ASA Trace via CLI + Browser

Code Location
Readme Here
Document status DRAFT
Developers Group Effort


  • Currently to run an ASA Trace you have to log in to get a packet capture
  • As a test project we will create a python script and web front end to do the ASA packet capture on a given firewall

Background and strategic fit

This is a project we can use to learn the basics – python, CLI access to an ASA, building a command line program, and then porting it to the web.

Prerequisite Reading

Installing the components: Installing Python, Installing PipInstalling pexpect.

To run a python script at the command line, enter python by the script name.

Expect script high level

The basic script before any additional editing is here

Understanding the python code in the script:

A few articles on how to use pexpect: for beginnerspexpect documentation

Using Expect scripts and the like isn’t really ‘network programming’ or ‘SDN’ – people have been able to do this for quite a while. However, API’s aren’t available on most devices today so this is an introductory exercise that you can test on equipment you have around, and we can eventually change the CLI to a REST API call, for example.



  • You’ve got a linux shell and python shell set up. Check out documentation on the getting started page to get started here.
  • You’ve got a firewall to test with or you’ve got access to the remote firewall in the Cisco lab. See the mailing list for access to the lab.

How to Run:

There’s a demo of this in the webex recording below, otherwise here’s the instructions.

Follow the installation instructions for these three:Installing Python, Installing PipInstalling pexpect.

Copy the code down with copy and paste or with git:

git clone

cd to the newly created asa-capture directory

VPN into the lab by using Anyconnect Instructions, ignore everything after the VPN is established in those documents

Test by pinging

On the command line in Ubuntu type: ssh cisco@, press ‘yes’ for accepting the key. This is a mandatory step, the script doesn’t do this yet.

Quit the ssh session

Run the script with: python

Type ‘ls’ and there will be .txt or .log files depending on what show commands you ran.

To view the files type ‘cat’ and then the filename.


Webex Sessions:

Session 1: Here. Summary: Went over the script, how to install python, pip, pexpect. Ran the script, went over the code and then modified it a few times based on suggestions on the call. from the end of the session.

Next Steps:

Fix the code and send the edits to the list so we can make the script better, and it will post up to the group Github.

The code currently has a few problems, see if you can fix them. If so, send the fixes over!

  • You have to SSH manually to accept the key before the script will work
  • Using exscript or paramiko may be better – try to get a script working with those modules instead
  • The password, username, hostname, and IP addresses are manually added in the script. Change it to variables or better yet command line options!
  • We need to extend this to do a packet capture and pull the packet capture down manually – can you code that?


User Story
User Story
1 Send parameters Send ACL + intefaces and capture names to ASA 5 tuple
  • Will be sent via CLI
2 Login to ASA Log into the ASA, authenticate, send CLI, and get CLI feedback
3 Retrieve results Parse the data back from the firewall
4 Format and display results Copy the packet capture off the firewall and display it locally

User interaction and design

Still in development


Below is a list of questions to be addressed as a result of this requirements document:

How do we build the parameters
How do we login with expect and python
What errors do we have to worry about
How to access the Cisco lab for vASA

Not Doing