Cisco Support Community
Community Member

Checking sniffing interface

In version 3.0 I use the command (snoop -d iprb0) to check the sniffing interface and see which subnet I am capturing traffic from, and in version 4.0 I use the command (tcpdump -i eth0). So my question is: what is the equivalent command in version 4.1?

Any idea? Thank you.

Community Member

Re: Checking sniffing interface

The tcpdump command is the equivalent of the snoop command. The 3.x sensors ran on a SunOS platform, which supports the snoop command. The 4.x sensors run on a Linux OS that does not support the snoop command; tcpdump is the Linux equivalent of the Sun SPARC snoop command. You need to make sure that the 4.x sensor is not running the cids processes in order to run the tcpdump command, however.

Typically what we do is log into the 4.x sensor with the service account and "su -" to root. The root password is the same as the service account password. We then "cd /etc/init.d" and run "./cids stop"; this stops the cids process and shuts down eth0. Then run "ifconfig eth0 up", which brings up the eth0 interface so you can sniff it. Run "tcpdump -i eth0" and this will start the snoop-like capture that you are familiar with. Ctrl-C will kill the tcpdump session.

When you are done you will need to "ifconfig eth0 down" to shut down the eth0 interface again, and then run "/etc/init.d/cids start" to start the cids processes again so your sensor will process the traffic.
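The stop/sniff/restart procedure in the reply above, wrapped in a POSIX shell script. This is an added example, not code from the original thread or from Cisco. It assumes the commands and paths the reply names (/etc/init.d/cids, ifconfig, tcpdump) exist on the sensor and that it is run as root, and it adds what the reply leaves to the operator's memory: the sensor processes are restarted even if the capture is interrupted with Ctrl-C, name resolution is switched off with -n, and the capture stops after a fixed packet count so the sensor is not left blind longer than intended. The DRY_RUN knob and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Wraps the procedure from the
# reply (stop cids, bring eth0 up, tcpdump, bring eth0 down, start cids) so
# that the sensor is put back into service whatever happens to the capture.
# Assumptions: run as root on the sensor (e.g. after "su -" from the service
# account); /etc/init.d/cids, ifconfig and tcpdump exist as named in the reply.
# DRY_RUN=1 prints the commands instead of running them (this example's own knob).

DRY_RUN="${DRY_RUN:-0}"
RESTORED=0

run() {
    # Run a command, or print it when DRY_RUN=1.
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

restore_sensor() {
    # Put the sensing interface back down and restart the sensor processes.
    # Guarded so that the INT trap and the normal path do not run it twice.
    [ "$RESTORED" = "1" ] && return 0
    RESTORED=1
    run ifconfig "$1" down
    run /etc/init.d/cids start
}

sniff_sensor_interface() {
    iface="$1"
    count="${2:-50}"
    RESTORED=0
    rc=0

    run /etc/init.d/cids stop
    run ifconfig "$iface" up

    # While cids is stopped the sensor is blind, so make sure it is restarted
    # even if the operator hits Ctrl-C during the capture.
    trap 'restore_sensor "$iface"' INT TERM

    # -n: no DNS lookups (the sensing interface has no address to resolve from,
    #     and a sensor should not be generating traffic of its own)
    # -c: stop after a fixed number of packets instead of waiting for Ctrl-C
    run tcpdump -n -i "$iface" -c "$count" || rc=$?

    trap - INT TERM
    restore_sensor "$iface"
    return "$rc"
}

# Usage: sh sniff-sensor.sh eth0 50
if [ $# -gt 0 ]; then
    sniff_sensor_interface "$1" "$2"
fi
```

Run it with the interface and an optional packet count, e.g. `sh sniff-sensor.sh eth0 50`; `DRY_RUN=1 sh sniff-sensor.sh eth0 50` shows the exact command sequence without touching the sensor.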
