Capture troubleshooting

teperjesi
Level 1

My new Sensor (4210) doesn't notice any alarms! Which commands should I use to troubleshoot the problem? What could be the problem?

Any advice?

Thanks!

5 Replies

chilukurir
Level 1

Check your cable connections...

Check the monitoring port settings (spanning) on the switch.

Check for the traffic on spwr0:

snoop -d spwr0

Ramesh

The IDS-4210's sensing interface is iprb0 (that's the lower RJ-45 connector). To test whether the sensor's sniffing interface is seeing traffic, connect iprb0 to a shared hub (or a spanned port on a switched hub) that has some activity. Then (as root) enter at the shell prompt:

# snoop -d iprb0

As packets are seen on the interface, they will be displayed on the screen. Hit ctrl-C to stop the display.

If you are unable to see traffic, contact the TAC. You may have a bad sensor.

If you see traffic, then enter:

# grep -v '^#' /usr/nr/etc/packetd.conf | grep NameOfPacketDevice

If nothing is displayed, then the sensor has not been configured. Follow the instructions for configuring the sensor using sysconfig-sensor choice 6 (or if you are using CSPM or IDS Director, follow those instructions instead). The correct value for NameOfPacketDevice should be "/dev/iprb0".
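The packetd.conf check from the reply above, wrapped in a small script so the three outcomes (key absent, wrong device, correct device) are told apart. This is an added example, not code from the thread or from Cisco; it assumes the key and its value sit on one line separated by whitespace, and the sample configuration files it writes are constructed (the real file on the sensor is /usr/nr/etc/packetd.conf).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes "NameOfPacketDevice <value>"
# on a single whitespace-separated line; sample files below are constructed.

EXPECTED_DEVICE="/dev/iprb0"   # sensing interface of an IDS-4210

# Print the NameOfPacketDevice value from a packetd.conf, skipping comment
# lines so that a commented-out default does not count as configured.
packet_device() {
    grep -v '^#' "$1" | grep 'NameOfPacketDevice' | awk '{print $NF}' | head -n 1
}

# Return 0 when the device matches, 1 when the key is absent (sensor not
# configured), 2 when it names a different device.
check_packet_device() {
    dev=$(packet_device "$1")
    if [ -z "$dev" ]; then
        echo "$1: NameOfPacketDevice not set; configure with sysconfig-sensor (choice 6), CSPM or IDS Director"
        return 1
    fi
    if [ "$dev" != "$EXPECTED_DEVICE" ]; then
        echo "$1: NameOfPacketDevice is $dev, expected $EXPECTED_DEVICE"
        return 2
    fi
    echo "$1: NameOfPacketDevice is $dev (ok)"
    return 0
}

# Constructed sample configurations covering each case.
tmp=$(mktemp -d)
printf '# NameOfPacketDevice /dev/iprb0\n' > "$tmp/unconfigured.conf"
printf 'NameOfPacketDevice /dev/hme0\n' > "$tmp/wrong.conf"
printf '# NameOfPacketDevice /dev/hme0\nNameOfPacketDevice /dev/iprb0\n' > "$tmp/ok.conf"

for f in "$tmp"/*.conf; do
    check_packet_device "$f" || echo "  -> exit status $?"
done
rm -rf "$tmp"
```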

Thanks for the help!

Unfortunately, it has activity on the iprb0 interface and the value for NameOfPacketDevice is /dev/iprb0. But! The snoop shows the following traffic! (193.68.36.141 is my CSPM, kshsensor is the sensor.) It is strange that the Sensor only notices this traffic. The sniffing and the command & control interfaces are in the same LAN segment! (Just for testing.)

kshsensor -> 193.68.36.141 TCP D=1042 S=22 Ack=85865 Seq=2485443791 Len=428 Win=24820

193.68.36.141 -> kshsensor TCP D=22 S=1042 Ack=2485444219 Seq=85865 Len=0 Win=8760

192.168.10.249 -> 224.0.0.10 IP D=224.0.0.10 S=192.168.10.249 LEN=60, ID=0

? -> * ETHER Type=9000 (Loopback), size = 60 bytes

? -> (multicast) ETHER Type=2000 (Unknown), size = 313 bytes

? -> (multicast) ETHER Type=2000 (Unknown), size = 308 bytes

? -> * ETHER Type=9000 (Loopback), size = 60 bytes

? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes

????

Thanks!

Is the packetd daemon running? (You can use nrstatus to determine this.) If not, then use your management application to enable it. Verify that the traffic you are generating on the segment (I assume that the Sensor and Director are plugged into the same hub) will trigger an alarm, that the signature is enabled and that its alarm level is greater than the minimum log level.

mvine
Level 1

IDS Informer www.blade-software.com