Configuring 4255 sensor in promiscuous mode

Similar Messages

• Configuring IDSM-2 Promiscuous Mode with MLS IP IDS

  I am having a problem configuring promiscuous mode with an IDSM-2 running 5.0(3)S181.0 in a 6509 with Sup 720 running IOS 12.2(18)SXD4. I am running router interfaces without VLANs so I have created an extended access list with a 'permit ip any any' and configured this on my interfaces with 'mls ip ids access-list-name'. I configured 'intrusion-detection module x data-port 1 capture' and 'intrusion-detection module x data-port 2 capture', and because of the caution note on page 14-12 of 78-16127-01 I also configured 'intrusion-detection module x data-port 1 capture allowed-vlan 1-4094' and 'intrusion-detection module x data-port 2 capture allowed-vlan 1-4094'. After that I can see the output counters rising in 'show 'intrusion-detection module x data-port 1 traffic' and 'show 'intrusion-detection module x data-port 2 traffic'. I can configure the IDSM-2 using the VMS management center, and I added my sensor to security monitor and set the level down to informational, but I don't even see any events or even the start-up informational message. Anyone have any idea what I missed?

  Here is a document on Configuring the Catalyst Series 6500 Switch for IDSM-2 in Promiscuous Mode.
  http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_guide_chapter09186a0080459221.html#wp1030752

• Configuring IDSM in promiscuous mode?

  Hello,
  I have two switch catalyst 6500 in VSS each with a IDSM module, I want monitor four VLANs three of them are vlans of users and one of servers, I am planning use VACLs to capture the traffic.
  My first quetion is how to configure the data ports of IDSM in promiscuous mode, if in the configuration guide say that by default the data ports are in promiscuous mode, so that means that I don't have to make any configuration in the data ports of IDSM?
  Second, if I have two switches 6500 in vss each with a IDSM module, I have to consider other configurations for this situation?
  The configuration of VACL that I will put is:
  ip access-list extended ACL_IPS
    permit ip any any
  vlan access-map VACL_IPS 10
    match ip address ACL_IPS
    action forward
  vlan filter VACL_IPS vlan-list 30 , 40 , 50 , 100
  intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100
  intrusion-detection switch 1 module 4 data-port 1 capture
  intrusion-detection switch 1 module 4 data-port 1 autostate include
  intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100
  intrusion-detection switch 2 module 4 data-port 1 capture
  intrusion-detection switch 2 module 4 data-port 1 autostate include
  Thanks for the help.

  The IDSM doesn;t need any special commands to inspect traffic in Promiscious mode.
  You'll want to put your IDSM management interfaces on a VLAN to talk with them:
  intrusion-detection module 4 management-port access-vlan 99
  Use the "forward capture" switch:
  vlan access-map VACL_IPS 10
    match ip address ACL_IPS
    action forward capture
  Get rid of the spaces between your VLAN numbers
  vlan filter VACL_IPS vlan-list 30,40,50,100
  If you put two IDSMs in teh same chassis you'll need to decide how to split traffic between them. You can assign different VLANs to each IDSM.
  - Bob

• Does the apple thunderbolt to ethernet dongle support promiscuous mode ?

  Does the apple thunderbolt to ethernet dongle support promiscuous mode ?
  I need to use the new Retina MBP as a professional laptop for work, and I need to use Etherreal. Etherreal needs the Ethernet card/dongle/chip to run in Promiscuous mode. I have heard that unblivably the thunderbolt Ethernet dongle does not support this, if so then the laptop will not pick all the packets on the wire... is this true ?
  Regs Mark.

  Hi Clinton,
  Thanks for your reply, However the promiscuous mode function that I am after is a function of the Ethernet NIC hardware and driver not just the OS.
  Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic.
  Anyone out there actually used/tested the thunderbolt Ethernet adapter to sniff traffic with wireshark (Ethereal), can you please  if it can run in promiscuous mode ?
  Thanks.

• UCCX on VMWare needs ethernet promiscuous mode?

  Hello all,
  Just noticed something in the vmware host logs:
  2013-06-08T16:29:52.001Z cpu20:14694)etherswitch: L2Sec_EnforcePortCompliance:153: client ccx.eth0 requested promiscuous mode on port 0x4000024, disallowed by vswitch policy                
  And that's expected, because the default configuration of the vswitch denies ethernet promiscuous mode.
  Now the question is - does the virtual UCCX need promiscuous mode at all? I would expect to see it as a specific note in the documentation if it would. The docwici for UC on UCS is quite detailed and it get's bigger and bigger every day.
  I suppose the promiscuous mode is related somehow to call monitoring and recording, but is it really a requirement? I am using Desktop Based monitoring and recording. UCCX version 9.0.2.10000-71

  Hi,
  Please check your recording options.
  If it set not to spanless recording,you'll have allow promiscuous mode and rspan vlans.

• Ethernet Card in promiscuous mode

  Hello,
  I have a Powerbook G4 15p (1.25GHz) and I want to capture network trafic on a cisco trunk port.
  It works fine but I have no informations concerning vlan tags : is it possible to configure the Ethernet driver in promiscuous mode ?
  Best Regards,
  Guillaume
  Edit : same problem as describe here : http://support.intel.com/support/network/sb/cs-005897.htm

  I was thinking of a network driver option : How can I know what sort of network chipset is on my powerbook ?
  If I look to /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns, I can see this :
  Apple3Com3C90x.kext AppleDP83816Ethernet.kext AppleRTL8139Ethernet.kext
  AppleBCM440XEthernet.kext AppleGMACEthernet.kext AppleRTL8169Ethernet.kext
  AppleBCM5701Ethernet.kext AppleIntel8254XEthernet.kext Apple_DEC21x4Ethernet.kext
  AppleBMacEthernet.kext AppleIntel8255x.kext
  and there is the possibility to update an xml config file on some driver modules
  Here is the result of my kextstat :
  34 3 0x2dd90000 0x1f000 0x1e000 com.apple.iokit.IONetworkingFamily (1.5.0) <6 5 4 3 2>
    Mac OS X (10.4.3)  

• IDSM-2 - Promiscuous Mode

  I would like my IDSM-2 to run in a Promiscuous Mode ( and not INLINE mode)
  How can i configure it so that it works on the - " Block Nothing,Monitor Everything" principle.
  I need the blade to "Never" block the upstream devices like routers and Firewalls.
  By the way,how will the IDSM running in Promiscuous Mode even "know" of upstream routers and other network devices.
  Thanks !!!

  Hi,
  You can find how to configure IDSM-2 to run promiscuous mode here.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030752
  From there, you can find IOS vs. CatOS configuration as well as SPAN vs. VACL.
  Once that is done, you can find configuration guide here regarding IPS software. I will list both CLI and IDM in case you prefer one over the other...
  CLI -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1033699
  IDM -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf4c2.html#wp1031960
  In promiscuous mode, unless you configure blocking with blocking device, it will never block anything by default. Even with blocking, you can configure never-block addresses.
  CLI -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df77.html#wp1031471
  IDM -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804d1374.html#wp1037905
  IDSM will not know about which is what (upstream routers and other network devices) unless you specify them in 'never block' or 'blocking devices'
  Thank you.
  Edward

• Configuring Weblogic Domain in Offline Mode

  Hi,
  I wrote a java code which invoke wlst command required for configuring weblogic domain in offline mode.
  please give any idea even i do not know exactly what are the required jar file but i have used weblogic.jar,wlfullclient.jar,jython.jar,and some jar files from modules folder which has given in someone post
  i am getting the following error
  java.lang.reflect.InvocationTargetException
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at weblogic.management.scripting.utils.WLSTUtil.initOfflineContext(WLSTUtil.java:291)
  at weblogic.management.scripting.utils.WLSTUtil.setupOfflineInternal(WLSTUtil.java:267)
  at weblogic.management.scripting.utils.WLSTUtil.setupOffline(WLSTUtil.java:234)
  at weblogic.management.scripting.utils.WLSTInterpreter.<init>(WLSTInterpreter.java:134)
  at weblogic.management.scripting.utils.WLSTInterpreter.<init>(WLSTInterpreter.java:76)
  at DomainConfiguration.<init>(DomainConfiguration.java:15)
  at DomainConfiguration.main(DomainConfiguration.java:61)
  Caused by: java.lang.NoClassDefFoundError: com/oracle/cie/wizard/ControllerProxy
  at java.lang.Class.getDeclaredMethods0(Native Method)
  at java.lang.Class.privateGetDeclaredMethods(Class.java:2427)
  at java.lang.Class.getMethod0(Class.java:2670)
  at java.lang.Class.getMethod(Class.java:1603)
  at com.oracle.cie.domain.AbstractManager.getInstanceObject(AbstractManager.java:88)
  at com.oracle.cie.domain.AbstractManager.load(AbstractManager.java:46)
  at com.oracle.cie.domain.ConfigManager.<clinit>(ConfigManager.java:37)
  at com.oracle.cie.domain.DomainConstants.<clinit>(DomainConstants.java:20)
  at com.oracle.cie.domain.script.jython.WLScriptContext.init(WLScriptContext.java:220)
  at com.oracle.cie.domain.script.jython.WLScriptContext.setup(WLScriptContext.java:162)
  at com.oracle.cie.domain.script.jython.WLST_offline.setupContext(WLST_offline.java:105)
  ... 11 more
  thanks in advance

  Hi,
  Make sure that you have weblogic.jar and jython-modules.jar
  You will find weblogic.jar under %BEA_Home% / server / lib
  and you will find jython-modules.jar under %BEA_Home% / common / wlst/modules
  Regards,
  Kal

• INST-07408: Unable to install or configure the product on a 32-bit JVM on a 64-bit machine. Make sure to install and configure the product in supported modes.

  Hi there, i have an issue installing oracle forms and reports. its throwing this error"INST-07408: Unable to install or configure the product on a 32-bit JVM on a 64-bit machine. Make sure to install and configure the product in supported modes." on step 5. I have jdk 64bit installed, weblogic server was installed successfully but iam getting stuck somehow.
  Below are details of my pc.
  OS Name    Microsoft Windows 7 Professional
  Version    6.1.7601 Service Pack 1 Build 7601
  Other OS Description     Not Available
  OS Manufacturer    Microsoft Corporation
  System Name   ...........-HP
  System Manufacturer    Hewlett-Packard
  System Model    HP ProBook 4530s
  System Type    x64-based PC
  Processor    Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz, 2501 Mhz, 2 Core(s), 4 Logical Processor(s)
  BIOS Version/Date    Hewlett-Packard 68SRR Ver. F.23, 09/03/2012
  SMBIOS Version    2.6
  Windows Directory    C:\windows
  System Directory    C:\windows\system32
  Boot Device    \Device\HarddiskVolume1
  Locale    United Kingdom
  Hardware Abstraction Layer    Version = "6.1.7601.17514"
  User Name    ...........-HP\................
  Time Zone    South Africa Standard Time
  Installed Physical Memory (RAM)    4.00 GB
  Total Physical Memory    3.94 GB
  Available Physical Memory    1.00 GB
  Total Virtual Memory    7.87 GB
  Available Virtual Memory    1.25 GB
  Page File Space    3.94 GB
  Page File    C:\pagefile.sys

  To clarify further....  It is important to note that Forms/Repors 11.1.2.x software (including WLS and JDK) must be of the same archetecture as the machine.  In other words, you cannot use the 32bit Forms/Reports 11.1.2 software on 64bit Windows.  If you are using a 64bit OS, you must install the 64bit software.  Again, this would include Forms/Reports, WLS, and JDK

• Does the Intel 82579LM NIC on the Portege R830 support Promiscuous mode?

  Hi,
  I've got a work laptop (Portege R830), which doesn't want to sniff packets. I've got it connected to a Netgear Hub (DS104), along with an older notebook, and then uplink to ADSL.
  Running a continuous ping to the default gateway and Wireshark on both devices and the other computer can see the pings from the Toshiba, but not vice-versa.
  The Toshiba is running as an Administrator account, has the Windows Firewall disabled, and my Symantec End Point Encryption disabled. I don't have any other AV to my knowledge.
  Does anyone have any ideas of services I should disable/enable, or knowledge of the features of this NIC?
  According to the Intel site "Yes, all currently marketed Intel PRO/100, Intel PRO/1000, Intel Gigabit, Intel PRO/10 Gigabit, and Intel 10 Gigabit adapters support Promiscuous mode. " But the Intel 82579 Gigabit Ethernet Controller is not in the list that follows on; http://www.intel.com/support/network/sb/CS-004185.htm?wapkw=%28promiscuous%29
  Thanks for your time.

  Usually the firewall or Internet Security software blocks pings so perhaps try uninstalling Symantec completely. Just disabling it may not disable everything.
  Another thing to try is use a Static IP Address instead of DHCP. Disabling IPv6 or installing a newer LAN driver from the Intel website may also help.

• Using promiscuous mode to collect UDP data

  Is it possible to set a NIC in promiscuous mode and to pull all UDP data?
  I have created a VI to listen to data coming across a specific UDP port, this work perfect for one device when I specify the NIC IP address.
  My challenge is I have multiple devices with different IP addresses/networks, that I have to switch between. Every time I switch I need to reconfigure my NIC IP address to capture the data. I would like all data to pass through regardless of IP address. Does LabView support this?
  Thanks

  No, LabVIEW does not natively support a way to put a network interface into promiscuous mode and capture all traffic. You'll either need to use a packet sniffer like Wireshark to capture to a file, and then process it later, or use other libraries. A starting point might be http://zone.ni.com/devzone/cda/epd/p/id/2660

• I don't Configuring Access Manager in SSL Mode

  i only install am7.1 and ws7.0 in windows2003 pack 1.
  then, i read "Sun Java SystemAccess Manager 7.1 Postinstallation Guide" .
  it said that "Login to theWeb Server console.The default port is 8888." but i can't find the default port .
  i think my web server console's default port is 8989.

  Hi,
  As a part of my requirement, I need to Configure Access Manager in SSL Mode. For that, I followed all the steps(Change http to https in web server instance in Access Manager, Install Certificate, Modify AMConfig.properties) mentioned in the PostInstallation Guide of Sun Access Manager to configure the SSL using Selfsigned certificate. so, after doing all these steps, as soon as the hit the Access Manager URL httsp://machinename:portno/amserver/UI/Login, it shows "page cannot be displayed" error. I have checked the web server with SSL enabled in it and its running fine.
  On one of forum post, I read that you need to set this property to true "com.sun.am.jssproxy.trustAllServerCerts" if you are not installing the ROOTCA certificate however this is not listed in the AM documentation.
  Any help on this would be highly appreciated. Let me know if am missing any steps.

• How to Set HyperV NIC in Promiscuous Mode

  Is there any way to set up a NIC on a virtual HyperV guest in promiscuous mode?
  I want to try and run a web filtering product on a VM. Wireshark does not indicate that it is capturing all traffic.
  I have my switch port mirrored already and it works with a regular box but not with the VM.
  Any help would be appreciated.
  Thanks,
  Andy

  I was able to make wireshark capture all the packets.
  I followed this post:
     http://fixmyitsystem.com/2013/08/Remote-Wireshark.html
  The only diference is that use and Internal Virtual Network  to connect from the
  guest to the host.
  My hyper-v host IP, for this network is 169.254.107.1 (check yours by doing ipconfig)
  and the Guest is 169.254.107.20
  Steps:
    - Just get rpcapd (http://nmap.org/dist/nmap-6.40-win32.zip).
    - Unzip it and install it on the hyper-v host
      Open PowerShell
      Enter-pssession Coremachine    
      Silently install: winpcap-nmap-4.02.exe /S
    - Next up you will have to create a firewall exception for
      this to be reachable from the management machine.
      netsh advfirewall firewall add rule name="Remote WinPcap" dir=in action=allow protocol=TCP localport=any remoteip=169.254.107.20
      (to turn on  the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=yes
      (to turn off the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=no
    - Navigate to C:\Program Files\WinPcap
      To start to packet capture service use
          .\rpcapd.exe -p 2002 -n
    - Get the GUID of the network card you want to use in WireShark  
        wmic nic where PhysicalAdapter="TRUE" get Description,GUID,MACAddress,Name,NetConnectionID
    - on wireshark
      Select Capture Options
      Click Manage Interfaces
      Select Local Interfaces tab and check the Hide box next to all of them
      Select remote Interfaces tab
      Click add button
      For the host specify the hostname or IP Address  
          (I use an internal network to conect to the host)
           My host IP is 169.254.107.1 and the Guest is 169.254.107.20
      The port default is 2002 (set with the -p switch earlier)
      Null authentication as set with the -n switch earlier
      OK
      You should now see a number of interfaces added
      Click Close
    - There will be a buffer size warning but it can be ignored, and hey presto,
      you are capturing packets from a remote  non GUI machine.  
      The process from here on in is the same as you would use WireShark with
      local traffic capture.

• Macbook pro (june 2010) airport promiscuous mode

  Hi all,
  For my network security course, I have to sniff a wireless network.
  Is it possible to put the airport extreme in promiscuous mode? When I use wireshark and select the "capture packets in promiscuous mode" I can only see my own traffic...Although when I check my "en1" status in ifconfig, I see that the "promisc" flag is set..strange
  I've put the wpa/psk password in wireshark so that's not the problem.
  So my final question is, does the promiscuous mode on airport extreme work on a 2010 macbook pro?

  flawlessnyc wrote:
  Of course it's my network and devices. And I'm interested in email accounts. As a parent . . . . well ya gotta be diligent.
  Look at the devices - how are they accessing the email?
  If it is via webmail in the browser (or a 'browser based' app) look for account setting to only use https. Some providers will only allow login via https which is secure, http is not secure, these can usually be 'forced' with account settings.
  When logged in does the website remain on https, if it goes to http instead the email content could be visible on that network. Bookmark the https url for the child, and remove any http urls for the same site so they are less likely to use http by accident. Explain to the kids why the 'green lock' in the address bar (indicates https) is important for reading email or any other 'private' data.
  Do the same with search engines (so their searches may be 'invisible' to the local network).
  If they are using an email client like Apple Mail check the settings again for each mail server, there are options to only use the specific server, and only use secure protocols (SSL,TLS…). That should prevent the mail being sent in plain text across the network, however email is inherently insecure as a service (it bounces from mail server to mail server with to & from addresses visible) so the kids may be better off using iMessage or another chat service that has some level of encryption / privacy.
  You can try viewing the network traffic to find passwords for these services, but it is very involved…
  Monitor in promiscous mode on the same wifi channel as the network.
  Decrypt the wifi traffic (you need the network key for this since wifi itself is encrypted (WEP, WPA, WPA2 etc)
  Look for the email traffic & recombine the packets to follow the conversation, but you still cannot read https traffic.
  All you will be able to find is passwords or form values for websites that do not use https.
  There are other things they should be careful with - like avoiding unknown/ open/ free wifi networks. Even cellular towers can be malicious nowadays, so disabling cellular data could help them be a little more secure. They should also avoid accepting certificates or 'profiles' to connect to any network.
  I'm not sure that watching packets in the air will get you better results any quicker that learning how to secure the settings on each device, pass on the info to the kids & eventually they will start to get it
  P.S
  You may be able to lock settings via parental controls. iOS has 'restrictions' within the Settings app. Just use them carefully otherwise they will nag you about being unable to take a photo or use maps etc!

• Enable monitor/promiscuous mode on Cisco Atheros AR5001X+

  I have a Cisco Aironet Atheros AR5001X+ wireless card installed on an HP laptop running Ubuntu 8.10. The card is working and I would like to know how to enable monitor/promiscuous mode on it so that I can use wireshark to capture network traffic at work. I would also like to know if I can enable the card in monitor/promiscuous mode in Windows XP and how? Any help would be appreciated, thanks.

  in a console window:
  sudo ifconfig ath0 PROMISC
  password:
  it should be ath0 for an atheros chip, but may be wlan0 or something else
  you will need to install Winpcap for windows
  http://www.winpcap.org/')">http://www.winpcap.org/