Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
557
Views
0
Helpful
3
Replies

monitoring interface not shown

rcrowe
Level 1
Level 1

‎07-14-2001 12:59 AM - edited ‎03-08-2019 08:28 PM

I have a 4230, 4210 and CSPM. If I telnet to either sensor, and issue a "ifconfig -a", I do not see the monitoring nic. I think this causes the second issue I have, no signature events logged in database, only "route up/down".(From upgrading/updating sensors). I have checked the SPAN ports the nics are on and it does see traffic. I was told in a recent TAC case that you will never see the promiscuous nic, is this true? CSPM v2.3i, IDS v2.5(1)S3

Labels:
0 Helpful
3 Replies 3

marcabal
Cisco Employee
Cisco Employee

‎07-16-2001 06:49 PM

True, you should never see the sniffing interface when using the "ifconfig -a" command.

To see if the interface is seeing packets try executing the following commands:

On the 4210 as user root: "snoop -d iprb0"

On the 4230 as user root: "snoop -d spwr0"

You may also want to check the NameOfPacketDevice configuration in the /usr/nr/etc/packetd.conf file on the sensors:

On the 4210 in packetd.conf: "NameOfPacketDevice /dev/iprb0"

On the 4230 in packetd.conf: "NameOfPacketDevice /dev/spwr0"

If these interface names are incorrect they can be corrected in CSPM, and have the new configuration pushed to the sensor. Check to ensure that the configuration is now correct on the sensors. You may need to execute "nrstop" and "nrstart" to ensure that all of the IDS programs are started. Also run "nrvers" to ensure that all the IDS programs are responding to the query for the version information.

Once you have ensured that all of the programs are running, the correct configuration is being used, packets are being seen by the snoop command, then you should see any alarms being gernerated by the sensors.

I would recommend generating a specific alarm to see if it is being seen. Generally poeple create a custom signature to do this type of verification such as the string "Test Sensor" on a telnet connection.

0 Helpful

sboutchyard
Level 1
Level 1
In response to marcabal

‎07-17-2001 05:03 AM

Without seeing the interface, how do we configure the span port it is on? 100mbps full duplex, 100/half? Is it autosensing?

0 Helpful

marcabal
Cisco Employee
Cisco Employee
In response to sboutchyard

‎07-17-2001 08:28 AM

The sniffinng interface of the sensor is autosensing.

The switch should negotiatie to 100 Mbps Full Duplex, though I have heard of situations where the switch was auto negotiating to 10 Mbps but I haven't been able to reproduce the problem in our lab.

There should be a "show port" or similar command to see what the switch negotiates for the port.

If the switch is negotiating 10 Mbps then you should be able to set the port to 100 Mbps through the switch CLI.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents