Packet Capture – ASA and SNMP

Here are the exact capture commands you can run on the ASA to check SNMP traffic to/from NMS(192.0.2.101).

#CAPTURE CONFIG

Capture SNMP Polling (UDP/161)

This will capture SNMP requests (from NMS) and responses (from ASA/FXOS):

capture SNMP-POLL interface  match udp host 192.0.2.101 eq 161

Replace with the interface NMS uses to reach the ASA (for example inside or mgmt).

Capture SNMP Traps (UDP/162)

This will capture traps/notifications the ASA sends to NMS:

capture SNMP-TRAPS interface  match udp host 192.0.2.101 eq 162

Check Captures
To view packets in real time:

show capture SNMP-POLL
show capture SNMP-TRAPS

To export to Wireshark (more readable):

copy /pcap capture:SNMP-POLL tftp:
copy /pcap capture:SNMP-TRAPS tftp:

The OID requested (NMS → ASA)
The response (ASA → NMS)
Whether it’s a valid value, noSuchObject, or empty

#WIRESHARK FILTERS

Show Only SNMP Traffic

snmp

This will display all SNMP (v1, v2c, v3) packets.

Show Only Polling (Requests/Responses on UDP/161)

udp.port == 161

Show Only Traps (on UDP/162)

udp.port == 162

Filter by Your NMS Server

ip.addr == 192.0.2.101 && snmp

This shows only SNMP traffic to/from NMS.
Check for NULL or Missing OIDs

Expand the SNMP layer in Wireshark:
Look at the “Object Name (OID)” and “Value” fields.

If you see noSuchObject or noSuchInstance, it means the ASA/FXOS doesn’t support that OID in this version (or NMS is polling the wrong one).

If you see real values (like integers, counters, strings) but NMS still shows NULL, then the issue is NMS-side (MIB/translation).

#GETTING THE CAPTURE TO A SERVER OR LAPTOP

1. Export the Capture to a File
The ASA can export captures in .pcap format. Two common methods:

Option A: TFTP (most common in production)

copy /pcap capture:SNMP-POLL tftp:

It will prompt:

Address or name of remote host []?
Destination filename [SNMP-POLL.pcap]?
Repeat for SNMP-TRAPS if needed.

Now you’ll have a .pcap on your TFTP server that you can pull to your laptop and open in Wireshark.

Option B: Export via Browser (if HTTPS/ASDM is enabled)

If HTTPS is enabled on the ASA:
Go to:
https://{ASAIP/FQDN}/capture/SNMP-POLL/pcap

Or for traps:
https://{ASAIP/FQDN}/capture/SNMP-TRAPS/pcap

This downloads the capture directly to your laptop.
Option C: Export via FTP/SCP

If FTP or SCP is allowed:

copy /pcap capture:SNMP-POLL ftp:
copy /pcap capture:SNMP-POLL scp:

2. Open in Wireshark
Once the .pcap is on your laptop:
Double-click the file, or
Open Wireshark → File → Open → SNMP-POLL.pcap
Apply filters like:

ip.addr == 192.0.2.101 && snmp

That’s it. Now you’ll see the raw SNMP requests (NMS → ASA) and responses (ASA → NMS).

#CLEANUP

Remove a Specific Capture
If you only want to clear one:

no capture SNMP-POLL
no capture SNMP-TRAPS

Remove All Captures
To clear all captures at once:

clear capture

Verify Cleanup
Check that nothing is left:

show capture

If it returns nothing, the ASA memory is free of captures.

Best practice: Always clean up after exporting, since captures live in ASA memory and can fill up quickly if left running.

Packet Capture – ASA and SNMP

#CAPTURE CONFIG

#WIRESHARK FILTERS

#GETTING THE CAPTURE TO A SERVER OR LAPTOP

#CLEANUP

SNMP vs. Syslog: Understanding Traps, Polling, and When to Use Each

Cisco VPN Tunnel Troubleshooting – IKEv1 and IKEv2 – ASA and ASR1001 (with VRF examples)

Power Up Your Firewalls: A Guide to Using Palo Alto’s EDL Hosting Service

Using Chrome’s Net Export Tool for Network Diagnostics