Howto: Iplog all traffic from an address

pbobby
Level 1

I cannot snoop the /dev/spwr0 interface (*pout*) and wanted to turn my sensor in to a sniffer for a particular IP address.

My older Director implementation has long since been retired, and I remember in the nrConfigure utility a 'tab' that allowed you to add IPLog entries for particular IP addresses.

I assume in the case of CSPM that I would add the appropriate command to the Epilogue of my sensor configuration, but the problem is, I can't remember what the command syntax should look like!

Does anyone remember? Or someone who is still using director, could you configure it and see what the format is? It would be much appreciated!

3 Replies

ktimm
Level 1

I don't know about CSPM or anything like that but you can use the token RecordOfLogAddress in packetd.conf so the syntax would be

RecordOfLogAddress w.x.y.z

brok3n
Level 1

Why can't you run tcpdump on spwr0? I do it all the time.

You should be able to run "snoop -d spwr0" as user root (not user netrangr).

Or a program like tcpdump.

We do it quite often when diagnosing sensor issues.

But I do not recommend doing this for any length of time because it will slow down sensor performance.

If you are wanting to log the packets for a long period of time then the RecordOfLogAddress is the correct method to use.

But I do caution you that the IP Logging will slow down the sensor.

Usually the slow down is negligible when that particular ip is a remote ip address because there usually aren't too many packets being logged.

But if you try logging a local ip like your web server ip address then you could slow the sensor way down while it tries to write every packet to the sensor harddrive.

The token is easily configured using the new IDM web based configuration tool.

If you are using CSPM you might configure this through IDM initially to see the exact syntax of the configuration line produced.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid48

NOTE: If you are using IDM then you can also download the IP Log files through IDM to your desktop. This may or may not be easier than ftping or scping them yourself.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid59
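The two replies above give the token (`RecordOfLogAddress w.x.y.z` in packetd.conf) and the warning that IP logging of a busy local host can bog the sensor down. The script below is an added example, not code from the original thread or from Cisco: it validates the address as a dotted quad before it goes anywhere near the sensor, and appends the token to a packetd.conf only if an equivalent line is not already there, so re-running it does not stack duplicate entries. The config path is passed in as an argument because the real location on a sensor is an assumption here, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the original thread). Adds a RecordOfLogAddress
# token to a packetd.conf copy, idempotently, after validating the address.
# The config path is an assumption passed by the caller; nothing here
# restarts packetd or touches the live sensor.

# valid_ipv4 ADDR: return 0 only for a syntactically valid dotted quad.
valid_ipv4() {
    # Reject anything but digits and dots, leading/trailing dots, and "..".
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1          # split into octets (only digits survive the case above)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# has_iplog_address FILE ADDR: 0 if FILE already carries the token for ADDR,
# tolerant of extra whitespace between the token and the address.
has_iplog_address() {
    awk -v a="$2" '
        $1 == "RecordOfLogAddress" && $2 == a { found = 1 }
        END { exit !found }
    ' "$1" 2>/dev/null
}

# add_iplog_address FILE ADDR: append "RecordOfLogAddress ADDR" unless present.
# Returns 2 on a malformed address so a typo never reaches the sensor config.
add_iplog_address() {
    conf=$1
    addr=$2
    if ! valid_ipv4 "$addr"; then
        echo "add_iplog_address: invalid IPv4 address: $addr" >&2
        return 2
    fi
    if has_iplog_address "$conf" "$addr"; then
        return 0      # already configured; nothing to do
    fi
    printf 'RecordOfLogAddress %s\n' "$addr" >> "$conf"
}

# Usage: ./iplog.sh /path/to/packetd.conf w.x.y.z
if [ "$#" -eq 2 ]; then
    add_iplog_address "$1" "$2"
fi
```

Keep brok3n's caveat in mind when choosing the address: the sensor writes every matching packet to its disk, so this is meant for a remote host of interest, not your own web server. For a short diagnostic capture the bounded `tcpdump -i spwr0 -c 1000 -w /tmp/host.pcap host w.x.y.z` (as root, with `-c` capping the packet count) is the lighter option the reply describes.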
