How to adjust the Cisco ASA capture buffer to allow a larger packet-capture size

When troubleshooting communication across the network, you will often be asked for artifacts showing which side sent the reset (RST) and why, or the reason a packet was dropped.

There is no better tool than a packet capture that you can export to Wireshark for analysis. Mastering this technique will make your life a lot easier – trust me!

The Cisco ASA capture command lets you sniff a specific interface, filtered by source and destination. The only problem with this feature is its buffer size.

By default, any capture you create is limited to 512 KB (524288 bytes). In many cases the buffer fills before the event you are looking for happens, so you do not get what you need and have to redo the test. Once full, show capture reports the capture like this (the byte count shown is the space actually in use, which can be slightly below the limit because only whole packets are stored):

capture drop type asp-drop all [Buffer Full - 524236 bytes] 

This can be increased by up to 64x, to 32 MB (33554432 bytes).

To override the default buffer on a capture that already exists, re-enter the capture name with the buffer keyword, i.e.:

capture drop type asp-drop all
capture drop buffer x

x is the new size in bytes. The CLI help for the keyword shows the accepted range: <1534-33554432> Size of capture buffer in bytes. The same buffer keyword can also be given in the command that creates the capture, so you do not have to resize it afterwards.

The capture can later be reviewed in the CLI or downloaded for further analysis in Wireshark or other software.

For anybody running multiple-context mode firewalls, the copy command needs the context name prefixed to the capture name. The command is executed from the system context:

copy /pcap capture:contextName/captureName tftp://tftpServerIP/nameOfTcpDump.pcap 
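The whole procedure end to end, as an added example that is not from the original post: the interface name, host addresses, capture names, context name and TFTP server are assumed. The buffer is requested in the command that creates the capture rather than set afterwards, and the match filter limits the buffer to the flow being investigated so it is not consumed by unrelated traffic.

```text
! Added example (not from the original post). Interface, addresses,
! capture names, context name and TFTP server are assumed.

! 1. Capture only the flow under investigation, with the maximum 32 MB
!    buffer. The match keyword captures both directions of the flow.
capture CAPIN interface inside buffer 33554432 match ip host 10.1.1.10 host 10.2.2.20

! 2. Capture every packet the ASA itself drops, with the drop reason,
!    using the same buffer size.
capture CAPDROP type asp-drop all buffer 33554432

! 3. Alternative for long-running tests: keep overwriting the oldest
!    packets instead of stopping when the buffer is full.
! capture CAPIN interface inside buffer 33554432 circular-buffer match ip host 10.1.1.10 host 10.2.2.20

! 4. Watch the fill level. "[Buffer Full - N bytes]" means the capture
!    stopped and anything after that point was not recorded.
show capture

! 5. Quick look in the CLI; asp-drop packets are listed with their drop reason.
show capture CAPDROP

! 6. Export as pcap for Wireshark. Single-context mode:
copy /pcap capture:CAPIN tftp://10.9.9.9/CAPIN.pcap
!    Multiple-context mode, from the system context, with the context name:
copy /pcap capture:CTX1/CAPIN tftp://10.9.9.9/CTX1-CAPIN.pcap
!    Or fetch it over HTTPS from the management interface (single-context):
!    https://<asa-management-ip>/admin/capture/CAPIN/pcap

! 7. Remove the captures when finished; the buffers are allocated from RAM.
no capture CAPIN
no capture CAPDROP
```

The capture buffers come out of the ASA's main memory, so on a small platform check show memory before leaving several 32 MB captures defined, and remove them with no capture once the pcap has been copied off.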

That is it, I hope you find this informative and good luck.
