Cisco CCNP Security SNCF- Firepower Trigger PCAPS

---

Hi

I use Firepower at work and security events are fed in Splunk and from the there we have set up an Event Actions Workflow (visiable within any event) and I can click on custom text " Get PCAP Text" and and api call I believer is made to Firepower to pull back the trigger PCAP in text base format.

Is there a max time setting for how long these trigger PCAPs can be stored on the device for? It is currently set to 2.5 days, so if there is an event older than 2.5 days I can't rely on the trigger pcaps straight out of FirePower to assist in making a determination.

Does anyone know what the max setting is or any other way around this?

@Robert-Whittaker,

Anthony may have a better answer than I do on this one. If you're on a Firepower 4100/9300, you could download the pcap file via the CLI and SCP to your local computer.

I'm not that good with scripting (yet), but I'm fairly sure you could create a cron job to do this.

Remember pcap files are stored in the workspace://packet-capture directory

Firepower-chassis# connect localmgmt 
# copy workspace:/packet-capture/session-1/test-ethernet-1-1-0.pcap scp://user@192.168.10.11:/workspace/

Yeah - I like where Ronnie is going here, but I cannot find the setting which permits the configuration of retaining them for longer on the FTD.

I am sure you have seen this document:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html