03 Jul

Cisco IPS and packet capturing

I had to perform troubleshooting of management traffic exchanged between IPS module in ASA5525-X and management station. I had some communication problems resulting in denied traffic on firewall placed in between (and it’s not the ASA itself). The best option is always sniffing packet headers on either end, as I had no possibility to do it on management station IPS was the next option.

As much as IPS software is limited (and also not clear in configuration approach if you are used to IOS) there is easy option to capture the traffic. You can do it in two ways either by displaying traffic flow on terminal or saving to file. First option is probably best for quick analysis and if you don’t care about payload.

sensor# packet display GigabitEthernet0/1 
Warning: This command will cause significant performance degradation
tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes

03:43:05.691883 IP (tos 0x10, ttl  64, id 55460, offset 0, flags [DF], length: 100) > P [tcp sum ok] 4233955485:4233955533(48) ack 
1495691730 win 8576 

03:43:05.691975 IP (tos 0x10, ttl  64, id 55461, offset 0, flags [DF], length: 164) > P [tcp sum ok] 48:160(112) ack 1 win 8576 

This is easy way to filter just basing on interface but more complex filtering can be applied. Here is an example:

sensor# packet display Management0/0 snaplen 60 count 1000 expression host && port 443

In example above length of captured data is 60 bytes so enough to capture IP headers, we stop capturing after 1000 packets and filter basing on criteria specified after ‘expression’ keyword. We can base on multiple criteria using logical operators.

To save capturing result into file we have to use command

sensor# packet capture Management0/0 count 1000

Sniffed data is stored in ‘packet-file’ that can be displayed directly on IPS using command

sensor# packet display packet-file

or send it to FTP servcer using ‘copy’ command.

Leave a Reply

%d bloggers like this: