Cisco Support Community

New Member

monitoring interface not shown

I have a 4230, 4210 and CSPM. If I telnet to either sensor and issue an "ifconfig -a", I do not see the monitoring NIC. I think this causes the second issue I have: no signature events logged in the database, only "route up/down" (from upgrading/updating sensors). I have checked the SPAN ports the NICs are on and it does see traffic. I was told in a recent TAC case that you will never see the promiscuous NIC; is this true? CSPM v2.3i, IDS v2.5(1)S3

3 REPLIES
Cisco Employee

Re: monitoring interface not shown

True, you should never see the sniffing interface when using the "ifconfig -a" command.

To see if the interface is seeing packets try executing the following commands:

On the 4210 as user root: "snoop -d iprb0"

On the 4230 as user root: "snoop -d spwr0"

You may also want to check the NameOfPacketDevice configuration in the /usr/nr/etc/packetd.conf file on the sensors:

On the 4210 in packetd.conf: "NameOfPacketDevice /dev/iprb0"

On the 4230 in packetd.conf: "NameOfPacketDevice /dev/spwr0"

If these interface names are incorrect they can be corrected in CSPM, and have the new configuration pushed to the sensor. Check to ensure that the configuration is now correct on the sensors. You may need to execute "nrstop" and "nrstart" to ensure that all of the IDS programs are started. Also run "nrvers" to ensure that all the IDS programs are responding to the query for the version information.

Once you have ensured that all of the programs are running, the correct configuration is being used, and packets are being seen by the snoop command, then you should see any alarms being generated by the sensors.

I would recommend generating a specific alarm to see if it is being seen. Generally people create a custom signature to do this type of verification, such as the string "Test Sensor" on a telnet connection.
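
Added example, not part of the original reply and not Cisco's own tooling: a small shell check that compares the NameOfPacketDevice entry in a packetd.conf file against the device the reply lists for each sensor model. The function names are hypothetical, and the file format (one whitespace-separated "token value" pair per line) is an assumption based on the lines quoted above.

```shell
#!/bin/sh
# Added example: verify that packetd.conf names the sniffing device expected
# for the sensor model. Model/device pairs are the ones given in the reply.

# Map a sensor model to its sniffing device; fails for any other model.
expected_device() {
    case "$1" in
        4210) echo /dev/iprb0 ;;
        4230) echo /dev/spwr0 ;;
        *)    return 1 ;;
    esac
}

# Print the configured NameOfPacketDevice value, if any.
# Assumption: the token is the first field and its value the second; lines
# with any other first field (blank lines, commented-out entries) are ignored.
# If the token appears more than once, the last one is reported.
configured_device() {
    awk '$1 == "NameOfPacketDevice" { dev = $2 } END { if (dev != "") print dev }' "$1"
}

# check_packet_device MODEL CONF
# Returns 0 on match, 1 on mismatch, 2 if the token is missing,
# 3 if the model is unknown or the file cannot be read.
check_packet_device() {
    model=$1
    conf=$2
    want=$(expected_device "$model") || { echo "unknown model: $model" >&2; return 3; }
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 3; }
    have=$(configured_device "$conf")
    if [ -z "$have" ]; then
        echo "$conf: NameOfPacketDevice not set" >&2
        return 2
    fi
    if [ "$have" != "$want" ]; then
        echo "$conf: NameOfPacketDevice is $have, expected $want for a $model" >&2
        return 1
    fi
    echo "$conf: NameOfPacketDevice $have matches model $model"
}

# Constructed sample (not a real sensor config): the file names the 4210 device.
sample="${TMPDIR:-/tmp}/packetd.conf.sample.$$"
printf '%s\n' '# constructed sample' 'NameOfPacketDevice /dev/iprb0' > "$sample"
check_packet_device 4210 "$sample"
check_packet_device 4230 "$sample" || echo "mismatch: correct it in CSPM and push the configuration"
rm -f "$sample"
```

On a sensor the second argument would be /usr/nr/etc/packetd.conf; a mismatch here means the sensor can be running and answering "nrvers" while listening on the wrong device.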

New Member

Re: monitoring interface not shown

Without seeing the interface, how do we configure the span port it is on? 100mbps full duplex, 100/half? Is it autosensing?

Cisco Employee

Re: monitoring interface not shown

The sniffing interface of the sensor is autosensing.

The switch should negotiate to 100 Mbps Full Duplex, though I have heard of situations where the switch was auto-negotiating to 10 Mbps but I haven't been able to reproduce the problem in our lab.

There should be a "show port" or similar command to see what the switch negotiates for the port.

If the switch is negotiating 10 Mbps then you should be able to set the port to 100 Mbps through the switch CLI.
