packet capture

zaferberber — Mon, 07 Nov 2016 14:13:54 GMT

Hi,

Firepower 8000 series sensor deployed inline mode and i want capture spesific ip address from sensor, i got answer from support they say it is not possible.

for example ip address: 1.1.1.1

src: 1.1.1.1 dst any and connection logging enabled.

traffic match the ip adress and sensor bypass this ip address on hardware level. it is ok

my question is how can i see connection information or packet capture about this ip address?

version is 5.4.x

zafer

Re: packet capture

Veronika Klauzova — Mon, 12 Dec 2016 18:26:36 GMT

Hello Zafer,

how are you doing? I will try to answer your question, but not sure if I understand all details that are required from your side, so feel free to ask additional questions.

In case that you want to capture on sensor's CLI only traffic that matches specific IP address, you can apply following filter to the capturing tool:

> system support capture-traffic

Please choose domain to capture traffic from:

0 - eth0

1 - in (Interfaces s1p1, s1p2)

Selection? 1

NOTE: These changes will be lost the next time detection is reconfigured!

Please specify tcpdump options desired.

(or enter '?' for a list of supported options)

Options: src host 10.10.10.102

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on nfe0.1.22:nfe1.1.22:nfe2.1.22:nfe3.1.22, link-type EN10MB (Ethernet), capture size 96 bytes

18:02:00.868597 IP 10.10.10.102 > 10.10.10.1: ICMP echo request, id 62476, seq 101, length 64

18:02:01.869797 IP 10.10.10.102 > 10.10.10.1: ICMP echo request, id 62476, seq 102, length 64

...

--note this filter will match only against the traffic that is initiated from the source IP address 10.10.10.102, if you don't care where the host IP address is seen SRC or DST packet header field, then you can simply use filter "host 10.10.10.102" and that would match traffic bi-directionally.

You can also write the matching filter output to the packet capture (.pcap) file. Here are some good examples of the packet capturing tool on Firepower devices:

http://www.cisco.com/c/en/us/support/docs/security/sourcefire-firepower-8000-series-appliances/117778-technote-sourcefire-00.html

But basically you can do much more, just look through the tcpdump BPF syntax and you can apply the same to the system support capture-traffic as on the background the tcpdump would be running.

If you want to see connection information, you can login to the FireSIGHT Management Center and review Analysis -> Connection Events table where you can edit search and filter logs by Initiator IP address.

If I misunderstood your question anyhow please provide more details.

Best regards,

Veronika Klauzova

Re: packet capture

zaferberber — Tue, 10 Jan 2017 19:12:38 GMT

Hi Veronika,

my problem is the trust rule.

support said it is not possible logging connection or take packet capture trusted traffic.

zafer

topic Re: packet capture in Network Security

packet capture

Re: packet capture

Re: packet capture