packet capture

Hi,

I have a Firepower 8000 series sensor deployed in inline mode and I want to capture a specific IP address from the sensor. I got an answer from support; they say it is not possible.

For example, IP address: 1.1.1.1

src: 1.1.1.1, dst: any, and connection logging enabled.

Traffic matches the IP address and the sensor bypasses this IP address at the hardware level. That is OK.

My question is: how can I see connection information or a packet capture for this IP address?

Version is 5.4.x

zafer

Cisco Employee

Hello Zafer,

How are you doing? I will try to answer your question, but I am not sure I understand all the details required from your side, so feel free to ask additional questions.

In case you want to capture on the sensor's CLI only the traffic that matches a specific IP address, you can apply the following filter to the capturing tool:

> system support capture-traffic
Please choose domain to capture traffic from:
  0 - eth0
  1 - in  (Interfaces s1p1, s1p2)
Selection? 1
NOTE: These changes will be lost the next time detection is reconfigured!
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: src host 10.10.10.102
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on nfe0.1.22:nfe1.1.22:nfe2.1.22:nfe3.1.22, link-type EN10MB (Ethernet), capture size 96 bytes
18:02:00.868597 IP 10.10.10.102 > 10.10.10.1: ICMP echo request, id 62476, seq 101, length 64
18:02:01.869797 IP 10.10.10.102 > 10.10.10.1: ICMP echo request, id 62476, seq 102, length 64
...

Note: this filter will match only traffic initiated from the source IP address 10.10.10.102. If you don't care whether the host IP address is seen in the SRC or DST packet header field, you can simply use the filter "host 10.10.10.102", which would match traffic bi-directionally.

You can also write the output matching the filter to a packet capture (.pcap) file. Here are some good examples of the packet capturing tool on Firepower devices:

http://www.cisco.com/c/en/us/support/docs/security/sourcefire-firepower-8000-series-appliances/117778-technote-sourcefire-00.html

But basically you can do much more: just look through the tcpdump BPF syntax and you can apply the same to system support capture-traffic, as in the background tcpdump is running.

If you want to see connection information, you can log in to the FireSIGHT Management Center and review the Analysis -> Connection Events table, where you can edit the search and filter logs by Initiator IP address.

If I misunderstood your question in any way, please provide more details.

Best regards,

Veronika Klauzova
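To make the difference between the "src host" and "host" filters concrete, here is an added Python example (not from this thread or from Cisco) that applies both to constructed tcpdump summary lines in the format the capture tool prints above; the sample lines, addresses and helper names are assumptions.

```python
import re

# Constructed sample of tcpdump summary lines, in the same format as the
# "system support capture-traffic" output above (not real captured traffic).
SAMPLE_LINES = [
    "18:02:00.868597 IP 10.10.10.102 > 10.10.10.1: ICMP echo request, id 62476, seq 101, length 64",
    "18:02:00.868902 IP 10.10.10.1 > 10.10.10.102: ICMP echo reply, id 62476, seq 101, length 64",
    "18:02:01.869797 IP 10.10.10.102 > 10.10.10.1: ICMP echo request, id 62476, seq 102, length 64",
    "18:02:01.870100 IP 10.10.10.1 > 10.10.10.102: ICMP echo reply, id 62476, seq 102, length 64",
    "18:02:02.120000 IP 10.10.10.55.44321 > 10.10.10.1.53: 1234+ A? example.com. (29)",
]

# "<timestamp> IP <src> > <dst>:" -- src/dst may carry a trailing ".port".
_LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+):")


def _strip_port(addr: str) -> str:
    """Drop tcpdump's trailing .port from an IPv4 host.port token."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def parse_line(line: str):
    """Return (timestamp, src_ip, dst_ip) or None for lines that are not IP summaries."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return m["ts"], _strip_port(m["src"]), _strip_port(m["dst"])


# Predicates modelling the BPF primitives discussed in the reply.
def bpf_src_host(ip): return lambda src, dst: src == ip      # "src host <ip>"
def bpf_dst_host(ip): return lambda src, dst: dst == ip      # "dst host <ip>"
def bpf_host(ip): return lambda src, dst: ip in (src, dst)   # "host <ip>"


def apply_filter(lines, predicate):
    """Keep only the summary lines whose src/dst satisfy the predicate."""
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and predicate(parsed[1], parsed[2]):
            kept.append(line)
    return kept


if __name__ == "__main__":
    # "src host" sees only the echo requests; "host" also sees the replies.
    print(len(apply_filter(SAMPLE_LINES, bpf_src_host("10.10.10.102"))))  # 2
    print(len(apply_filter(SAMPLE_LINES, bpf_host("10.10.10.102"))))      # 4
```

The same asymmetry applies on the sensor: a "src host" filter written while troubleshooting a connection will never show the return traffic, so prefer "host" unless one direction is really all you want.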


Hi Veronika,

My problem is the trust rule.

Support said it is not possible to log connections or take a packet capture of trusted traffic.

zafer
