New Member

Howto: Iplog all traffic from an address

I cannot snoop the /dev/spwr0 interface (*pout*) and wanted to turn my sensor in to a sniffer for a particular IP address.

My older Director implementation has long since been retired, and I remember in the nrConfigure utility a 'tab' that allowed you to add IPLog entries for particular IP addresses.

I assume in the case of CSPM that I would add the appropriate command to the Epilogue of my sensor configuration, but the problem is, I can't remember what the command syntax should look like!

Does anyone remember? Or someone who is still using director, could you configure it and see what the format is? It would be much appreciated!

3 REPLIES
New Member

Re: Howto: Iplog all traffic from an address

I don't know about CSPM or anything like that but you can use the token RecordOfLogAddress in packetd.conf so the syntax would be

RecordOfLogAddress w.x.y.z

New Member

Re: Howto: Iplog all traffic from an address

Why can't you run tcpdump on spwr0? I do it all the time.

Cisco Employee

Re: Howto: Iplog all traffic from an address

You should be able to run "snoop -d spwr0" as user root (not user netrangr).

Or a program like tcpdump.

We do it quite often when diagnosing sensor issues.

But I do not recommend doing this for any length of time because it will slow down sensor performance.

If you are wanting to log the packets for a long period of time then the RecordOfLogAddress is the correct method to use.

But I do caution you that the IP Logging will slow down the sensor.

Usually the slow down is negligible when that particular ip is a remote ip address because there usually aren't too many packets being logged.

But if you try logging a local ip like your web server ip address then you could slow the sensor way down while it tries to write every packet to the sensor harddrive.

The token is easily configured using the new IDM web-based configuration tool.

If you are using CSPM you might configure this through IDM initially to see the exact syntax of the configuration line produced.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid48

NOTE: If you are using IDM then you can also download the IP Log files through IDM to your desktop. This may or may not be easier than ftping or scping them yourself.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid59
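As an added example (not part of the original thread or of Cisco's own tooling), the following POSIX shell script manages RecordOfLogAddress lines in a packetd.conf-style file the way the replies describe: one "Token value" per line. It validates the address before writing it, adds each address only once, and can remove the token again when the capture is finished, which matters because the reply above warns that logging a busy local host slows the sensor. The file path, the sample file contents and the helper names are assumptions of this example; nothing here is documented sensor behaviour beyond the token syntax quoted in the thread.

```shell
#!/bin/sh
# Added example: manage RecordOfLogAddress tokens in a packetd.conf-style
# file (one "Token value" per line, as quoted in the thread above).
# The path and sample contents below are assumptions for offline use.

# Validate a dotted-quad IPv4 address: exactly four numeric octets, 0-255.
# The body runs in a subshell so changing IFS and disabling globbing does
# not leak into the caller.
valid_ipv4() (
    IFS=.
    set -f
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
)

# Build an anchored grep pattern for the token line of one address,
# escaping the dots so 10.0.0.5 does not also match 10x0x0x5.
token_pattern() {
    pat=$(printf '%s\n' "$1" | sed 's/\./\\./g')
    printf '^RecordOfLogAddress[[:space:]][[:space:]]*%s[[:space:]]*$\n' "$pat"
}

# Append "RecordOfLogAddress ADDR" to FILE unless an identical token is
# already present; refuse anything that is not a valid IPv4 address.
add_iplog_address() {
    file="$1"; addr="$2"
    valid_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
    if grep -q "$(token_pattern "$addr")" "$file"; then
        return 0   # already configured, nothing to do
    fi
    printf 'RecordOfLogAddress %s\n' "$addr" >> "$file"
}

# Remove the token for ADDR from FILE (run once the capture is finished so
# the sensor stops writing every packet for that host to disk).
remove_iplog_address() {
    file="$1"; addr="$2"
    grep -v "$(token_pattern "$addr")" "$file" > "$file.tmp" || :
    mv "$file.tmp" "$file"
}

# Print the addresses currently being IP-logged, one per line.
list_iplog_addresses() {
    grep '^RecordOfLogAddress[[:space:]]' "$1" | awk '{ print $2 }'
}

# Constructed sample fragment (not a real packetd.conf) with one address
# from the documentation range already configured.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample fragment for the example, not a real sensor file
RecordOfLogAddress 192.0.2.10
EOF
}

# Usage when run directly: build the sample, add a host, show the result.
if [ "${0##*/}" = "iplog.sh" ]; then
    conf="${PACKETD_CONF:-./packetd.conf.sample}"   # assumed path
    make_sample_conf "$conf"
    add_iplog_address "$conf" 10.0.0.5
    list_iplog_addresses "$conf"
fi
```

For the short-term alternative in the reply, a host filter keeps the capture to the address of interest (run as root on the sniffing interface): tcpdump -n -i spwr0 host w.x.y.z. Whichever method is used, remove the RecordOfLogAddress token afterwards; the cost the reply describes is proportional to how much traffic the logged address sees, not to how long the token has been there.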
