NetRanger packet capture interface question

croberts
Level 1

I am trying to get a sensor working properly. It is unclear from the Cisco docs whether the packet capture interface is supposed to be configured with an IP. The sensors configured by my predecessor all have their packet capture interfaces configured with an IP that sits on the web server VLAN. The Cisco docs imply that this is unnecessary. Anyone have any experience with this?

4 Replies

bkubesh
Level 1

The packet capture interface is not configured with an IP, nor is it bound to a protocol stack. This is done so that an attacker can not detect or access the interface.

The command and control interface is the only interface that should be accessible (bound to protocol stack and IP number assigned). We also recommend that the cmd and control interface be secured and not be on the same network as the sniffing interface.

Hi,

... and what's the name of the packet capture interface which I can use in the snoop command?

In 2.2 it was /dev/spwr.

Thanks

Rene

In the IDS-4230 (and older NRS sensors) the sniffing interface is /dev/spwr0 and the command and control interface is /dev/iprb0.

On the slim blue IDS-4210 sensors the sniffing interface is /dev/iprb0 and the command and control interface is /dev/iprb1.

In packetd.conf you can set the NameOfPacketDevice (i.e. the sniffing interface) to the keyword "auto" and packetd will detect the type of hardware and automatically set itself to monitor the correct interface.

However, if you place an IP address on /dev/spwr0 as your predecessor has done, then you cannot use the "auto" detect feature; you will have to enter /dev/spwr0 for the NameOfPacketDevice.

It is recommended and standard procedure not to place an address on the /dev/spwr0 interface, except in rare circumstances where diagnostic information needs to be gathered.

It is possible that he placed an IP on the interfaces for diagnostic purposes and then left them as is, and forgot to remove the IP address.
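The replies above say the sniffing interface should carry no IP address, and that an address on /dev/spwr0 also breaks "auto" detection. The following audit script is an added example, not code from the thread or from Cisco: it parses Solaris-style `ifconfig -a` output (the sample text is constructed, not captured from a real sensor) and reports whether the named capture interface has an inet address configured.

```shell
#!/bin/sh
# Added example: check whether a sensor's packet capture interface has an
# IP address bound to it. The thread recommends that it should not.

# Print the name of every interface in the given ifconfig text that has an
# "inet" address line. Header lines look like "spwr0: flags=..."; address
# lines are indented and begin with "inet".
addressed_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+:/        { iface = $1; sub(/:$/, "", iface); next }
        /^[[:space:]]+inet /    { print iface }
    '
}

# Return 0 if the capture interface ($1) has no inet address in the
# ifconfig text ($2), 1 if an address is present. ifconfig shows the
# interface as "spwr0" where packetd.conf refers to "/dev/spwr0".
capture_iface_ok() {
    if addressed_ifaces "$2" | grep -qx "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample resembling an IDS-4230 where the predecessor left an
# address on the sniffing interface spwr0 (addresses are made up).
SAMPLE_IFCONFIG='lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
iprb0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.1.1.20 netmask ffffff00 broadcast 10.1.1.255
spwr0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.50.9 netmask ffffff00 broadcast 192.168.50.255'

if capture_iface_ok spwr0 "$SAMPLE_IFCONFIG"; then
    echo "spwr0: no IP address configured, matches the recommended setup"
else
    echo "spwr0: IP address present; remove it, or set NameOfPacketDevice to /dev/spwr0 explicitly since auto will not work"
fi
```

On a live sensor, feed it the real output with `capture_iface_ok spwr0 "$(ifconfig -a)"` (or `iprb0` on an IDS-4210).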

The device name for the FDDI interface is ptpci. I have to create a link (ln -s /dev/ptpci /dev/ptpci0) to work with tcpdump.
