

‎02-03-2017 07:42 AM

There two ways I know of to obtain the PCAP for a specific Snort (IDS/IPS) event.

1. Request packets through the eStreamer API.  You'll get all the packets all the time.  It is possible to request a specific PCAP through estreamer but I'm not entirely sure how thats done. Arcsight does using the timestamp for the Snort event but this approach is prone to error (see no.2).

2. Using the JDBC interface you can request a packet using Timestamp, Event ID and device name from the Snort event.  This tuple of information assures that you'll get _the_ correct packet and is a better way to implement option 1.

0 Helpful

Kenjiro Kanemaki
Level 1
Level 1
In response to dohurd

‎02-03-2017 08:54 AM

Thank you very much for your quick answer! I'll consider it with the two ways.

0 Helpful

kprior201
Level 1
Level 1
In response to dohurd

‎01-23-2019 01:27 PM

Do you have any further instructions on retrieving the PCAP via JDBC? I can't seem to retrieve a usable capture at this time - just the hex. The binary pull doesn't supply anything that is viewable.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card