11-20-2003 08:40 AM - edited 03-09-2019 05:36 AM
When we deploy new IDSM2 blades in various locations, we need to verify that the sensing interface(s) have sufficient visibility into the protected nets. In order to do this, we (security group) rely on network admins to set up SPAN, RSPAN, VACLs, etc. Sometimes, the initial config is done right but when major changes are done on the switch, the SPAN/VACL config is lost due to human error. So, tcpdump is very necessary to make sure that SPAN/RSPAN/VACLs etc., as the case may be, is set up correctly. Another reason I can think of is when uni-directional traffic is spanned to the IDSM2 sensing interface, not bi-directional.
We can use tcpdump on the appliances by stopping CIDS "/etc/init.d/cids stop" first. Is there some workaround to run tcpdump on the IDSM2? Which Linux interface (eth?) do int7 and int8 correspond to?
Please let me know, Thanks.
11-20-2003 01:57 PM
Try using "tcpdump -r
Falcondump should produce a "falcondump.pcap" file by default; you would feed this file into tcpdump with the -r option.
For detailed analysis, we use ethereal on another workstation.
SC
11-20-2003 09:09 AM
After you stop cids. Run the "falcondump" utility in ~cids/idsRoot/bin.
11-20-2003 10:32 AM
Could you please tell me how to use falcondump? Any examples?
Thanks,
11-20-2003 10:58 AM
See my other reply for the extra step(s). Falcondump -? will give a usage. Some terminology:
A "superblock" is a 64KByte block of packets.
By default it will receive 1600 superblocks of data and parse the packets into pcap format and save to a file (falcondump.pcap). -r skips the formatting and just dumps raw to file. The -m memory option is one I'm not familiar with (this is a developer tool that has had many incarnations)...I believe it means to do an "in-memory" receive, for speed and well loaded networks, then parse and dump...thus it has to buffer all the incoming data in memory (the lots-o-memory reference). You'll probably just want the defaults, perhaps with the memory option. If needed, I can get a developer on this and dump their brain.
Scott
11-20-2003 12:53 PM
Thanks for the information. I have two questions:
1. I did generate a falcondump.pcap file but how would I view it? I mean, how to view PCAP format.
2. How can I get falcondump to generate a file which tcpdump can parse? I'd like to use tcpdump to view contents of the capture on the IDSM2 itself rather than downloading it and using some other application to parse it.
Thanks,
11-20-2003 10:47 AM
After you issue the "/etc/init.d/cids stop" command, you have to issue "/etc/init.d/falcon start" before you run falcondump. The cids stop command unloads the falcon drivers...falcon start will reload the drivers without starting the cids software. When finished with falcondump, just issue a "/etc/init.d/falcon stop" followed by the "/etc/init.d/cids start" to restart the sensor software. If I remember correctly, the output of falcondump is pcap format.
Scott C.
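The thread settles on the sequence cids stop, falcon start, falcondump, tcpdump -r falcondump.pcap, falcon stop, cids start, and the original poster's real goal is to confirm that the SPAN/RSPAN/VACL feed is both present and bi-directional. The script below is an added example, not code from the thread or from Cisco: it parses a classic (non-pcapng) pcap file directly, counts packets per IPv4 conversation, and flags conversations seen in only one direction, which is what a half-configured SPAN session looks like from the sensing interface. It assumes falcondump writes classic pcap with Ethernet frames, as the replies above state; the sample capture and the addresses in it are constructed inline so the script runs offline, and on the sensor you would pass the path to falcondump.pcap instead.

```python
"""Check a pcap capture from a sensing interface for bi-directional visibility.

Added example, not part of the thread. Assumes a classic pcap container
(magic 0xA1B2C3D4 / 0xD4C3B2A1) with Ethernet (DLT 1) frames, which is
what the replies above say falcondump produces.
"""
import struct
import sys
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
DLT_EN10MB = 1


def parse_pcap(data: bytes):
    """Yield raw frame bytes from a classic pcap file held in memory."""
    if len(data) < 24:
        raise ValueError("file too short to be a pcap capture")
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != DLT_EN10MB:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    offset = 24
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def ipv4_endpoints(frame: bytes):
    """Return (src, dst) dotted quads for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst


def direction_report(data: bytes):
    """Count packets per (src, dst) and list pairs with no return traffic."""
    flows = Counter()
    for frame in parse_pcap(data):
        ep = ipv4_endpoints(frame)
        if ep:
            flows[ep] += 1
    one_way = [(src, dst, n) for (src, dst), n in flows.items()
               if flows.get((dst, src), 0) == 0]
    return dict(flows), sorted(one_way)


def _frame(src: str, dst: str) -> bytes:
    """Constructed minimal Ethernet+IPv4 frame (20-byte IP header, no payload)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])
    ip += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    return eth + ip


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap container (constructed data)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    body = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


# Constructed sample: one conversation seen both ways, one seen only outbound.
SAMPLE_PCAP = build_pcap(
    [_frame("10.1.1.10", "192.0.2.5")] * 3
    + [_frame("192.0.2.5", "10.1.1.10")] * 2
    + [_frame("10.1.1.20", "192.0.2.9")] * 4
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    flows, one_way = direction_report(data)
    for (src, dst), n in sorted(flows.items()):
        print(f"{src} -> {dst}: {n} packets")
    for src, dst, n in one_way:
        print(f"WARNING: {src} -> {dst} seen {n} times with no return traffic "
              f"(uni-directional SPAN or missing VACL?)")
```

Run it with no arguments to see the constructed sample, or as `python3 check_span.py falcondump.pcap` after the falcondump run; an empty flow table means the sensing interface is receiving nothing, and a long one-way list means the switch is copying only one direction. The parser deliberately rejects pcapng and non-Ethernet captures rather than silently producing zero flows, so a format mismatch is reported instead of being mistaken for a dead SPAN session.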