
TCPdump support on sensing interfaces for IDSM2

msmitha
Level 1

When we deploy new IDSM2 blades in various locations, we need to verify that the sensing interface(s) have sufficient visibility into the protected nets. In order to do this, we (the security group) rely on network admins to set up SPAN, RSPAN, VACLs, etc. Sometimes the initial config is done right, but when major changes are made on the switch, the SPAN/VACL config is lost due to human error. So tcpdump is very necessary to make sure that SPAN/RSPAN/VACLs, etc., as the case may be, are set up correctly. Another reason I can think of is when uni-directional traffic is spanned to the IDSM2 sensing interface, not bi-directional.

We can use tcpdump on the appliances by stopping CIDS ("/etc/init.d/cids stop") first. Is there some workaround to run tcpdump on the IDSM2? Which Linux interface (eth?) do int7 and int8 correspond to?

Please let me know, Thanks.
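A check for the uni-directional SPAN case described in the post, added here as an example (not part of the original post or of Cisco's tooling): it groups `tcpdump -n` output by endpoint pair and reports pairs seen in only one direction, which is the symptom of a half-configured or broken mirror session. The sample capture lines are constructed, and the interface name is whatever the sensor exposes.

```python
import re
import sys
from collections import defaultdict

# Matches the endpoint pair in "tcpdump -n" IPv4 lines: "<ts> IP host.port > host.port:"
_LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+):")

# Constructed sample capture for demonstration; not taken from a real sensor.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.1.1.5.51234 > 10.2.2.10.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000500 IP 10.2.2.10.443 > 10.1.1.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.001000 IP 10.1.1.5.51234 > 10.2.2.10.443: Flags [.], ack 3, win 65535, length 0
12:00:02.000001 IP 10.1.1.6.40000 > 10.2.2.20.80: Flags [S], seq 1, win 65535, length 0
12:00:02.500000 IP 10.1.1.6.40000 > 10.2.2.20.80: Flags [S], seq 1, win 65535, length 0
12:00:03.000000 ARP, Request who-has 10.1.1.1 tell 10.1.1.6, length 28
"""


def flow_directions(capture_text):
    """Map each unordered endpoint pair to {(src, dst): packet_count} per direction seen."""
    flows = defaultdict(lambda: defaultdict(int))
    for line in capture_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # ARP, IP6, truncated or non-IP lines are not part of this check
        pair = frozenset((m["src"], m["dst"]))
        flows[pair][(m["src"], m["dst"])] += 1
    return flows


def one_way_flows(capture_text):
    """Return (src, dst, count) for endpoint pairs observed in only one direction."""
    result = []
    for dirs in flow_directions(capture_text).values():
        if len(dirs) == 1:  # only src->dst seen, never dst->src: suspect SPAN/VACL config
            (src, dst), count = next(iter(dirs.items()))
            result.append((src, dst, count))
    return sorted(result)


if __name__ == "__main__":
    # Usage: tcpdump -n -i <sensing-iface> -c 2000 | python3 span_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for src, dst, count in one_way_flows(text):
        print(f"one-way only: {src} -> {dst} ({count} pkts)")
```

Pairs that are legitimately one-way (broadcast, some UDP) will show up too, so treat the output as a list to eyeball rather than a hard verdict.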

1 Accepted Solution

Accepted Solutions