Enable monitor/promiscuous mode on Cisco Atheros AR5001X+

Similar Messages

• IDSM-2 - Promiscuous Mode

  I would like my IDSM-2 to run in a Promiscuous Mode ( and not INLINE mode)
  How can i configure it so that it works on the - " Block Nothing,Monitor Everything" principle.
  I need the blade to "Never" block the upstream devices like routers and Firewalls.
  By the way,how will the IDSM running in Promiscuous Mode even "know" of upstream routers and other network devices.
  Thanks !!!

  Hi,
  You can find how to configure IDSM-2 to run promiscuous mode here.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030752
  From there, you can find IOS vs. CatOS configuration as well as SPAN vs. VACL.
  Once that is done, you can find configuration guide here regarding IPS software. I will list both CLI and IDM in case you prefer one over the other...
  CLI -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1033699
  IDM -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf4c2.html#wp1031960
  In promiscuous mode, unless you configure blocking with blocking device, it will never block anything by default. Even with blocking, you can configure never-block addresses.
  CLI -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df77.html#wp1031471
  IDM -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804d1374.html#wp1037905
  IDSM will not know about which is what (upstream routers and other network devices) unless you specify them in 'never block' or 'blocking devices'
  Thank you.
  Edward

• Configuring IDSM-2 Promiscuous Mode with MLS IP IDS

  I am having a problem configuring promiscuous mode with an IDSM-2 running 5.0(3)S181.0 in a 6509 with Sup 720 running IOS 12.2(18)SXD4. I am running router interfaces without VLANs so I have created an extended access list with a 'permit ip any any' and configured this on my interfaces with 'mls ip ids access-list-name'. I configured 'intrusion-detection module x data-port 1 capture' and 'intrusion-detection module x data-port 2 capture', and because of the caution note on page 14-12 of 78-16127-01 I also configured 'intrusion-detection module x data-port 1 capture allowed-vlan 1-4094' and 'intrusion-detection module x data-port 2 capture allowed-vlan 1-4094'. After that I can see the output counters rising in 'show 'intrusion-detection module x data-port 1 traffic' and 'show 'intrusion-detection module x data-port 2 traffic'. I can configure the IDSM-2 using the VMS management center, and I added my sensor to security monitor and set the level down to informational, but I don't even see any events or even the start-up informational message. Anyone have any idea what I missed?

  Here is a document on Configuring the Catalyst Series 6500 Switch for IDSM-2 in Promiscuous Mode.
  http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_guide_chapter09186a0080459221.html#wp1030752

• Configuring 4255 sensor in promiscuous mode

  I have a 4255 with 3 interfaces that connect to a 6500 series switch. The IPS interfaces are set to promiscuous mode with a defualt vlan specified.
  On the switch side, I would like to send the traffic from more than one vlan to the sensor GE interfaces. What is the best way to do this?
  Do I set up a monitor session on the switch with a source of multiple vlans, then set the destination as one of the sensor ports?
  I also see the option to do a switchport capture.
  Any advice would be great

  You want to do a VACL capture on the 6500:
  http://www.cisco.com/c/en/us/support/docs/lan-switching/vlan-access-lists-vacls/89962-vacl-capture.html
  monitor session 50 source vlan 100 , 200
  monitor session 50 destination interface Fa3/30

• Does the Intel 82579LM NIC on the Portege R830 support Promiscuous mode?

  Hi,
  I've got a work laptop (Portege R830), which doesn't want to sniff packets. I've got it connected to a Netgear Hub (DS104), along with an older notebook, and then uplink to ADSL.
  Running a continuous ping to the default gateway and Wireshark on both devices and the other computer can see the pings from the Toshiba, but not vice-versa.
  The Toshiba is running as an Administrator account, has the Windows Firewall disabled, and my Symantec End Point Encryption disabled. I don't have any other AV to my knowledge.
  Does anyone have any ideas of services I should disable/enable, or knowledge of the features of this NIC?
  According to the Intel site "Yes, all currently marketed Intel PRO/100, Intel PRO/1000, Intel Gigabit, Intel PRO/10 Gigabit, and Intel 10 Gigabit adapters support Promiscuous mode. " But the Intel 82579 Gigabit Ethernet Controller is not in the list that follows on; http://www.intel.com/support/network/sb/CS-004185.htm?wapkw=%28promiscuous%29
  Thanks for your time.

  Usually the firewall or Internet Security software blocks pings so perhaps try uninstalling Symantec completely. Just disabling it may not disable everything.
  Another thing to try is use a Static IP Address instead of DHCP. Disabling IPv6 or installing a newer LAN driver from the Intel website may also help.

• Configuring IDSM in promiscuous mode?

  Hello,
  I have two switch catalyst 6500 in VSS each with a IDSM module, I want monitor four VLANs three of them are vlans of users and one of servers, I am planning use VACLs to capture the traffic.
  My first quetion is how to configure the data ports of IDSM in promiscuous mode, if in the configuration guide say that by default the data ports are in promiscuous mode, so that means that I don't have to make any configuration in the data ports of IDSM?
  Second, if I have two switches 6500 in vss each with a IDSM module, I have to consider other configurations for this situation?
  The configuration of VACL that I will put is:
  ip access-list extended ACL_IPS
    permit ip any any
  vlan access-map VACL_IPS 10
    match ip address ACL_IPS
    action forward
  vlan filter VACL_IPS vlan-list 30 , 40 , 50 , 100
  intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100
  intrusion-detection switch 1 module 4 data-port 1 capture
  intrusion-detection switch 1 module 4 data-port 1 autostate include
  intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100
  intrusion-detection switch 2 module 4 data-port 1 capture
  intrusion-detection switch 2 module 4 data-port 1 autostate include
  Thanks for the help.

  The IDSM doesn;t need any special commands to inspect traffic in Promiscious mode.
  You'll want to put your IDSM management interfaces on a VLAN to talk with them:
  intrusion-detection module 4 management-port access-vlan 99
  Use the "forward capture" switch:
  vlan access-map VACL_IPS 10
    match ip address ACL_IPS
    action forward capture
  Get rid of the spaces between your VLAN numbers
  vlan filter VACL_IPS vlan-list 30,40,50,100
  If you put two IDSMs in teh same chassis you'll need to decide how to split traffic between them. You can assign different VLANs to each IDSM.
  - Bob

• UCCX on VMWare needs ethernet promiscuous mode?

  Hello all,
  Just noticed something in the vmware host logs:
  2013-06-08T16:29:52.001Z cpu20:14694)etherswitch: L2Sec_EnforcePortCompliance:153: client ccx.eth0 requested promiscuous mode on port 0x4000024, disallowed by vswitch policy                
  And that's expected, because the default configuration of the vswitch denies ethernet promiscuous mode.
  Now the question is - does the virtual UCCX need promiscuous mode at all? I would expect to see it as a specific note in the documentation if it would. The docwici for UC on UCS is quite detailed and it get's bigger and bigger every day.
  I suppose the promiscuous mode is related somehow to call monitoring and recording, but is it really a requirement? I am using Desktop Based monitoring and recording. UCCX version 9.0.2.10000-71

  Hi,
  Please check your recording options.
  If it set not to spanless recording,you'll have allow promiscuous mode and rspan vlans.

• Ethernet Card in promiscuous mode

  Hello,
  I have a Powerbook G4 15p (1.25GHz) and I want to capture network trafic on a cisco trunk port.
  It works fine but I have no informations concerning vlan tags : is it possible to configure the Ethernet driver in promiscuous mode ?
  Best Regards,
  Guillaume
  Edit : same problem as describe here : http://support.intel.com/support/network/sb/cs-005897.htm

  I was thinking of a network driver option : How can I know what sort of network chipset is on my powerbook ?
  If I look to /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns, I can see this :
  Apple3Com3C90x.kext AppleDP83816Ethernet.kext AppleRTL8139Ethernet.kext
  AppleBCM440XEthernet.kext AppleGMACEthernet.kext AppleRTL8169Ethernet.kext
  AppleBCM5701Ethernet.kext AppleIntel8254XEthernet.kext Apple_DEC21x4Ethernet.kext
  AppleBMacEthernet.kext AppleIntel8255x.kext
  and there is the possibility to update an xml config file on some driver modules
  Here is the result of my kextstat :
  34 3 0x2dd90000 0x1f000 0x1e000 com.apple.iokit.IONetworkingFamily (1.5.0) <6 5 4 3 2>
    Mac OS X (10.4.3)  

• AuthZ Policy "Monitor Only" mode

  I have a question about the AuthZ Policy “Monitor Only” or "Audit" mode.  I want to test a new AuthZ policy by using “Monitor Only” mode, but I am not seeing any indication that my Test device is hitting the rule while in Monitor only mode… It ends up hitting our last default rule which is currently permit any.  If I actually enable the rule, I can see the device hitting the rule and getting denied in the Authentication log window.
  So I know the rule works, but I want to only monitor the rule for now to see what would get denied, so that we can assess how we want to handle auth for said devices.  According some info I found, I should be seeing an indication in the Auth log window that a rule was matched, if it is Monitor only mode.
  I am currently running ISE 1.3.0.876.
  Any help is appreciated

  I have had the same experience.  If you look at the AuthZ details for the connection, you will see under Other Attributes a special attribute returned named "RadiusAuthorizationPolicyMatchedMonitorRules," but as far as I know there is no way to run a report on it. Maybe someone else has a suggestion on it.
  What I do as a workaround is create a rule matching the conditions and create a special Authorization Profile for the rule that just has ACCESS_ACCEPT (not to break any traffic), then run a RADIUS Authentication report matching that Authorization Profile.

• How to Set HyperV NIC in Promiscuous Mode

  Is there any way to set up a NIC on a virtual HyperV guest in promiscuous mode?
  I want to try and run a web filtering product on a VM. Wireshark does not indicate that it is capturing all traffic.
  I have my switch port mirrored already and it works with a regular box but not with the VM.
  Any help would be appreciated.
  Thanks,
  Andy

  I was able to make wireshark capture all the packets.
  I followed this post:
     http://fixmyitsystem.com/2013/08/Remote-Wireshark.html
  The only diference is that use and Internal Virtual Network  to connect from the
  guest to the host.
  My hyper-v host IP, for this network is 169.254.107.1 (check yours by doing ipconfig)
  and the Guest is 169.254.107.20
  Steps:
    - Just get rpcapd (http://nmap.org/dist/nmap-6.40-win32.zip).
    - Unzip it and install it on the hyper-v host
      Open PowerShell
      Enter-pssession Coremachine    
      Silently install: winpcap-nmap-4.02.exe /S
    - Next up you will have to create a firewall exception for
      this to be reachable from the management machine.
      netsh advfirewall firewall add rule name="Remote WinPcap" dir=in action=allow protocol=TCP localport=any remoteip=169.254.107.20
      (to turn on  the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=yes
      (to turn off the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=no
    - Navigate to C:\Program Files\WinPcap
      To start to packet capture service use
          .\rpcapd.exe -p 2002 -n
    - Get the GUID of the network card you want to use in WireShark  
        wmic nic where PhysicalAdapter="TRUE" get Description,GUID,MACAddress,Name,NetConnectionID
    - on wireshark
      Select Capture Options
      Click Manage Interfaces
      Select Local Interfaces tab and check the Hide box next to all of them
      Select remote Interfaces tab
      Click add button
      For the host specify the hostname or IP Address  
          (I use an internal network to conect to the host)
           My host IP is 169.254.107.1 and the Guest is 169.254.107.20
      The port default is 2002 (set with the -p switch earlier)
      Null authentication as set with the -n switch earlier
      OK
      You should now see a number of interfaces added
      Click Close
    - There will be a buffer size warning but it can be ignored, and hey presto,
      you are capturing packets from a remote  non GUI machine.  
      The process from here on in is the same as you would use WireShark with
      local traffic capture.

• Macbook pro (june 2010) airport promiscuous mode

  Hi all,
  For my network security course, I have to sniff a wireless network.
  Is it possible to put the airport extreme in promiscuous mode? When I use wireshark and select the "capture packets in promiscuous mode" I can only see my own traffic...Although when I check my "en1" status in ifconfig, I see that the "promisc" flag is set..strange
  I've put the wpa/psk password in wireshark so that's not the problem.
  So my final question is, does the promiscuous mode on airport extreme work on a 2010 macbook pro?

  flawlessnyc wrote:
  Of course it's my network and devices. And I'm interested in email accounts. As a parent . . . . well ya gotta be diligent.
  Look at the devices - how are they accessing the email?
  If it is via webmail in the browser (or a 'browser based' app) look for account setting to only use https. Some providers will only allow login via https which is secure, http is not secure, these can usually be 'forced' with account settings.
  When logged in does the website remain on https, if it goes to http instead the email content could be visible on that network. Bookmark the https url for the child, and remove any http urls for the same site so they are less likely to use http by accident. Explain to the kids why the 'green lock' in the address bar (indicates https) is important for reading email or any other 'private' data.
  Do the same with search engines (so their searches may be 'invisible' to the local network).
  If they are using an email client like Apple Mail check the settings again for each mail server, there are options to only use the specific server, and only use secure protocols (SSL,TLS…). That should prevent the mail being sent in plain text across the network, however email is inherently insecure as a service (it bounces from mail server to mail server with to & from addresses visible) so the kids may be better off using iMessage or another chat service that has some level of encryption / privacy.
  You can try viewing the network traffic to find passwords for these services, but it is very involved…
  Monitor in promiscous mode on the same wifi channel as the network.
  Decrypt the wifi traffic (you need the network key for this since wifi itself is encrypted (WEP, WPA, WPA2 etc)
  Look for the email traffic & recombine the packets to follow the conversation, but you still cannot read https traffic.
  All you will be able to find is passwords or form values for websites that do not use https.
  There are other things they should be careful with - like avoiding unknown/ open/ free wifi networks. Even cellular towers can be malicious nowadays, so disabling cellular data could help them be a little more secure. They should also avoid accepting certificates or 'profiles' to connect to any network.
  I'm not sure that watching packets in the air will get you better results any quicker that learning how to secure the settings on each device, pass on the info to the kids & eventually they will start to get it
  P.S
  You may be able to lock settings via parental controls. iOS has 'restrictions' within the Settings app. Just use them carefully otherwise they will nag you about being unable to take a photo or use maps etc!

• Sun Cluster 3.2 - WARNING: Cannot enable monitoring on resource-group

  clrg online -emM ora-1line-rg(C348385) WARNING: Cannot enable monitoring on resource ora-1line-rs because it already has monitoring enabled. To force the monitor to restart, disable monitoring using 'clresource unmonitor ora-1line-rs' and re-enable monitoring using 'clresource monitor ora-1line-rs'.
  (logical host reference)
  (C348385) WARNING: Cannot enable monitoring on resource ora-hastp-rs because it already has monitoring enabled. To force the monitor to restart, disable monitoring using 'clresource unmonitor ora-hastp-rs' and re-enable monitoring using 'clresource monitor ora-hastp-rs'.
  (hastorageplus reference)
  I am able to unmonitor and monitor the resources manually. What is the cause of these WARNING messages? This from Oracle and we have yet to complete the installation of HA-Oracle. Oracle is not installed and tnsnames.ora and listener.ora is not configured. Is this the reason? If so, could someone explain why you cannot online the resource group until after the application has been installed.
  Thanks in advance,
  Ryan

  As the manual says for clrs create:
  By default, resources are created in the  enabled  state with  monitoring enabled. so when you issue the clrg online -emM it is just simply warning you that these other resources weren't disable. Note they wouldn't have been started because the RG would have been offline.
  Does that explain it? If not, ask more questions.
  Tim
  ---

• Does the apple thunderbolt to ethernet dongle support promiscuous mode ?

  Does the apple thunderbolt to ethernet dongle support promiscuous mode ?
  I need to use the new Retina MBP as a professional laptop for work, and I need to use Etherreal. Etherreal needs the Ethernet card/dongle/chip to run in Promiscuous mode. I have heard that unblivably the thunderbolt Ethernet dongle does not support this, if so then the laptop will not pick all the packets on the wire... is this true ?
  Regs Mark.

  Hi Clinton,
  Thanks for your reply, However the promiscuous mode function that I am after is a function of the Ethernet NIC hardware and driver not just the OS.
  Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic.
  Anyone out there actually used/tested the thunderbolt Ethernet adapter to sniff traffic with wireshark (Ethereal), can you please  if it can run in promiscuous mode ?
  Thanks.

• Enabled monitor through override not visible in custom management pack

  Hello Everyone,
  I've this requirement to enable a monitor which is disabled by default in its source sealed management pack. Using following article; via override; I enable the monitor and place it into a custom unsealed management pack.
  https://technet.microsoft.com/en-au/library/hh212818.aspx
  Now when I try creating subscription based on that monitor; and select the custom unsealed management pack; that monitor is not listed/available. However, this same monitor which is turned enabled by override; is listed; if its parent sealed management pack
  is selected. 
  Questions:
  1) Would selecting this monitor from its sealed management pack; safe to assume this monitor is now enabled? 
  2) Is this default behavior for monitors turned enabled via override? 
  Please provide input to this, how an enabled monitor through override can be referenced to be used? Thank you.

  1) If the override is done properly, yes, it is enabled. You can check that it is actually enabled by opening the health explorer of an object targeted by this monitor : it should be green/yellow/red instead of blank when it was disabled
  2) It is the default behavior. What happens is that you store the override (just a parameter that says "ok, the monitor is now enabled") in the unsealed management pack, not a copy of the actual monitor.

• How to enable single window mode?

  *how to enable single window mode in the latest version of Safari?*
  browser opens up some links in new windows and it is very inconvenient
  Message was edited by: wolfxr

  All that you describe is the standard setting them I have long found, but they do not bring any results. What is interesting - parameter "TargetedClicksCreateTabs" in a state of "true" which is processed in the Mac version, broken in the Windows-based version if it is to register the file C: \ Program Files \ Safari \ Safari.resources \ Defaults.plist a file stored in the folder C: \ Documents and Settings \ Admin \ Application Data \ Apple Computer \ Preferences \ com.apple.Safari.plist scrambled to change it theoretically impossible, but if you replace it with THIS file, then it can be set, but the parameter "TargetedClicksCreateTabs" still not working