IPS 4255 - Network Sniffer?

Unanswered Question
Feb 12th, 2007

One of my network engineers has asked if I can use our IPS device as a sniffer to identify specific host-to-host traffic via a specific port. I am somewhat new to IPS and am looking for some direction.

Thanks,

Dave

mhellman Fri, 02/16/2007 - 13:21

Yes, but there are some limitations. Probably the best way to do this is via the CLI. Log in with a normal account on the sensor (not a service account). Use the packet capture command:

sensor# packet capture gigabitEthernet0/0 expression

where is a tcpdump expression. So:

sensor# packet capture gigabitEthernet0/0 expression host 192.168.1.1 and port 80

To get the capture off the sensor, use the "copy packet-file" command. The biggest limitation is the size. I think it's something like 15MB, which isn't always big enough.
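Once the capture has been copied off the sensor, the host-to-host question can be answered offline. The following is an added example, not part of the reply above: it assumes the copied file is a classic libpcap file with Ethernet framing, and `build_packet`, `build_pcap` and `match_flows` are hypothetical helper names. The sample capture is constructed in memory, and every address other than 192.168.1.1 is made up.

```python
import socket
import struct

def build_packet(src, dst, sport, dport):
    """Constructed Ethernet/IPv4/TCP frame (zeroed MACs and checksums)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(packets):
    """Wrap frames in a little-endian libpcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

def match_flows(pcap, host_a, host_b, port):
    """Offline equivalent of 'host A and host B and tcp port P'."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic libpcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    offset, hits = 24, []
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, offset)[2]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # Skip anything that is not IPv4 carrying TCP (VLAN tags not handled).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        if len(frame) < 14 + ihl + 4:
            continue                          # truncated before the TCP ports
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        if {src, dst} == {host_a, host_b} and port in (sport, dport):
            hits.append((src, sport, dst, dport))
    return hits

# Constructed sample capture: two packets of the flow of interest, two that are not.
SAMPLE = build_pcap([
    build_packet("192.168.1.1", "192.168.1.50", 49152, 80),
    build_packet("192.168.1.50", "192.168.1.1", 80, 49152),
    build_packet("192.168.1.1", "192.168.1.77", 49153, 80),
    build_packet("192.168.1.1", "192.168.1.50", 49154, 443),
])
```

Calling `match_flows(SAMPLE, "192.168.1.1", "192.168.1.50", 80)` returns the two packets exchanged between that pair on port 80 and ignores the other host and the other port.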
