4250-XL fiber monitoring interface config questions

roxanne.tsui
Level 1

Hi, I need help with configuring the monitoring interfaces.

1) we are using 1 fiber monitoring port only. In the interface sensing group 0, it automatically detected int2 and int3. Do I need to remove 1 of them?

2) CLI shows both int2 and int3 are up, but link status is down. What could be the problem? The switch port shows it is in monitoring status.

3) how to determine the interface name? ifconfig -a and dmesg only shows eth0 and eth1. If I try tcpdump -i int2 or tcpdump -i falcon1, it returns no such device.

Any suggestions will be appreciated. Thanks.

4 Replies

marcabal
Cisco Employee

1) we are using 1 fiber monitoring port only. In the interface sensing group 0, it automatically detected int2 and int3. Do I need to remove 1 of them?

If you only want to monitor int2, then it becomes a question of what is being seen on int3. If int3 is not plugged in, then leaving it in the group presents no problems. If int3 is plugged into the switch and getting packets, then the extra packets will be monitored and could cause additional alarms to happen. In this case it is best to go ahead and remove int3 from the group so you don't get extra alarms you don't want.

2) CLI shows both int2 and int3 are up, but link status is down. What could be the problem? The switch port shows it is in monitoring status.

Haven't seen this problem before.

If the Span or VACL Capture is removed from the port, does the link show as Up?

Are the interfaces enabled (no shutdown) on the sensor as well as being in group 0?

Are the packet counts increasing on the 2 interfaces? (If packet counts increase, then the link must be up.)

3) how to determine the interface name? ifconfig -a and dmesg only shows eth0 and eth1. If I try tcpdump -i int2 or tcpdump -i falcon1, it returns no such device.

Any suggestions will be appreciated. Thanks.

tcpdump cannot be used to monitor the XL interfaces.

A special falcondump executable must be used, but it requires stopping cids (directions for using falcondump were posted in this Forum some time in the past).

This is changing for the next major version.

You could try using Iplogging for a particular IP Address to see if the sensor is seeing packets.

An easy way to see if an interface is getting packets is to look at the interface statistics and see if the packet counts are increasing for the interfaces.

Thanks for your response.

2) group 0, int2 and int3 are enabled and up. Will try removing the span tomorrow. The statistics and packet counts are not increasing, mostly zeros.

3) I can't find any info on falcondump besides -h. I tried ./falcomdump, and got Error opening /dev/falcon: Resource temporarily unavailable. What is the proper way to use the tool?

4) Is there anything else I need to configure?

Sensing int2 is up

Hardware is falcon1, XL

MAC statistics from the XL Interface int2

Link Status = Down

Thanks again.

These are the steps:

1. Log in as the service account

2. 'su -' to root

3. Run '/etc/init.d/cids stop'

4. Run '/etc/init.d/falcon start'

5. Run falcondump -o packets.file

6. scp the packets.file to your desktop and analyze with a sniffer program like ethereal or tcpdump

However, I have been informed there is a bug: CSCee85525

This is causing a segmentation fault in falcondump.

So until that bug is fixed you can't do a falcondump on the interfaces.

As an alternative:

If you know the IP Address you want to monitor, then you can use the iplog command to capture all packets to and from that IP Address into an iplog file.

And then download and analyze the log file with ethereal or tcpdump.

The problem was resolved, with help from Cisco and IBM TAC support engineers - enabled negotiation on the span port (was nonnegotiable).

Thanks for the falcondump instructions - will use it when the bug is fixed. I also tried the iplog command. Before the problem was solved, it did not log any packets.

Thank you for helping and for all the useful info!