Viewing ip log files

vachonb
Level 1

Hey all,

For the life of me I cannot figure out how to view the log files sent to the sensor when "ip log" is set as the action on the signatures. I know where they are on the sensor, but they are raw data files. How do you read these? I am assuming they are similar to a sniffer trace with all the packet info in them. Tried FTPing them and opening them with Sniffer Pro, but that didn't work. Can someone point me in the right direction?

Thanks,

Brian

7 Replies

danrodri
Cisco Employee

IDS 2.X IP log files can be viewed using Ethereal (www.ethereal.org).

IDS 3.X IP log files are in tcpdump format.

Thanks. By the way, it's www.ethereal.com; .org was some tarot card place! LOL. I'm running 3.0(4)S4 on the sensor already. You said it's in tcpdump format; how do I view those? Again, it appears to be raw data. I tried Sniffer Pro, and it didn't work. I'll try Ethereal today if I get a chance.

Thanks,

Brian

IP logs from version 2.x sensors were in a proprietary binary format, and could only be read by Ethereal and a special program called transcript that was on the 2.2.1 Unix Directors.

IP logs from version 3.x sensors are in standard tcpdump format, and can still be read by Ethereal, and can now be read by any other tool able to read tcpdump-formatted files.

(NOTE: transcript on the Director can not read the new tcpdump format.)
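Because the 3.x files are plain libpcap ("tcpdump format"), the format is simple enough to check by hand before reaching for Ethereal. The following is an added example, not code from this thread or from Cisco: a small Python reader that verifies the libpcap magic number, takes the byte order from it, walks the packet records with length and truncation checks, and prints a one-line summary of each IPv4 frame. The capture it parses is constructed inline, and every function name here is the example's own. A file that does not start with the libpcap magic (a 2.x proprietary IP log, for instance) is rejected with an error rather than silently misparsed.

```python
"""Minimal libpcap ("tcpdump format") reader.
Added example, not part of the original thread; names and sample data are its own."""
import struct
import sys
from typing import Iterator, NamedTuple

# libpcap magic, as read little-endian from the first 4 bytes on disk.
# value -> (struct byte-order prefix for the rest of the file,
#           divisor turning the fractional timestamp field into seconds)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanoseconds
}
GLOBAL_HEADER_LEN = 24  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16  # ts_sec, ts_frac, incl_len, orig_len
LINKTYPE_ETHERNET = 1


class PcapInfo(NamedTuple):
    byte_order: str
    ts_divisor: int
    version: tuple
    snaplen: int
    linktype: int


class Packet(NamedTuple):
    timestamp: float
    orig_len: int
    data: bytes


def parse_global_header(buf: bytes) -> PcapInfo:
    """Validate the magic and decode the 24-byte file header."""
    if len(buf) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than the 24-byte libpcap global header")
    magic = struct.unpack("<I", buf[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x})")
    order, divisor = PCAP_MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", buf[4:GLOBAL_HEADER_LEN])
    return PcapInfo(order, divisor, (major, minor), snaplen, linktype)


def is_pcap(buf: bytes) -> bool:
    """True if the buffer starts with a valid libpcap global header."""
    try:
        parse_global_header(buf)
        return True
    except ValueError:
        return False


def iter_packets(buf: bytes) -> Iterator[Packet]:
    """Walk the packet records, refusing truncated or oversized ones."""
    info = parse_global_header(buf)
    fmt = info.byte_order + "IIII"
    off = GLOBAL_HEADER_LEN
    while off < len(buf):
        if len(buf) - off < RECORD_HEADER_LEN:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            fmt, buf[off:off + RECORD_HEADER_LEN])
        data_off = off + RECORD_HEADER_LEN
        # Captured bytes can never exceed the snaplen or the on-wire length.
        if incl_len > info.snaplen or incl_len > orig_len:
            raise ValueError(f"bad record length {incl_len} at offset {off}")
        if len(buf) - data_off < incl_len:
            raise ValueError(f"truncated packet data at offset {data_off}")
        yield Packet(ts_sec + ts_frac / info.ts_divisor, orig_len,
                     buf[data_off:data_off + incl_len])
        off = data_off + incl_len


def summarize(pkt: Packet) -> str:
    """One-line summary of an Ethernet frame; IPv4 gets src/dst/protocol."""
    d = pkt.data
    if len(d) < 14:
        return f"runt frame ({len(d)} bytes)"
    ethertype = struct.unpack("!H", d[12:14])[0]
    if ethertype != 0x0800 or len(d) < 34:
        return f"ethertype 0x{ethertype:04x}, {pkt.orig_len} bytes"
    proto, src, dst = d[23], d[26:30], d[30:34]  # fixed offsets inside the IPv4 header
    return (f"{'.'.join(map(str, src))} -> {'.'.join(map(str, dst))} "
            f"proto {proto} ({pkt.orig_len} bytes)")


def build_sample_pcap(order: str = "<") -> bytes:
    """Constructed sample capture: two IPv4/TCP frames on Ethernet, either byte order."""
    hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

    def frame(src: str, dst: str) -> bytes:
        eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
        payload = b"IPLOGTST"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        return eth + ip + payload

    out = hdr
    for ts_sec, ts_usec, f in ((1_000_000_000, 250_000, frame("10.0.0.1", "192.0.2.7")),
                               (1_000_000_001, 0, frame("192.0.2.7", "10.0.0.1"))):
        out += struct.pack(order + "IIII", ts_sec, ts_usec, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # Usage: python reader.py <iplog-file>; with no argument it parses the built-in sample.
    buf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for p in iter_packets(buf):
        print(f"{p.timestamp:.6f}  {summarize(p)}")
```

The magic check is the practical test here: if the first four bytes of an IP log are not one of the libpcap values above, the file is not in tcpdump format and no pcap reader will open it, which is exactly the difference between the 2.x and 3.x files described in this thread.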

MARCOA,

Is the IP log feature in CSPM not available with the IDSM 3.0(3)S10? I have enabled this for a few signatures but do not see any logs on the IDSM.

Thanks,

Jeff

The IDS Module does not support IP Logging.

You have to have the IDS Appliance for IP Logging.

robert.mcclain
Level 1

If you received the CD for the upgrade to 3.0 on the sensor, Ethereal comes with it and IP logs can be viewed from the Director. You can also put it on a Windows machine. I FTP the files down to my Win2k machine and view them with Ethereal there.

Excellent, thanks Robert. I didn't even look on the 3.0 disk; figured it was straight Unix/Linux. Looked on the CSPM disk, nada. I'll check out the 3.0 disk tomorrow. Thanks again.

Brian
