tcpdump

emusican
Level 1

On the Cisco 4250XLs it shows 2 sniffing interfaces...int2 and int3. The hardware is falcon1 and falcon2.

I want to be able to view the traffic coming off of these interfaces.

On the old 3.x sensors I could use snoop, and specify the spwr interface to view this.

What is the 4.0 counterpart?


7 Replies

pbobby
Level 1

Not having a falcon card myself.

But you can log in as root, and do an ifconfig -a. This will list all your interfaces.

And if you have 4.1.4 of the IDS software you can tcpdump whilst the IDS sensor is still running.

Those interfaces don't show up on ifconfig.

The interfaces will not show up. To capture packets, you need to:

1) Log into the service account and su to root.

2) Run /etc/init.d/cids stop

3) Run /etc/init.d/falcon start

4) Run the falcondump command like this:

/usr/cids/idsRoot/bin/falcondump -o

5) Reboot the sensor when done.

This will result in a PCAP formatted output file that you can load into Ethereal.

Is there not a way or other alternative of sniffing int0?

Do I HAVE to stop cids to use falcondump? What if I wanted to do an extended grep for a specific port (all traffic)? Would I actually have to shut the IDS part off to do this?

In v5.0 you will be able to run tcpdump from the command line on all data interfaces including the XL/falcon ports. At this time, the driver for XL ports only allows the one consumer of packets at a time. So you get IDS or falcondump but not both.

Then I will wait anxiously for v5.0 to arrive!

Any idea when it's coming out?

Thanks for the workaround.