
New Member

IDS 4210 sniffing interface

I have converted one IDS 4210 from version (3.0) to (4.0), and then added it successfully to the IDS MC, and Security Monitor. For some reason I didn’t receive any alarms on the security monitor.

I used the service account to log on to the IDS device to check the sniffing interface [./tcpdump -i eth0], and I received the following error message:

[tcpdump: WARNING: eth0: no IPv4 address assigned].

Any idea what this means?

9 REPLIES
Cisco Employee

Re: IDS 4210 sniffing interface

The warning message is benign; sniffing interfaces are not assigned IP addresses.

In order to successfully run tcpdump on a sniffing interface, you need to make sure the IDS is not using that interface. In the CLI do: conf t, int sen int0, shut

Then in the service shell account:

ifconfig eth0 up

tcpdump -i eth0

ifconfig eth0 down

When you are done, make sure to ifconfig eth0 down. Otherwise the IDS will not be able to open the device.

New Member

Re: IDS 4210 sniffing interface

From the CLI: [Config T > Int sen > Shutdown]

and from the service account, in /usr/sbin, I ran this command:

./ifconfig eth0 up > it rebooted the IDS device. When it came back up, I ran the other command [./tcpdump -i eth0] > I received this message:

TCPDUMP:WARNING: ETH0: NO IPV4 ADDRESS ASSIGNED

TCPDUMP: LISTENING ON ETH0

0 PACKETS RECIEVED BY FILTER

0 PACKETS DROPPED BY KERNEL

Now I am trying to run the third command [./ifconfig eth0 down] > and I received (no such file or directory).

Any idea??!

Cisco Employee

Re: IDS 4210 sniffing interface

Which sensor version are you running?

What is output from:

> sh ver

New Member

Re: IDS 4210 sniffing interface

Version S58, and I am currently updating it to the newer version, which is IDS-sig-4.1-3-S65.

Cisco Employee

Re: IDS 4210 sniffing interface

The fact that the machine rebooted tells me you did not perform the steps I gave you earlier correctly. Try these.

In the CLI:

1) a) conf t

b) int sen int0

c) shutdown

d) exit

e) exit

2) Now login to the shell service account

a) su - (login as root)

b) ifconfig eth0

(make sure the device is DOWN, stop here if UP, go back to step #1)

c) ifconfig eth0 up

d) tcpdump -i eth0

e) ifconfig eth0 down (after you are done with tcpdump, make sure you leave the interface down)

Please note: Using tcpdump is not supported on a running sensor with version 4.1. You do so at your own risk.
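The capture sequence from the two Cisco Employee replies above (shut the sensing interface in the CLI, ifconfig eth0 up, tcpdump -i eth0, ifconfig eth0 down), as an added example that is not code from the thread or from Cisco: a small sh wrapper that enforces the "stop here if UP" check from step 2b and always leaves the interface down afterwards. It assumes the service-account shell with /sbin/ifconfig and tcpdump, the eth0 name from the thread, and that the CLI shutdown of int0 has already been done; the ifconfig output inside it is constructed for a self-check of the parser.

```sh
#!/bin/sh
# Added example, not code from the thread or from Cisco.
# Assumes /sbin/ifconfig, tcpdump, and that "int sen int0" / "shutdown"
# has already been done in the sensor CLI (step 1 of the reply above).

IFACE="${IFACE:-eth0}"

# Constructed samples of net-tools style "ifconfig eth0" output, used only to
# self-check the parser. The flags line carries "UP" only when the interface is up.
SAMPLE_UP='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_DOWN='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          BROADCAST MULTICAST  MTU:1500  Metric:1'

# iface_is_up TEXT: exit 0 if TEXT (ifconfig output) shows the interface UP.
# Matches the word UP on its own, in both the old "UP BROADCAST ..." layout
# and the newer "flags=...<UP,BROADCAST,...>" layout.
iface_is_up() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]<])UP([[:space:],>]|$)'
}

# parser_selfcheck: exit 0 when both constructed samples are classified correctly.
parser_selfcheck() {
    iface_is_up "$SAMPLE_UP" || return 1
    iface_is_up "$SAMPLE_DOWN" && return 1
    return 0
}

# safe_tcpdump [tcpdump args...]: step 2 of the procedure with check 2b enforced.
# Refuses to touch an interface that is already UP (the sensor may still own it,
# which is what rebooted the box in the thread) and always brings it DOWN again
# afterwards, even on Ctrl-C, so the sensor can reopen the device.
safe_tcpdump() {
    state="$(/sbin/ifconfig "$IFACE" 2>&1)" || { echo "$state" >&2; return 2; }
    if iface_is_up "$state"; then
        echo "$IFACE is UP: do 'conf t', 'int sen int0', 'shutdown' in the CLI first" >&2
        return 1
    fi
    /sbin/ifconfig "$IFACE" up || return 2
    trap '/sbin/ifconfig "$IFACE" down' EXIT INT TERM
    tcpdump -i "$IFACE" "$@"
    rc=$?
    /sbin/ifconfig "$IFACE" down
    trap - EXIT INT TERM
    return "$rc"
}
```

Source the file as root in the service account and call safe_tcpdump, optionally with extra tcpdump arguments; nothing runs at load time.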

New Member

Re: IDS 4210 sniffing interface

Okay, two things. First, where is the [ifconfig] file located? Second, regarding your note, if it is risky to run tcpdump, how can I check if there is traffic on the sniffing interface?

thank you

Cisco Employee

Re: IDS 4210 sniffing interface

ifconfig is a command located in /sbin/ifconfig

Following the steps I gave you in my previous post, you will be able to see the tcpdump traffic on a sniffing interface. The caveat is the sensor cannot be actively sniffing from it.

You run into problems if you do not properly turn the interface off in the CLI. The sensor cannot be using it as a sniffing interface when you try to do a tcpdump.

Cisco Employee

Re: IDS 4210 sniffing interface

Perhaps a better way to see if you have traffic is to look at the interface statistics in the CLI.

> sh int

You should see the packet counts increasing.

New Member

Re: IDS 4210 sniffing interface

sh int just shows you that there is traffic, but how can I figure out what kind of traffic? For instance, in version 3.0 I use the command (snoop -d iprb0), so what is the equivalent in version 4.0?
