
Sunday, May 5, 2013

How to copy a pcap file from ASA firewall

Cisco's ASA firewall runs and saves packet captures differently from the familiar Linux tcpdump/Wireshark tools: the capture lives in a buffer on the firewall and has to be exported before you can open it elsewhere. Below is a quick recipe for copying a pcap file off the firewall for offline analysis.

Problem

How to copy a pcap file from an ASA.

Solution

This is our example capture session running on the ASA: a raw-data capture of the traffic matching access-list myacl on the outside interface, stored in a 100000-byte buffer.

capture mycap type raw-data access-list myacl buffer 100000 interface outside

By using the scp method.
 
ssh FW
# conf t
# (config) ssh scopy enable

# copy /pcap capture: flash:myfile.pcap

Source capture name []? mycap

Destination filename [myfile.pcap]?

!!!!!!!!!!!!!!!!!
433 packets copied in 0.170 secs

# now from another box you can download the file 
# scp user@fw-ip:myfile.pcap .

By using the https method.

# to restrict HTTPS management access, give a specific host/network and netmask
# instead of 0.0.0.0 0.0.0.0, which allows any source address on the outside interface
http 0.0.0.0 0.0.0.0 outside
http server enable

# the first URL shows the capture decoded as text, the second downloads it as a pcap file
https://user:pass@fw-ip/capture/capture-name
https://user:pass@fw-ip/capture/capture-name/pcap

Credentials embedded in the URL end up in shell history, browser history and proxy logs; letting the client prompt for them keeps them out of those places.
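Whichever way you pull the file off the ASA, it is worth checking that it is a complete pcap before spending time on it. The following Python is an added example, not code from the original post or from Cisco: it parses the libpcap global header and packet records and compares the packet count with the number the ASA printed at the end of the copy (433 above). The sample pcap it builds is constructed for the test, and the function names are mine.

```python
import struct

# libpcap magic numbers -> struct endianness prefix (us/ns timestamp variants)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}
LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Parse raw libpcap bytes; return (linktype, packet_count, truncated)."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    endian = PCAP_MAGICS.get(bytes(data[:4]))
    if endian is None:
        raise ValueError("not a libpcap file, magic=%s" % bytes(data[:4]).hex())
    # fields after the magic: version_major, version_minor, thiszone, sigfigs, snaplen, network
    _maj, _min, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    count, off, truncated = 0, 24, False
    while off < len(data):
        if off + 16 > len(data):
            truncated = True  # record header cut off (copy interrupted?)
            break
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            truncated = True  # packet body shorter than its declared length
            break
        count += 1
        off += 16 + incl_len
    return linktype, count, truncated

def copy_is_complete(data, packets_reported):
    """True only for a well-formed Ethernet pcap whose packet count matches the
    figure the ASA printed at the end of the copy ('433 packets copied')."""
    try:
        linktype, count, truncated = parse_pcap(data)
    except ValueError:
        return False
    return linktype == LINKTYPE_ETHERNET and not truncated and count == packets_reported

def build_sample_pcap(n_packets):
    """Constructed test input standing in for a file copied from the ASA:
    n minimal 60-byte Ethernet frames in a little-endian microsecond pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x00" * 46
    for i in range(n_packets):
        out += struct.pack("<IIII", 1367712000 + i, 0, len(frame), len(frame)) + frame
    return out
```

On a real download, read the file with `open(path, "rb").read()` and pass it to `copy_is_complete` together with the count from the ASA's "packets copied" line.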

