For weeks I have been trying to figure out how to get packet captures off an ASA before the buffer is full or overwritten. It always seems like I was too late go get the capture I wanted manually, so here is what I came up with. I have found this to be a life saver for intermittent and unpredictable network events.
Using a circular-buffer and the Linux "wget" and "crontab" commands you can automate the download of your capture file off of your ASA and store as many captures as you have disk space. There might be some overlap between captures but at least you are going to have the packet captures you need. I am using Debian Etch but the commands are very generic and should work with any Linux distribution or Cygwin if you are stuck with Windows. My ASA software is version 7.2(3)12.
First, create an access-list for the captures you want on your ASA. Let's say between two devices:
access-list cap extended permit ip host 10.10.150.1 host 192.168.0.1
access-list cap extended permit ip host 192.168.0.1 host 10.10.150.1
Second, start your capture.
capture capout access-list cap interface outside buffer 1000000 circular-buffer
I am increasing the size of the buffer so I don't have to pull the captures off of the ASA so often. And, I am setting the circular-buffer command so the capture buffer starts overwriting old packet captures when it gets full. If you don't set this the capture just stops when the buffer is full.
Third, create an executable file on your Linux box and enter all on one line:
wget -P /home/directory 'https://username:'password'@ASA/capture/capout/pcap' -–no-check-certificate
wget is a very powerful program from the Linux/Unix world. It is great for pulling content off of a website without going through a browser. This command will place your capture files in the /home/directory. Unfortunately this is not very secure because the password to your ASA is in this file for anyone who has privileges to read. So be careful where you put it and who can see it.
Fourth, create your crontab. We will set the crontab to download the capture every half hour.
At the command prompt enter:
Then add a line like this:
30 * * * * /directory/of/your/executable_in_step_three
Make sure the permissions on the file allow it be executed. Now, what will happen is every half hour the crontab will download the pcap file to the directory you specified. The first file will be named pcap, the second pcap.1, third pcap.2 and so on. You need to be careful to make sure your crontab is downloading the pcap file before the new packet captures get overwritten. You can adjust either your crontab time or the buffer size on your ASA to accomplish this.
- Brian Kimsey-Hickman, Orange County Controller's Office, Orlando, FL, USA