Cisco IPS and packet capturing
I had to perform troubleshooting of management traffic exchanged between IPS module in ASA5525-X and management station. I had some communication problems resulting in denied traffic on firewall placed in between (and it’s not the ASA itself). The best option is always sniffing packet headers on either end, as I had no possibility to do it on management station IPS was the next option.
As much as IPS software is limited (and also not clear in configuration approach if you are used to IOS) there is easy option to capture the traffic. You can do it in two ways either by displaying traffic flow on terminal or saving to file. First option is probably best for quick analysis and if you don’t care about payload.
sensor# packet display GigabitEthernet0/1 Warning: This command will cause significant performance degradation tcpdump: listening on ge0_1, link-type EN10MB (Ethernet), capture size 65535 bytes 03:43:05.691883 IP (tos 0x10, ttl 64, id 55460, offset 0, flags [DF], length: 100) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 4233955485:4233955533(48) ack 1495691730 win 8576 03:43:05.691975 IP (tos 0x10, ttl 64, id 55461, offset 0, flags [DF], length: 164) 10.89.147.31.22 > 10.89.147.50.41805: P [tcp sum ok] 48:160(112) ack 1 win 8576
This is easy way to filter just basing on interface but more complex filtering can be applied. Here is an example:
sensor# packet display Management0/0 snaplen 60 count 1000 expression host 10.0.0.1 && port 443
In example above length of captured data is 60 bytes so enough to capture IP headers, we stop capturing after 1000 packets and filter basing on criteria specified after ‘expression’ keyword. We can base on multiple criteria using logical operators.
To save capturing result into file we have to use command
sensor# packet capture Management0/0 count 1000
Sniffed data is stored in ‘packet-file’ that can be displayed directly on IPS using command
sensor# packet display packet-file
or send it to FTP servcer using ‘copy’ command.