Sensors (4230) are not working after upgrade to 4.1.1min

DSmirnov
Level 1

I've updated a few sensors from 4.0.2S47 to 4.1.1minS47 two days ago.

I can't get sensors working after update: they report no problem but don't see any traffic on monitoring interface.

I've tried to reset a root password and tried tcpdump from eth0 but no traces of traffic again...

Tried disabling/enabling int0 on the sensing interface, power-cycling, etc.; nothing helps...

Any ideas or similar problems with 4.1.1?

PS: I saw new Linux drivers for e100 and e1000 in the 4.1.1 update; maybe that is the problem?

3 Replies

marcabal
Cisco Employee

A few bits of information for you:

1) There is a new driver for the e100 and e1000 drivers. The new driver was created to allow us to support multiple interfaces on the 4215, 4235, and 4250 chassis.

2) The new driver has a limitation. SensorApp and tcpdump can no longer both be used to sniff on the same interface. SensorApp is no longer opening the interface in a way that is compatible with tcpdump so trying to open the interface with both programs will cause problems for one or both of the programs.

3) With version 4.1 the sensorApp program can no longer be used to sniff off the command and control interface. SensorApp can only sniff off dedicated sniffing interfaces (because of the driver change mentioned above). If you were sniffing on the command and control with 4.0 then it won't work when you upgrade to 4.1.

SIDE NOTE: When you upgraded from 3.1 to 4.0 you would have swapped the command and control interface cable with the sniffing interface cable because the interfaces swapped roles when upgrading to 4.0.

4) The sniffing interface needs to be designated as part of the interface group. This should have stayed the same through the upgrade but you may want to check to be sure. You can execute "show interface group 0" and see if int0 is designated as a sniffing port.

sensor# show interface group 0
Group 0 is up
Sensing ports int0
...

5) Verify that your interface has been enabled (no shutdown). Execute "show interface sensing int0" to ensure that the interface is "up".

sensor# show interface sensing int0
Sensing int0 is up
Hardware is eth0, TX
Reset port
MAC statistics from the Fast Ethernet Interface int0
Missed Packet Percentage = 0
Link Status = Up
Total Packets Received = 451306504
Total Bytes Received = 1487556180
Total Receive Errors = 0
Total multicast packets received = 0
Total Receive Length Errors = 0
Total Receive Overrun Errors = 0
Total Receive CRC Errors = 0
Total Receive Frame Errors = 0
Total Receive FIFO Errors = 1302885
Total Receive Missed Errors = 0
Total Packets Transmitted = 0
Total Bytes Transmitted = 0
Total Transmit Errors = 0
Transmit drops due to lack of resources = 0
Total Transmit Packet Collisions = 0
Total Transmit Aborted Errors = 0
Total Transmit Carrier Errors = 0
Total Transmit FIFO Errors = 0
Total Transmit Heartbeat Errors = 0
Total Transmit Window Errors = 0

6) You will also want to look at the above output to ensure that the Link is "up" and that the Packet and Byte counts are increasing, and the Error counts are not increasing.

NOTE: You can also look at the packet counters in the "show interface group 0" command to ensure that they are increasing along with the packet counts for the "show interface sensing int0" command.
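To make the checks in points 5 and 6 repeatable, here is an added example (my own, not from this thread and not Cisco's code) that parses two captures of "show interface sensing int0" in the format quoted above, taken a few seconds apart, and reports whether the interface is enabled, whether the link is up, whether the packet and byte counters are increasing, and whether any error or drop counter grew between the captures. The two sample captures are constructed for illustration; the counter values in the second one are invented.

```python
"""Compare two captures of `show interface sensing <intN>` output.

Added example, not from the original thread. It applies the checks from
points 5 and 6 of the reply above: interface enabled, link up, packet/byte
counts increasing, error and drop counts not increasing.
"""
import re

# Constructed sample: first capture of `show interface sensing int0`.
SAMPLE_T0 = """\
Sensing int0 is up
Hardware is eth0, TX
Reset port
MAC statistics from the Fast Ethernet Interface int0
Missed Packet Percentage = 0
Link Status = Up
Total Packets Received = 451306504
Total Bytes Received = 1487556180
Total Receive Errors = 0
Total Receive FIFO Errors = 1302885
Total Packets Transmitted = 0
Transmit drops due to lack of resources = 0
"""

# Constructed sample: a second capture a few seconds later. Packets and bytes
# grew, and the FIFO error counter also grew (invented values, used to show
# how a rising error counter is reported).
SAMPLE_T1 = SAMPLE_T0.replace("451306504", "451318210") \
                     .replace("1487556180", "1492301007") \
                     .replace("1302885", "1303300")

# Constructed sample: link down and no counter movement at all.
SAMPLE_DEAD = SAMPLE_T0.replace("Link Status = Up", "Link Status = Down")

ADMIN_RE = re.compile(r"^\s*Sensing (?P<iface>\S+) is (?P<state>\w+)")
LINK_RE = re.compile(r"^\s*Link Status\s*=\s*(?P<state>\w+)")
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?)\s*=\s*(?P<value>\d+)\s*$")

# Counters that must grow if traffic is reaching the sniffing port.
TRAFFIC_COUNTERS = ("Total Packets Received", "Total Bytes Received")


def parse_sensing_output(text):
    """Return interface name, admin state, link state and all numeric counters."""
    result = {"interface": None, "admin_up": False, "link_up": False, "counters": {}}
    for line in text.splitlines():
        m = ADMIN_RE.match(line)
        if m:
            result["interface"] = m.group("iface")
            result["admin_up"] = m.group("state").lower() == "up"
            continue
        m = LINK_RE.match(line)
        if m:
            result["link_up"] = m.group("state").lower() == "up"
            continue
        m = COUNTER_RE.match(line)
        if m:
            result["counters"][m.group("name").strip()] = int(m.group("value"))
    return result


def check_interface(before, after):
    """Apply the thread's checks to two parsed captures; return a list of findings."""
    findings = []
    if not after["admin_up"]:
        findings.append("interface is not up: it may still be shut down")
    if not after["link_up"]:
        findings.append("Link Status is not Up")
    for name in TRAFFIC_COUNTERS:
        if after["counters"].get(name, 0) <= before["counters"].get(name, 0):
            findings.append(f"{name} is not increasing: no traffic is reaching the sensing port")
    for name, value in after["counters"].items():
        if "Error" in name or "drops" in name:
            delta = value - before["counters"].get(name, 0)
            if delta > 0:
                findings.append(f"{name} increased by {delta}")
    return findings


def diagnose(before_text, after_text):
    """Convenience wrapper: parse both captures and return the findings."""
    return check_interface(parse_sensing_output(before_text),
                           parse_sensing_output(after_text))


if __name__ == "__main__":
    for label, second in (("healthy but dropping", SAMPLE_T1), ("dead", SAMPLE_DEAD)):
        print(f"[{label}]")
        for finding in diagnose(SAMPLE_T0, second) or ["no findings"]:
            print("  -", finding)
```

In practice you would paste two real captures taken a few seconds apart in place of the constructed samples; a rising "Total Receive FIFO Errors" between them means the sensor is dropping frames under load even though the link is up and packets are being counted.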

Wow, thanks a lot!

Everything is working now!

It is very sad to lose the ability to sniff traffic using tcpdump; it was very helpful for detecting worms and unusual traffic patterns this way...

Is iplogging a possible replacement for what you were doing with tcpdump?

If not, then can you provide me with what is missing from iplogging that you could get with tcpdump?

I am trying to find out the things that our customers have been doing through other system tools that our IDS does not do natively.

It provides possibilities for new requirements.
