On a typical Linux box, we capture network traffic with tcpdump like this:
# tcpdump -i eth0
However, on the Sourcefire IDS box, the network interfaces appear not to be configured (no IP address, no TX traffic). See the ifconfig output below.
eth0 Link encap:Ethernet HWaddr 01:0A:0B:FB:CD:39
BROADCAST MULTICAST MTU:1518 Metric:1
RX packets:83477 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:614 (16.5 Mb) TX bytes:0 (0.0 b)
Memory:f2e20000-f2e40000
After checking on Google: you can't dump on ethX. You need to dump from fpX instead, where eth0 corresponds to fp0, eth1 to fp1, and so on.
That's it.
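As an added example (not from the original post or from Sourcefire), here is the ethX-to-fpX rule above wrapped in a small POSIX shell helper: it maps an ethN name to the matching fpN interface, checks that the interface is known to the kernel before starting, and runs a bounded capture to a pcap file. The script name capture.sh, the /sys/class/net existence check, and the assumption that fp interfaces follow the same numbering for two-digit indices are mine, not something the post states.

```shell
#!/bin/sh
# capture.sh (added example, not from the original post): capture on a Sourcefire
# sensor by translating the ethN name an operator would type into the fpN
# interface that tcpdump actually has to read from.

# map_iface NAME -> prints the interface tcpdump should use.
# ethN becomes fpN (as described in the post); any other name is passed through.
# Two-digit indices (eth10 -> fp10) are an assumption, not stated in the post.
map_iface() {
    case "$1" in
        eth[0-9]|eth[0-9][0-9])
            printf 'fp%s\n' "${1#eth}"
            ;;
        *)
            printf '%s\n' "$1"
            ;;
    esac
}

# iface_exists NAME -> succeeds if the kernel exposes the interface in sysfs.
# Assumes a Linux userland with /sys mounted (true for the sensor shown above).
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# capture_cmd NAME COUNT OUTFILE -> prints (does not run) the tcpdump command
# line for the mapped interface, so it can be reviewed or logged first.
#   -nn  no host/port name resolution (no DNS noise from the sensor)
#   -s 0 capture full packets
#   -c   stop after COUNT packets, so a forgotten capture cannot fill the disk
capture_cmd() {
    printf 'tcpdump -i %s -nn -s 0 -c %s -w %s\n' "$(map_iface "$1")" "$2" "$3"
}

# run_capture NAME COUNT OUTFILE -> verifies the mapped interface exists, then
# runs the capture. Arguments are passed individually (no eval, no word splitting).
run_capture() {
    fp_if=$(map_iface "$1")
    if ! iface_exists "$fp_if"; then
        echo "interface $fp_if not found; interfaces known to the kernel:" >&2
        ls /sys/class/net >&2
        return 1
    fi
    echo "running: $(capture_cmd "$1" "$2" "$3")" >&2
    tcpdump -i "$fp_if" -nn -s 0 -c "$2" -w "$3"
}

# Usage: ./capture.sh [ethN] [count] [outfile]; defaults to eth0, 1000 packets.
# Only runs when executed directly as capture.sh, not when sourced for testing.
if [ "${0##*/}" = "capture.sh" ]; then
    run_capture "${1:-eth0}" "${2:-1000}" "${3:-/tmp/capture-$(map_iface "${1:-eth0}").pcap}"
fi
```

Running `sh capture.sh eth1 500 /tmp/eth1.pcap` on the sensor prints the translated command (`tcpdump -i fp1 ...`) to stderr and then captures 500 packets from fp1; if fp1 does not exist it lists the interfaces the kernel does know about instead of letting tcpdump fail with a less helpful error.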
Tuesday, September 17, 2013
How to capture network traffic using tcpdump on Sourcefire IDS box