Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Capture troubleshooting

My new Sensor(4210) doesn't notice any alarms! Which commands should I use to troubleshoot the problem? What could be the problem?

Any advice?

Thanks!

5 REPLIES
Community Member

Re: Capture troubleshooting

Check your cable connections...

check the monitoring port settings(spanning) on the switch..

check for the traffic on spwr0:

snoop -d spwr0

Ramesh

Community Member

Re: Capture troubleshooting

The IDS-4210's sensing interface is iprb0 (that's the lower RJ-45 connector). To test whether the sensor's sniffing interface is seeing traffic, connect iprb0 to a shared hub (or a spanned port on a switched hub) that has some activity. Then (as root) enter at the shell prompt:

# snoop -d iprb0

As packets are seen on the interface, they will be displayed on the screen. Hit ctrl-C to stop the display.

If you are unable to see traffic, contact the TAC. You may have a bad sensor.

If you see traffic, then enter:

# grep -v '^#' /usr/nr/etc/packetd.conf | grep NameOfPacketDevice

If nothing is displayed, then the sensor has not been configured. Follow the instructions for configuring the sensor using sysconfig-sensor choice 6 (or if you are using CSPM or IDS Director, follow those instructions instead). The correct value for NameOfPacketDevice should be "/dev/iprb0".

Community Member

Re: Capture troubleshooting

Thanks for the help!

Unfortunately, it has activity on the iprb0 interface and the value for NameOfPacketDevice is /dev/iprb0. But! The snoop shows the following traffic!(193.68.36.141 is my CSPM kshsensor is the sensor) It is strange, that only this traffic can the Sensor notice. The sniffing and the comman&controll interface is in the same LAN segment! (Just for testing).

kshsensor -> 193.68.36.141 TCP D=1042 S=22 Ack=85865 Seq=2485443791 Len=428 Win=24820

193.68.36.141 -> kshsensor TCP D=22 S=1042 Ack=2485444219 Seq=85865 Len=0 Win=8760

192.168.10.249 -> 224.0.0.10 IP D=224.0.0.10 S=192.168.10.249 LEN=60, ID=0

? -> * ETHER Type=9000 (Loopback), size = 60 bytes

? -> (multicast) ETHER Type=2000 (Unknown), size = 313 bytes

? -> (multicast) ETHER Type=2000 (Unknown), size = 308 bytes

? -> * ETHER Type=9000 (Loopback), size = 60 bytes

? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes

????

Thanks!

Cisco Employee

Re: Capture troubleshooting

Is the packetd daemon running? (You can use nrstatus to determine this.) If not, then use your management application to enable it. Verify that the traffic you are generating on the segment (I assume that the Sensor and Director are plugged into the same hub) will trigger an alarm, that the signature is enabled and that its alarm level is greater than the minimum log level.

Community Member

Re: Capture troubleshooting

IDS Informer www.blade-software.com

101
Views
0
Helpful
5
Replies
CreatePlease to create content