Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
332
Views
0
Helpful
4
Replies

detecting network interfaces on IDS

ravik77
Level 1
Level 1

‎10-28-2003 11:21 AM - edited ‎03-09-2019 05:18 AM

Hi

We have cisco IDS(netranger) running on sol 2.8. I want to know why the interface that is capturing packets does not show when I do ifconfig -a on the terminal session on the server. Is there a way to see the packets the IDS is capturing using snoop

Please let me know

Ravi

Labels:
0 Helpful
4 Replies 4

marcabal
Cisco Employee
Cisco Employee

‎10-28-2003 11:44 AM

The interfaces only show up in ifconfig -a if they have been "plumbed". Interfaces are generally only "plumbed" when an IP Address has been assigned to it.

The sniffing interface of the sensor does not have an IP address and so we decided not to "plumb" it.

So do not expect to see the sniffing interface in the ifconfig -a output on a 3.x sensor.

If you know the sniffing interface then you can still snoop on it even though it doesn't show up in ifconfig -a.

If you don't know the name of the interface then let me know the model number for your sensor and I'll let you know the interface name.

This is documented in one of the 3.1 docs, but I can't remember where.

0 Helpful

ravik77
Level 1
Level 1
In response to marcabal

‎10-28-2003 11:51 AM

Marc..

Thanks for the reply. My IDS model is cisco IDS 4235. Can you please let me know the intrface I need to use in my snoop.

Thanks

Ravi

0 Helpful

marcabal
Cisco Employee
Cisco Employee
In response to ravik77

‎10-28-2003 12:05 PM

Try snoop -d e1000g0

As a side note for other users.

The IDS-4250-TX sniffing interface is also e1000g0.

The IDS-4250-SX sniffing interface is e1000g2.

0 Helpful

brhamon
Level 1
Level 1

‎10-28-2003 11:47 AM

In solpc-2.8, only plumbed interfaces appear in the output of the "ifconfig -a" command. You can snoop unplumbed interfaces with the "snoop -d (iface)" command. The trick is knowing the name of the interface.

One way is to guess, based on the platform. IDS-4220 and IDS-4230-FE sensors sniff on the "spwr0" interface. IDS-4210 sensors use "iprb0". I cannot say for sure what you'll see on IDS-4235 and IDS-4250; however, I think it is also "iprb0".

One way to find out without guessing is to examine the devices on the various system busses. Solpc-2.8 allows you to do this by issuing the following command (as root):

# find /devices -name '*spwr*' -o -name '*iprb*'

Here is example output (from an IDS-4210):

/devices/pci@0,0/pci8086,3000@c:iprb

/devices/pci@0,0/pci8086,3000@c:iprb0

/devices/pci@0,0/pci8086,3000@d:iprb1

This indicates that there are two Intel NICs in this system: iprb0 and iprb1. Try snooping on all the unplumbed interfaces (the ones that do _not_ appear in the "ifconfig -a" output).

# snoop -d iprb0

0 Helpful
Customers Also Viewed These Support Documents