Capturing Network Traffic

Nov 26,2008 by admin


Introduction

Capturing traffic is one of the most basic configuration skills needed for a successful IDS deployment. It is also one of the most misunderstood parts of deploying an IDS sensor. The axiom "if the switch port can't see the traffic, then neither can the IDS sensor" must be followed. A successful IDS sensor deployment requires that the sensor see all the traffic of interest wherever it has been placed on the network. To add to the fun of capturing traffic there are virtual LANs (VLANs), and to kick up the anxiety level a notch, there are VPNs, SSL, and IP version 6. All of this must be accounted for when rolling out IDS sensors.

In the old days of networks, there were hubs, also called "transparent bridges." These were very simple devices, and it was easy to sniff or capture traffic because the traffic went everywhere. With the advent of switching, however, life became more difficult. A switch is nothing more than a set of single-port transparent bridges tied together in a common chassis. The collision domain has been broken up, but the broadcast domain has not. This is why on a switched network you can capture broadcast traffic till the cows come home but not much else. We will show you in this chapter how to get around this troublesome improvement in network design.

Of course, there are VLANs, which thankfully many IDS sensors can work with, but this is not true of encryption. It is almost impossible to use an IDS sensor on encrypted traffic, and encryption comes in a lot of flavors nowadays: SSL, VPNs, IPSec, SSH, and many others. To capture traffic effectively, we must be aware of these limitations and how to get around them.

One of the newest kinks in the world of IDS sensors capturing traffic is the deployment of IP version 6. While it is still not a very mainstream issue, it will be in the coming years, and we need to be aware of it now.


Note

To verify that the monitoring interface actually sees traffic, use the Solaris snoop command:

    snoop -d [name of interface]

For a 4230 IDS sensor, the Ethernet interface name is spwrX, as shown in the following example:

    snoop -d spwr0 ; where spwr0 is the monitor interface, and
    snoop -d spwr1 ; where spwr1 is the control interface

For Token Ring, the interface name is mtok36, and for FDDI, the interface name is ptpci.

For a 4210 IDS appliance sensor, the Ethernet interface name is different, as shown next:

    snoop -d iprb0 ; where iprb0 is the monitor interface, and
    snoop -d iprb1 ; where iprb1 is the control interface

Use Ctrl-C to break out of snoop.
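Seeing frames scroll by in snoop is not the same as seeing the traffic of interest: on a switched network without port mirroring, the monitor interface will show broadcasts and little else, exactly the situation the introduction warns about. The following shell script is an added example, not part of the original page or of any Cisco tooling; it classifies the frames in a snoop summary capture as broadcast/multicast versus unicast, and flags an interface whose capture is empty or broadcast-only. It assumes snoop's summary lines take the form "<src> -> <dst> <protocol> ..." with broadcast destinations shown as "BROADCAST" or "*"; the sample captures and the addresses in them are constructed for illustration, and the snoop flags used (-d, -c) are real.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes snoop summary lines
# look like "<src> -> <dst> <proto> ..."; sample captures below are constructed.

# classify_capture <file>: prints "total=N broadcast=B unicast=U"
classify_capture() {
    awk '
        # field 1 = source, field 2 = "->", field 3 = destination
        $2 == "->" {
            total++
            # BROADCAST, "*", or an IPv4 multicast group (224.0.0.0/4)
            if ($3 == "BROADCAST" || $3 == "*" || $3 ~ /^2(2[4-9]|3[0-9])\./) bcast++
            else ucast++
        }
        END { printf "total=%d broadcast=%d unicast=%d\n", total, bcast, ucast }
    ' "$1"
}

# sensor_sees_traffic <file>: succeeds only if unicast frames were captured,
# i.e. the switch port is actually delivering the traffic of interest.
sensor_sees_traffic() {
    u=$(classify_capture "$1" | sed 's/.*unicast=//')
    [ "${u:-0}" -gt 0 ]
}

# Live check for a real sensor (not exercised here): capture 200 frames from
# the monitor interface in summary mode and judge the result.
check_monitor_interface() {
    if="$1"; tmp=$(mktemp)
    snoop -d "$if" -c 200 > "$tmp" 2>/dev/null
    if sensor_sees_traffic "$tmp"; then echo "$if: sees unicast traffic"
    else echo "$if: empty or broadcast-only capture; check SPAN/port mirroring"; fi
    rm -f "$tmp"
}

# Constructed sample captures (not real snoop output) for offline testing.
SAMPLE_BCAST_ONLY=$(mktemp)
cat > "$SAMPLE_BCAST_ONLY" <<'EOF'
   10.1.1.5 -> BROADCAST    ARP C Who is 10.1.1.1, 10.1.1.1 ?
   10.1.1.7 -> BROADCAST    UDP D=137 S=137 LEN=58
          ? -> *            ETHER Type=0806 (ARP), size = 60 bytes
EOF
SAMPLE_MIRRORED=$(mktemp)
cat > "$SAMPLE_MIRRORED" <<'EOF'
   10.1.1.5 -> BROADCAST    ARP C Who is 10.1.1.1, 10.1.1.1 ?
   10.1.1.5 -> 10.1.1.20    TCP D=80 S=40123 Syn Seq=1 Len=0 Win=65535
  10.1.1.20 -> 10.1.1.5     TCP D=40123 S=80 Syn Ack=2 Seq=9 Len=0 Win=8760
EOF
```

On a sensor, run check_monitor_interface with the monitor interface name from the note above (spwr0 or iprb0); a broadcast-only result means the switch port is not mirroring the traffic, not that the sensor is broken.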

