Sniffing and C&C on same interface

balien
Level 1

I was wondering if it is possible to configure C&C and sniffing interface on one interface? How to do this ? I have IDS4215 version 4.1

8 Replies

scothrel
Level 3

You cannot put the C&C interface on a sniffing interface. There is a different driver involved for pulling packets off of the sniffing interface, which does not have a network stack connected.

Scott

I don't think that this can be a problem. The system is Red Hat and I can sniff packets on my Red Hat system without any problems on the same interface. Maybe it is not supported by IDS-4215?

You can sniff packets on your C&C interface; you just can't use the interface for IDS monitoring.

If you want to run tcpdump on that interface, for whatever reason, you can. You just need to do a few things first:

1) If you don't have one built, create the "service" account

2) Log in to the "service" account and issue the command 'su -' to become "root"

3) As "root", run tcpdump using the interface 'eth1' (e.g. - tcpdump -i eth1 -tttt -nvSXs 1514 etc.)

I guess the confusion here was what exactly you meant when you asked about C&C and "sniffing" on the same interface.

I hope this helps,

Alex Arndt

Ahh, ok. I interpreted "sniffing" as "IDS sniffing"...a different thing altogether.

Alex,

Are you aware of any adverse effects of using tcpdump while the blade is also processing packets for signatures? Does it stop monitoring when issuing the tcpdump command or does it send the CPU over the top?

Thanks

Sorry for taking so long to reply to this...

No, I am not personally aware of any adverse effects of running tcpdump on a Cisco IDS/IPS appliance that is actively employed in the sensor role.

Originally, you couldn't use tcpdump on a v4.0 sensor without first stopping the IDS processes, but that was fixed in v4.1 and I believe it's the same for v5.0 too. Essentially, log in to the service account and have at it...

My experience running tcpdump is wholly on the IDS/IPS-4200 appliances; I have yet to try running it on an IDSM-2. As a result, I cannot state with any authority that your results will be the same if you try running tcpdump on an IDSM-2, especially when it comes to the potential impact to the processor itself. In my experience though, it has had very little impact on the processor used in the IDS/IPS-4200 devices.

Perhaps someone from Cisco can advise us if there are any performance considerations/issues involving the use of tcpdump on an IDSM-2?

Alex Arndt

Running tcpdump (or the packet display/capture commands in version 5.0) will have a performance impact on the sensor.

If the sensor is only monitoring half its rated bandwidth (like only monitoring 125 Mbps with an IPS-4240 rated for 250 Mbps), then you likely won't see much of an issue.

But if your sensor is monitoring closer to or at its maximum rated bandwidth (like monitoring over 200 Mbps with an IPS-4240 rated for 250 Mbps), then yes, you will probably see a performance degradation on the sensor and possibly see packet drops.

Tcpdump (and the packet command in version 5.0) run as a separate process and so consume both CPU and memory that would have otherwise been available for the sensorApp process to use for monitoring. If sensorApp is not monitoring near its rated performance, then this isn't a big issue because the CPU and memory are available for other processes. But when sensorApp is pushing the upper performance limits on the platform, sensorApp is consuming as much CPU and memory as exists on the sensor.

If you plan on using tcpdump (or the packet command) on a regular basis then you should plan on this impact when determining the sensor model you want to deploy.

If you need to monitor 250 Mbps of traffic, then don't purchase the IPS-4240 rated for 250 Mbps; instead, purchase the IPS-4255 rated for 600 Mbps.

The extra CPU and memory on the IPS-4255 gives you plenty of headroom to run tcpdump (or the packet command) when you are monitoring 250 Mbps.

Thanks Marcoa, that's awesome info, IMHO.

BTW, just want to go on record as saying that, as per normal, my comments are centred on IDS v4.1, and not IPS 5.0 (I'm not running that code, yet...).

I have to remember to explicitly state that, don't I? =)

Alex Arndt
