I have converted one IDS 4210 from version (3.0) to (4.0), and then added it successfully to the IDS MC and Security Monitor. For some reason I didn't receive any alarms on the Security Monitor.
I used the service account to log on to the IDS device to check the sniffing interface [./tcpdump I eth0] then I received the following error message
[tcpdump: WARNING: eth0: no IPv4 address assigned].
Any idea what this means?
The warning message is benign; all sniffing interfaces are not assigned IP addresses.
In order to successfully run tcpdump from a sniffing interface, you need to make sure the IDS is not using that interface. In the CLI do: conf t, int sen int0, shut
Then in the service shell account:
ifconfig eth0 up
tcpdump -i eth0
ifconfig eth0 down
When you are done, make sure to ifconfig eth0 down. Otherwise the IDS will not be able to open the device.
From the CLI [Config T > Int sen > Shutdown]
and from the service account > /usr/sbin I have run this command:
./ifconfig eth0 up > it rebooted the IDS device. When it came back up, I ran the other command [./tcpdump -i eth0] > I received this message:
TCPDUMP:WARNING: ETH0: NO IPV4 ADDRESS ASSIGNED
TCPDUMP: LISTENING ON ETH0
0 PACKETS RECIEVED BY FILTER
0 PACKETS DROPPED BY KERNEL
Now I am trying to run the third command [./ifconfig eth0 down] > and I received (no such file or directory).
The fact that the machine rebooted tells me you did not perform the steps I gave you earlier correctly. Try these.
In the CLI:
1) a) conf t
b) int sen int0
2) Now login to the shell service account
a) su - (login as root)
b) ifconfig eth0
(make sure the device is DOWN, stop here if UP, go back to step #1)
c) ifconfig eth0 up
d) tcpdump -i eth0
e) ifconfig eth0 down (after you are done with tcpdump, make sure you leave the interface down)
Please note: Using tcpdump is not supported on a running sensor with version 4.1. You do so at your own risk.
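The pre-check from step 2b (stop if the interface is still UP) and the up/tcpdump/down sequence written out as a small script. This is an added example, not from the thread or from Cisco; it assumes the /sbin/ifconfig and /usr/sbin/tcpdump paths mentioned in the posts, and the two ifconfig outputs it self-tests against are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Interface and path names (eth0,
# /sbin/ifconfig, /usr/sbin/tcpdump) come from the posts; the sample
# ifconfig output below is constructed for the self-test.

# Constructed ifconfig output for a sensing interface the sensor still owns
# (flag line carries UP and PROMISC).
UP_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:48213 errors:0 dropped:0 overruns:0 frame:0'

# Constructed output for the same interface after "int sen int0 / shutdown".
DOWN_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:48213 errors:0 dropped:0 overruns:0 frame:0'

# Exit 0 when the UP flag is present in one interface's ifconfig output.
# Matches the classic "UP BROADCAST ..." line and the newer "flags=...<UP,...>".
iface_is_up() {
  printf '%s\n' "$1" | grep -Eq '(^|[[:space:]<])UP([[:space:],>]|$)'
}

# RX packet counter from ifconfig output (the OS-level counterpart of the
# packet counts you watch with "sh int" in the CLI).
rx_packets() {
  printf '%s\n' "$1" | sed -n 's/.*RX packets:\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Capture on a sensing interface only after the sensor has released it, and
# put the interface back down afterwards even if tcpdump is interrupted.
capture_on_sensing_iface() {
  iface=$1; shift
  state=$(/sbin/ifconfig "$iface") || return 1
  if iface_is_up "$state"; then
    echo "$iface is UP: shut it from the IDS CLI first (conf t, int sen, shutdown)" >&2
    return 2
  fi
  /sbin/ifconfig "$iface" up || return 1
  trap '/sbin/ifconfig "$iface" down' EXIT INT TERM
  /usr/sbin/tcpdump -i "$iface" "$@"
}

# Usage (only when run explicitly as root on the sensor):
#   IDS_CAPTURE_IFACE=eth0 sh capture.sh -n -c 100
if [ -n "${IDS_CAPTURE_IFACE:-}" ]; then
  capture_on_sensing_iface "$IDS_CAPTURE_IFACE" "$@"
fi
```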
Okay, two things. First, where is the [ifconfig] file located? Second, regarding your note, if it is risky to run tcpdump, how can I check if there is traffic on the sniffing interface?
ifconfig is a command located in /sbin/ifconfig
Following the steps I gave you in my previous post, you will be able to see the tcpdump traffic on a sniffing interface. The caveat is the sensor cannot be actively sniffing from it.
You run into problems if you do not properly turn the interface off in the CLI. The sensor cannot be using it as a sniffing interface when you try to do a tcpdump.
Perhaps a better way to see if you have traffic is to look at the interface statistics in the CLI.
> sh int
You should see the packet counts increasing.
sh int just shows you that there is traffic, but how can I figure out what kind of traffic? For instance, in version 3.0 I use the command (snoop -d iprb0), so what is the equivalent in version 4.0?