capture packet / ip logging

5creedus (Level 1)

What is the best way to capture packets as well as display them for signatures?

I need to see the packets that cause the ICMP hard DoS sig 2157 to fire. The Cisco IDS Install and Configuration guide version 4.x talks about setting packet capture to true as well as the Event action, but gives no clear instructions on which to use or whether both need to be configured.

4 Replies

vkapoor5 (Level 5)

If you want to capture the packets that caused the signature to fire, then you must enable the "log" option as the EventAction in the signature. When the IDS detects an attack based on this signature, it creates an IP log.

There is also an "IP logging" feature in the IDS that is used to capture the packets for a duration of time. This capture is time or size (bytes) based and is not based on signature.
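Once the IP log created by the "log" event action has been copied off the sensor, the next problem is reading it and picking out the packets that actually match the signature's pattern. The script below is an added example written for this thread, not code from Cisco or from anyone in the discussion. It assumes the retrieved IP log is a standard libpcap file over Ethernet (the format tcpdump and Ethereal read), and it does not reproduce Cisco's signature engine: the ICMP hard-error definition (type 3, codes 2, 3 and 4, per RFC 1122) is standard, but the `threshold` and `window_sec` values are illustrative assumptions, not the sensor's tuned parameters. The sample IP log is constructed in memory so the script runs offline; replace `SAMPLE_IPLOG` with `open("iplog.pcap", "rb").read()` for a real file.

```python
"""Read a libpcap IP log and pick out ICMP hard-error bursts, the traffic
pattern an 'ICMP Hard Error DoS' style signature looks for."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4        # libpcap magic as written on little-endian hosts
PCAP_MAGIC_BE = 0xD4C3B2A1        # the same magic seen byte-swapped
LINKTYPE_ETHERNET = 1
# ICMP type 3 codes that RFC 1122 classifies as "hard" errors: a host that
# honours them aborts the affected TCP connection, which is the DoS vector.
HARD_ERROR_CODES = {2: "protocol unreachable", 3: "port unreachable",
                    4: "fragmentation needed"}


def iter_pcap(data: bytes):
    """Yield (ts_sec, frame_bytes) for every record in a libpcap byte string."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles the Ethernet link type")
    off = 24                                      # 24-byte global header
    while off + 16 <= len(data):                  # 16-byte per-record header
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode_icmp(frame: bytes):
    """Return (src, dst, icmp_type, icmp_code) for an Ethernet/IPv4/ICMP frame, else None."""
    if len(frame) < 14 + 20 + 2 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                  # IP header length incl. options
    if frame[14 + 9] != 1:                        # IP protocol field != ICMP
        return None
    src = ".".join(map(str, frame[26:30]))        # src/dst sit at fixed offsets
    dst = ".".join(map(str, frame[30:34]))
    icmp = 14 + ihl
    if len(frame) < icmp + 2:
        return None
    return src, dst, frame[icmp], frame[icmp + 1]


def find_hard_error_bursts(data: bytes, threshold: int = 10, window_sec: int = 30):
    """Return {dst: [(ts, src, code), ...]} for every destination that receives
    at least `threshold` ICMP hard errors inside some `window_sec` span.
    threshold/window_sec are assumed, illustrative values (not Cisco's)."""
    per_dst = defaultdict(list)
    for ts, frame in iter_pcap(data):
        decoded = decode_icmp(frame)
        if decoded is None:
            continue
        src, dst, itype, code = decoded
        if itype == 3 and code in HARD_ERROR_CODES:
            per_dst[dst].append((ts, src, code))
    bursts = {}
    for dst, events in per_dst.items():
        events.sort()
        start = 0                                 # sliding window over timestamps
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_sec:
                start += 1
            if end - start + 1 >= threshold:
                bursts[dst] = events               # keep every hard error for display
                break
    return bursts


def describe(bursts) -> list:
    """tcpdump-style one-liners for the offending packets, for display."""
    lines = []
    for dst, events in bursts.items():
        lines.append("%s: %d ICMP hard errors" % (dst, len(events)))
        for ts, src, code in events:
            lines.append("  %d IP %s > %s: ICMP %s" % (ts, src, dst, HARD_ERROR_CODES[code]))
    return lines


# ---- Constructed sample input (built here for the example; not a real sensor log) ----
def _ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _icmp_frame(src: str, dst: str, itype: int, code: int) -> bytes:
    """Ethernet/IPv4/ICMP frame; ICMP checksum and quoted datagram left zero (not checked here)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    icmp = struct.pack("!BBHI", itype, code, 0, 0) + b"\x00" * 28
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return eth + ip + icmp


def _pcap(frames, base_ts: int = 1100000000) -> bytes:
    """Little-endian libpcap file with one frame per second starting at base_ts."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_IPLOG = _pcap(
    # 12 port-unreachable messages aimed at 192.168.1.10 over 12 seconds ...
    [_icmp_frame("10.0.0.5", "192.168.1.10", 3, 3) for _ in range(12)]
    # ... plus benign traffic: echo requests and one soft error (host unreachable)
    + [_icmp_frame("10.0.0.6", "192.168.1.20", 8, 0) for _ in range(5)]
    + [_icmp_frame("10.0.0.7", "192.168.1.20", 3, 1)]
)

if __name__ == "__main__":
    print("\n".join(describe(find_hard_error_bursts(SAMPLE_IPLOG))))
```

The point of separating `find_hard_error_bursts` from `describe` is that the first gives you the evidence the signature keys on (who sent how many hard errors to which host, and when), while the second gives you something you can paste into a ticket or compare against `tcpdump -r iplog.pcap icmp` output. Soft errors such as host unreachable (type 3, code 1) and echo requests are deliberately ignored, so a noisy network does not inflate the count.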

Thank you for the reply. I had opened a case with Cisco and they gave me the same information as well as additional info on packet capture, i.e. how to copy and read the files.

Could you please share the additional info with us?

Thanks,

You should be able to scp from a Linux/Unix box to get the files off the IDS. It would require scp'ing with the service account and knowing the directory where the files are stored. Not sure if that is a supported feature or not.
