11-07-2016 06:13 AM
Hi,
Firepower 8000 series sensor deployed in inline mode, and I want to capture a specific IP address from the sensor; I got an answer from support, they say it is not possible.
For example, IP address: 1.1.1.1
src: 1.1.1.1 dst any, and connection logging enabled.
Traffic matches the IP address and the sensor bypasses this IP address on the hardware level. That is OK.
My question is: how can I see connection information or a packet capture for this IP address?
Version is 5.4.x.
zafer
12-12-2016 10:26 AM
Hello Zafer,
How are you doing? I will try to answer your question, but I am not sure I understand all the details required from your side, so feel free to ask additional questions.
In case you want to capture on the sensor's CLI only the traffic that matches a specific IP address, you can apply the following filter to the capturing tool:
> system support capture-traffic
Please choose domain to capture traffic from:
0 - eth0
1 - in (Interfaces s1p1, s1p2)
Selection? 1
NOTE: These changes will be lost the next time detection is reconfigured!
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: src host 10.10.10.102
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on nfe0.1.22:nfe1.1.22:nfe2.1.22:nfe3.1.22, link-type EN10MB (Ethernet), capture size 96 bytes
18:02:00.868597 IP 10.10.10.102 > 10.10.10.1: ICMP echo request, id 62476, seq 101, length 64
18:02:01.869797 IP 10.10.10.102 > 10.10.10.1: ICMP echo request, id 62476, seq 102, length 64
...
Note: this filter will match only against traffic initiated from the source IP address 10.10.10.102. If you don't care whether the host IP address is seen in the SRC or DST packet header field, then you can simply use the filter "host 10.10.10.102", which would match traffic bidirectionally.
You can also write the matching filter output to a packet capture (.pcap) file. Here are some good examples of the packet capturing tool on Firepower devices:
But basically you can do much more; just look through the tcpdump BPF syntax and you can apply the same to system support capture-traffic, as in the background tcpdump would be running.
If you want to see connection information, you can log in to the FireSIGHT Management Center and review the Analysis -> Connection Events table, where you can edit the search and filter logs by Initiator IP address.
If I misunderstood your question in any way, please provide more details.
Best regards,
Veronika Klauzova
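The src host versus host distinction from the answer above, as an added Python example that is not part of the thread or of the Firepower tooling: it parses tcpdump one-line summaries (constructed sample lines modelled on the capture output shown, plus the echo replies and one TCP flow) and applies the two filters as predicates, so you can see which lines each would keep.

```python
"""Apply BPF 'src host' / 'host' semantics to tcpdump one-line summaries."""
import re
from typing import Callable, Dict, Iterable, List, Optional

# Matches "HH:MM:SS.usec IP SRC > DST: info"; tcpdump appends ".port" to the
# address for TCP/UDP, so the port is captured as an optional group.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<info>.*)$"
)

def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the parsed fields of one summary line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def src_host(ip: str) -> Callable[[Dict[str, Optional[str]]], bool]:
    """BPF 'src host <ip>': keep only packets whose source address is <ip>."""
    return lambda pkt: pkt["src"] == ip

def host(ip: str) -> Callable[[Dict[str, Optional[str]]], bool]:
    """BPF 'host <ip>': keep packets with <ip> in either the source or destination."""
    return lambda pkt: ip in (pkt["src"], pkt["dst"])

def apply_filter(lines: Iterable[str], predicate: Callable) -> List[str]:
    """Return the lines that parse as packets and satisfy the predicate."""
    kept = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None and predicate(pkt):
            kept.append(line)
    return kept

# Constructed sample output (not a real capture): the thread's ICMP requests,
# the replies that a bidirectional filter would also show, one TCP SYN towards
# the host, and one unrelated DNS query.
SAMPLE = [
    "18:02:00.868597 IP 10.10.10.102 > 10.10.10.1: ICMP echo request, id 62476, seq 101, length 64",
    "18:02:00.869001 IP 10.10.10.1 > 10.10.10.102: ICMP echo reply, id 62476, seq 101, length 64",
    "18:02:01.869797 IP 10.10.10.102 > 10.10.10.1: ICMP echo request, id 62476, seq 102, length 64",
    "18:02:01.870200 IP 10.10.10.1 > 10.10.10.102: ICMP echo reply, id 62476, seq 102, length 64",
    "18:02:02.100000 IP 10.10.10.50.51234 > 10.10.10.102.443: Flags [S], seq 1, win 64240, length 0",
    "18:02:02.200000 IP 10.10.10.7.40000 > 10.10.10.8.53: 12345+ A? example.com. (29)",
]

if __name__ == "__main__":
    print(len(apply_filter(SAMPLE, src_host("10.10.10.102"))))  # 2: requests only
    print(len(apply_filter(SAMPLE, host("10.10.10.102"))))      # 5: both directions
```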
01-10-2017 11:12 AM
Hi Veronika,
My problem is the trust rule.
Support said it is not possible to log connections or take a packet capture of trusted traffic.
zafer