PIX 501 Packet Capture

Status
Not open for further replies.

OWCUIT

IS-IT--Management
May 11, 2006
14
US
After reading the Cisco PIX Firewall Release Notes, Version 6.2(1), I found that PIX version 6.2(1) supports packet capture. I'm running a 501, Version 6.3(1). I've been looking for some kind of guide showing how to capture packets but haven't had any luck. SNMP is already enabled, and we're using it to graph bandwidth use at our other office, and also to alert us if that office goes down for some reason. What would I need to do to set up packet capture?

I'd appreciate any help!

As always, thanks!
 
Hi,

Have you looked into using open source software (Ethereal) to do packet capture, or a network tap hardware device for this solution?
 
We actually considered using Ethereal; however, there are about 3 switches, 2 firewalls, a couple of routers, and a VPN between us.

I actually found the PIX Firewall and VPN Configuration Guide for Version 6.3(1), and it explains packet capture, so I think I can guess my way through it. :)

If anyone knows where a guide is, I'd be happy to look at it.

I appreciate your help!
 
The PIX command CAPTURE is a very valuable tool, especially in troubleshooting.
What you do is this:
1. Create an ACL for, let's say, an inside host you want to track, like this:
access-list cap1 permit ip any host INSIDEHOSTRACKED
access-list cap1 permit ip host INSIDEHOSTRACKED any

2. Simply type in capture and hit enter; observe the help syntax.
Enable capture like this:
capture CAPNAME access-list cap1 interface inside packet-length 1500

Verify with show cap CAPNAME

When you are done, and you have downloaded and installed Ethereal, issue a copy capture command like this:
copy capture:CAPNAME tftp://10.10.10.10/insidehost.cap pcap

Remember the pcap!

Go to your tftp folder and click on the cap file, so it opens in Ethereal.
Voila ...

HTH
Martin

 
Thanks Martin. I worked on it using Cisco's fairly vague "configuration guide" for the better part of the day and couldn't get anywhere. I knew I was missing something, but I wasn't sure what. I noticed nowhere in there do they give acceptable variables for "interface", although I assumed it had to be along the "inside/outside" lines.

I appreciate you spelling it out for me. If it were tomorrow I probably would have figured it out, but today was kind of a long day. Thanks for the extra help :)
 
OK, I've got it set up so that I'm capturing all the traffic that comes through. Let me explain the situation. We run 2 terminal servers using RDP for everyone to connect to our servers. The issue we're running into is that people at a certain office (one of 3 of them) have figured out they can minimize the remote desktop session and use Internet Explorer without "getting caught", or so they think. The problem is, we have SNMP set up to graph all traffic to and from our offices, and when traffic spikes don't match, we know they're doing it.
What we're wanting to do is to NOT capture the VPN traffic, but JUST the port 80 (HTTP) traffic. I'm a little bit rough when it comes to PIX commands. If anyone could help me with the access-list commands to do this, I'd appreciate it. I'll try and figure it out, but if anyone knows, any help would be much appreciated. Thanks!
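An added example, not configuration from Martin or OWCUIT, showing the capture procedure described earlier in the thread narrowed to HTTP as asked here. The capture name, ACL name, host and TFTP addresses and file name are assumed placeholders, and lines starting with ! are comments for the reader, not commands.

```cisco
! Constructed example for PIX 6.3: capture only TCP port 80 in both directions.
! Capture ACLs select what is copied into the buffer; ESP (IP protocol 50) and
! ISAKMP (UDP 500) from the VPN do not match a TCP port 80 entry, so the
! encrypted tunnel traffic is simply never captured.
access-list cap80 permit tcp any any eq www
access-list cap80 permit tcp any eq www any

! To watch one inside host instead, name it (10.1.1.25 is a placeholder):
! access-list cap80 permit tcp host 10.1.1.25 any eq www
! access-list cap80 permit tcp any eq www host 10.1.1.25

! Start the capture on the inside interface. packet-length 1500 keeps whole
! frames; buffer caps the memory the capture may use on the PIX.
capture http80 access-list cap80 interface inside packet-length 1500 buffer 500000

! Confirm the ACL is matching and the buffer is filling:
show capture http80

! Save the buffer in pcap format for Ethereal (TFTP address is a placeholder):
copy capture:http80 tftp://10.10.10.10/http80.cap pcap

! When done, empty the buffer and remove the capture so it is not left running.
clear capture http80
no capture http80
```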
 
I know someone mentioned open source items and I am in the same boat as that person. Why not use some open source software like Ethereal or Snort? An IDS is very simple to implement and Snort is relatively easy to set up in a network. It will allow you to capture all sorts of traffic, on a separate box, so no need to worry about different rules on the ACL of that PIX. Just a thought.
 
We actually considered Ethereal, but the office is 200 miles away, and we've got a ton of equipment keeping us from doing so. Even if we had a good switch that would allow us to echo the packets to a different port, we still wouldn't be able to do it because of the equipment and distance between us.

We've got an office 17 miles away from here where I'll just have to try my guesswork with the access lists, and we'll go from there. I appreciate everyone's help though!
 
CAPTURE can be a great troubleshooting tool, but you want to be careful running it all the time on a PIX. If the device is already very busy, you can push it over the edge running CAPTURE.
 
Thanks for the tip SynAckAck. We don't push too much traffic through them. We run everything off a 2003 Terminal Server, so everything that gets run through the VPN on RDP is fairly "thin", pun intended.

I appreciate the tip though. We log all the traffic using STG so we can see who's passing how much traffic, and we typically don't go over 15% of our bandwidth unless someone's breaking the rules. :) I think I've got the access-lists set up to filter out the ISAKMP traffic. I appreciate all the help and tips; they really help, especially since I'm pretty new at this.
 