I never knew you could get tcpdump-format files from a cisco ASA. Very cool!
The capture process is the same, but then stop the capture with the command "no capture $CAPNAME interface $INTERFACE" instead of "no capture $CAPNAME". Then you can go to the ASA's web site and find the file in "http://$FIREWALL/capture/$CAPNAME/pcap"
Download it and then you're good to open it with tcpdump or wireshark or whatever your packet capture viewer of choice is.
It doesn't look like there's a way to tftp it rather than turning on the ASA's http server for the duration of the download.
- ▼ December (6)