Tuesday, February 22, 2011

Packet Capture on ISS IPS

We can measure how much traffic is going through the appliance.
Here are the instructions for getting a packet capture.
To log all packets on a Next-gen (1.2 or later firmware) Proventia G, you will need to use tcpdump on the command line. The command is below.

# tcpdump -s 0 -i ProvG_1 -n -w /tmp/capture.enc

Below is an explanation of the parameters in the command above.

       The -s 0 parameter is used to capture all traffic on the wire. Without it, tcpdump captures only approximately the first 68 bytes of each packet.
       The -i ProvG_1 parameter is used to capture all the traffic on all monitoring interfaces. A single interface cannot be specified.
       The -n option is used to disable reverse DNS lookup.
       The -w /tmp/capture.enc parameter instructs tcpdump to write the contents to a file on the disk. This file will be in raw format and can be analyzed in Ethereal or by running the capture back through tcpdump for a text dump of the headers.
tcpdump gathers the capture before the packets reach PAM or the firewall. Therefore, all traffic, including traffic that the Proventia G would normally block, will be seen in the packet capture.
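As an added example (not from the original post or from ISS), the following Python script reads the raw file that -w writes and totals the traffic it holds, which is the measurement the post is after. It also counts records whose saved length is shorter than their wire length, which is what the capture looks like when -s 0 is left off. The frames and timestamps are constructed in memory, so no Proventia G is needed to run it.

```python
import struct

# Classic pcap layout: a global header (magic, version 2.4, tz, sigfigs, snaplen, linktype 1 = Ethernet)
# followed by records of (ts_sec, ts_usec, caplen = bytes saved, wire_len = bytes on the wire).
GLOBAL_HDR = "IHHiIII"
RECORD_HDR = "IIII"

def write_pcap(frames, snaplen):
    """Simulate what 'tcpdump -w' writes for a given snaplen (constructed input, not a real capture)."""
    out = struct.pack("<" + GLOBAL_HDR, 0xa1b2c3d4, 2, 4, 0, 0, snaplen, 1)
    for ts_sec, ts_usec, frame in frames:
        saved = frame[:snaplen]          # tcpdump keeps only the first snaplen bytes of each frame
        out += struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(saved), len(frame)) + saved
    return out

def summarize_pcap(blob):
    """Walk a classic pcap file and total packets, wire bytes, saved bytes and truncated records."""
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"                     # written by a little-endian host
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"                     # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack_from(endian + GLOBAL_HDR, blob, 0)[5]
    stats = {"snaplen": snaplen, "packets": 0, "wire_bytes": 0, "saved_bytes": 0, "truncated": 0}
    first = last = None
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, caplen, wire_len = struct.unpack_from(endian + RECORD_HDR, blob, off)
        off += 16
        if off + caplen > len(blob):
            raise ValueError("record runs past end of file (capture cut short?)")
        off += caplen
        last = ts_sec + ts_usec / 1e6
        first = last if first is None else first
        stats["packets"] += 1
        stats["wire_bytes"] += wire_len
        stats["saved_bytes"] += caplen
        if caplen < wire_len:            # saved less than was on the wire: snaplen was too small
            stats["truncated"] += 1
    # Throughput across the capture window: the "how much traffic" figure the post is after
    span = (last - first) if stats["packets"] > 1 else 0.0
    stats["mbit_per_s"] = stats["wire_bytes"] * 8 / span / 1e6 if span > 0 else 0.0
    return stats

# Constructed sample: two full-size Ethernet frames and one minimum-size frame, half a second apart
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")
FRAMES = [(1298332800, 0, ETH_HDR + bytes(1500)),
          (1298332800, 500000, ETH_HDR + bytes(1500)),
          (1298332801, 0, ETH_HDR + bytes(46))]
```

To run it against a real capture, call `summarize_pcap(open("/tmp/capture.enc", "rb").read())`; a non-zero `truncated` count means the file was taken without -s 0 and the payloads are incomplete.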