Can you sniff traffic from

mk-brown · ‎03-12-2015

We're trying to get a new Sourcefire solution up and running. We're using the virtual servers rather than physical installed onto an ESXi 5.1 host.

We're running the 3DS in passive mode so we have 3 network adapters configured, 1 for management, 1 for internal traffic and 1 for external traffic (2 separate physical switches handle each).

I've configured the two physical switches to mirror from port X to port Y and connected 2 physical network ports on the ESXi host to each port Y on the physical switch.

I've created two separate vSwitches with each physical network port confgured in each, so vmnic2 is on vSwitch External and vmnic3 is on vSwitch Internal. vmnic2 is connected to Port Y on physical switch 1 and vmnic3 is connected to Port Y on physical switch2.

Each vSwitch and PortGroup has been configured to accept promiscuous accept MAC address changes and Accept Forged transmits.

With all this configured and from what I can find out this is how it needs to be configured, I'm not seeing any traffic on the 3DS. The Defence Center is showing no traffic and no connections.

Has anyone got any suggestions on what I've missed or how this is supposed to be configured?

adhogan · ‎03-12-2015

Can you sniff traffic from your sensing interfaces? See anything?

Then at least we can figure out if it's a policy issue or a network setup issue.

mk-brown · ‎03-12-2015

How do I check if I can sniff traffic? I'm not seeing anything when I do a show itraffic-statistics on the 3DS.

update: I found out how to do a tcpdump from the command line of the 3DS and it's definitely receiving traffic from the mirrored switch port, so it must be a configuration issue, so passing onto the contractor doing that to fix.

adhogan · ‎03-13-2015

http://www.cisco.com/c/en/us/support/docs/security/sourcefire-firepower-8000-series-appliances/117778-technote-sourcefire-00.html

Virtual 3DS on ESXi