Managing Lawful Interception with IOS-XR

mleske · ‎05-30-2014

This blog is intended to provide guidance for Lawful Intercept verification during software validations or proof of concepts.

Lawful intercept is the process by which law enforcement agencies conduct electronic surveillance of circuit and packet-mode communications, authorized by judicial or administrative order. Service providers worldwide are legally required to assist law enforcement agencies in conducting electronic surveillance in both circuit-switched and packet-mode networks.

Further reading: Cisco Documentation

Preparation

In order to prepare the IOS-XR router 2 pre-requisites need to be fulfilled:

1. Install the LI package, e.g. asr9k-li-px.pie

2. SNMPv3 credentials need to be set.

Example SNMP:

snmp-server user LI-user LI-group v3 auth md5 <password>
snmp-server view LI-view interfaces included
snmp-server view LI-view ciscoTap2MIB included
snmp-server view LI-view ciscoIpTapMIB included
snmp-server group LI-group v3 auth read LI-view write LI-view

Provisioning and Managing SNMP-based Lawful Intercept

To avoid modifying long SNMP SET Messages PyLawful may be used. PyLawful is a small tool written in Python that is converting user inputs into SNMP messages to activate and manage Lawful Intercept Mediation Device and Tap configuration in routers.

The implementation is well proven to work against Cisco IOS-XR routers. It may also work against Cisco IOS, IOS-XE routers or even other vendors. (MIB implementation may vary.)

PyLawful integrates the pysnmp package to build and parse SNMP messages.

This tool allows:

Setting the Target router IP address
Setting the SNMPv3 credentials
Walk the ciscoTap2MIB and ciscoIpTapMIB MIBs
Configure LI MD
Configure v4 and v6 unidirectional Taps
List configured Taps
Check cTap2StreamInterceptedPackets stats for configured Taps
Remove LI Taps and MDs

Installation

1. Install PyLawful from PyPI. This will automatically install other mandatory Python packages.

If your default Python installation is v3.x:

pip install PyLawful

If your default Python installation is v2.x:

pip3 install PyLawful

2. Download the PyLawful.py file here.

3. Starting PyLawful:

python3 PyLawful.py

Execution

PyLawful offers a text-based menu.
The first options should always be setting the target router's IP and the SNMPv3 credentials
In the current version of the tool provisioning LI always includes setting a Mediation Device (MD) and multiple uni-directional taps to specify what traffic should be replicated to which MD.
A single MD can be used for multiple uni-directional taps. They must use different CCCid's though.
CCCid's for uni-directional taps can be chosen freely.
The target router needs a route to the Mediation Device, Null0 is not allowed.
The MD timeout must not be more than 24 days + 1 hour in the future.
The traffic to be intercepted must not enter the target router mpls encapsulated (ingress replication).

Example

In this example we:

Intercept packets from target router 10.49.224.50
Use SNMPv3 AuthNoPriv with User LI-user and password testing1
Walk the LI MIBs to verify active taps
Select added a bi-directional v4 tap
1. Adding Mediation Device 10.23.89.2
2. Add uni-directional tap2 to
  1. Intercept traffic to 192.168.23.1/32 from 0.0.0.0/0
  2. Intercept traffic to 0.0.0.0/9 from 192.168.23.1/32
Walk the LI MIBs.
Check which Taps are set.
Verify the counter for intercepted packets.
De-provision MD/Tap 5000/10, MD/Tap 5000/11 and MD 5000
Walk the LI MIBs to verify the Taps and MD have been removed.

####################################################

Target router: 0.0.0.0

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 1

Enter IP          : 10.49.224.50

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 2

####################################################
    1. AuthNoPriv: MD5
    2. AuthNoPriv: SHA
    3. AuthPriv  : MD5, DES
    4. AuthPriv  : MD5, 3DES
    5. AuthPriv  : MD5, AES
    6. AuthPriv  : SHA, DES
    7. AuthPriv  : SHA, 3DES
    8. AuthPriv  : SHA, AES
    0. Exit

Select option: 1

Username    : LI-user
MD5 Password: <password>

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 3

Polling: ciscoTap2MIB

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.1.0 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.3.0 = 0xe0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.3.1.0 = 600
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.3.2.0 = 10

Polling: ciscoIpTapMIB

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.1.0 = 0xfc

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 4

cTap2MediationContentId      : 5000
cTap2MediationDestAddress    : 10.23.89.2
cTap2MediationDestPort       : 26001
cTap2MediationSrcInterface   : 0
cTap2MediationDscp           : 56
Mediation Timeout (Max 24 days + 1 hour) :
   MD Year     : 2015
   MD Month    : 2
   MD Day      : 10

MD Timeout will be set to: 2015-2-10 23:59

TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.1.2.1.2.5000', Integer(1))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.1.2.1.3.5000', OctetString(hexValue='0a175902'))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.1.2.1.4.5000', Unsigned32(26001))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.1.2.1.5.5000', Integer(0))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.1.2.1.7.5000', Integer(56))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.1.2.1.10.5000', OctetString(hexValue='07df020a173b0000'))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.1.2.1.11.5000', Integer(1))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.1.2.1.13.5000', Integer(4))

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.2.5000 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.3.5000 = 0x0a175902
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.4.5000 = 26001
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.5.5000 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.7.5000 = 56
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.10.5000 = 0x07df020a173b0000
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.11.5000 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.13.5000 = 4

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 6

cTap2MediationContentId : 5000
cTap2StreamIndex        : 10
Dest. Prefix            : 192.168.23.1
Dest. Prefix Length     : 32
Source Prefix           : 0.0.0.0
Source Prefix Length    : 0

TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.1.5000.10', Integer(0))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.2.5000.10', Integer(1))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.3.5000.10', OctetString(hexValue='c0a81701'))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.4.5000.10', Unsigned32(32))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.5.5000.10', OctetString(hexValue='00000000'))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.6.5000.10', Unsigned32(0))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.7.5000.10', Integer(0))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.8.5000.10', Integer(0))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.16.5000.10', Integer(4))

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.1.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.2.5000.10 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.3.5000.10 = 0xc0a81701
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.4.5000.10 = 32
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.5.5000.10 = 0x00000000
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.6.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.7.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.8.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.16.5000.10 = 4

TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.2.1.1.2.5000.10', Integer(1))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.2.1.1.3.5000.10', Integer(1))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.2.1.1.6.5000.10', Integer(4))

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.2.5000.10 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.3.5000.10 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.6.5000.10 = 4

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 6

cTap2MediationContentId : 5000
cTap2StreamIndex        : 11
Dest. Prefix            : 0.0.0.0
Dest. Prefix Length     : 0
Source Prefix           : 192.168.23.1
Source Prefix Length    : 32

TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.1.5000.11', Integer(0))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.2.5000.11', Integer(1))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.3.5000.11', OctetString(hexValue='00000000'))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.4.5000.11', Unsigned32(0))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.5.5000.11', OctetString(hexValue='c0a81701'))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.6.5000.11', Unsigned32(32))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.7.5000.11', Integer(0))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.8.5000.11', Integer(0))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.16.5000.11', Integer(4))

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.1.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.2.5000.11 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.3.5000.11 = 0x00000000
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.4.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.5.5000.11 = 0xc0a81701
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.6.5000.11 = 32
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.7.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.8.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.16.5000.11 = 4

TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.2.1.1.2.5000.11', Integer(1))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.2.1.1.3.5000.11', Integer(1))
TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.2.1.1.6.5000.11', Integer(4))

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.2.5000.11 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.3.5000.11 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.6.5000.11 = 4

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 3

Polling: ciscoTap2MIB

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.1.0 = 9
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.2.5000 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.3.5000 = 0x0a175902
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.4.5000 = 26001
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.5.5000 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.7.5000 = 56
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.10.5000 = 0x07df020a173b0000
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.11.5000 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.12.5000 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.13.5000 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.3.0 = 0xe0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.2.5000.10 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.2.5000.11 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.3.5000.10 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.3.5000.11 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.4.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.4.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.5.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.5.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.6.5000.10 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.6.5000.11 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.3.1.0 = 600
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.3.2.0 = 10

Polling: ciscoIpTapMIB

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.1.0 = 0xfc
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.1.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.1.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.2.5000.10 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.2.5000.11 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.3.5000.10 = 0xc0a81701
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.3.5000.11 = 0x00000000
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.4.5000.10 = 32
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.4.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.5.5000.10 = 0x00000000
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.5.5000.11 = 0xc0a81701
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.6.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.6.5000.11 = 32
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.7.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.7.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.8.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.8.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.9.5000.10 = -1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.9.5000.11 = -1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.10.5000.10 = -1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.10.5000.11 = -1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.11.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.11.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.12.5000.10 = 65535
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.12.5000.11 = 65535
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.13.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.13.5000.11 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.14.5000.10 = 65535
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.14.5000.11 = 65535
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.15.5000.10 = b''
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.15.5000.11 = b''
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.16.5000.10 = 1
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.16.5000.11 = 1

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 8

The following TAP's are set:
5000.10
5000.11

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 9

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.4.5000.10 = 0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.4.5000.11 = 0

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 7

cTap2MediationContentId : 5000
cTap2StreamIndex        : 11

TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.2.1.1.6.5000.11', Integer(6))

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.6.5000.11 = 6

TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.16.5000.11', Integer(6))

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.16.5000.11 = 6

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 7

cTap2MediationContentId : 5000
cTap2StreamIndex        : 10

TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.399.1.2.1.1.6.5000.10', Integer(6))

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.2.1.1.6.5000.10 = 6

TX (10.49.224.50) : ('1.3.6.1.4.1.9.9.394.1.1.2.1.16.5000.10', Integer(6))

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.2.1.16.5000.10 = 6

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 5

cTap2MediationContentId : 5000

TX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.13.5000
TX (10.49.224.50) : 6

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.2.1.13.5000 = 6

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 3

Polling: ciscoTap2MIB

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.1.0 = 11
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.1.3.0 = 0xe0
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.3.1.0 = 600
RX (10.49.224.50) : 1.3.6.1.4.1.9.9.399.1.3.2.0 = 10

Polling: ciscoIpTapMIB

RX (10.49.224.50) : 1.3.6.1.4.1.9.9.394.1.1.1.0 = 0xfc

####################################################

Target router: 10.49.224.50

Select operation:
----------------------------------------------------
    1. Set target router
    2. Set SNMP Security
    3. Walk LI MIBs
    ------------------------------------------------
    4. Create and set Mediation Device
    5. Delete Mediation Device
    ------------------------------------------------
    6. Add and activate new LI Stream TAP(s)
    7. Delete LI Stream TAP
    ------------------------------------------------
    8. Show configured TAPs
    9. Show Intercept Counters
    ------------------------------------------------
    0. Exit

Select option: 0

jalor · ‎09-04-2014

Hi. I need to set up lawful intercept on a Cisco CMTS. I am trying to use your python script to as a proof-of-concept, since the CMTS uses CISCO-802-TAP-MIB and not CISCO-IP-TAP-MIB. But otherwise the cTap2MediationTable and cTap2StreamTable should be identical as well. So I should be able to do some things...

at least "Walk the LI MIBs" and "Show Intercept Counters". However, I get

(ip-of-my-cmts): errorIndication = wrongDigest

when I try that. With net-snmp utilities, I can:

snmptable -m ALL -v 3 -l authNoPriv -a MD5 -u jlo_sec -A ***** ip.of.my.cmts cTap2MediationTable

[...]

CISCO-TAP2-MIB::cTap2MediationTable: No entries

So I wonder what the *** I am doing wrong when I try to walk the li mibs with your script?

Update: It seems to be working if I use authNoPriv.

Thanks for your python script, I'll definitely use it as a starting point!

mleske · ‎10-08-2014

Hey, please apologise my late reply. I must have missed the notification for the comment. The "wrongDigest" message is the SNMP error code the tool receives from the DUT and would indicate wrong security settings have been set; in your case I would assume a wrong MD5 passphrase.

Glad, you were able to help yourself and found the script useful.

Mike

Managing Lawful Interception with IOS-XR

Chalk Talk: Troubleshooting DTMF-Relay over MGCP

Configuring and Troubleshooting Basic MPLS Layer3 VPN

Upgrading to 6.3.2 plus releases coming from 43x 51x 52x need to knows!