IDSM-2 - Promiscuous Mode

Similar Messages

• Configuring IDSM in promiscuous mode?

  Hello,
  I have two switch catalyst 6500 in VSS each with a IDSM module, I want monitor four VLANs three of them are vlans of users and one of servers, I am planning use VACLs to capture the traffic.
  My first quetion is how to configure the data ports of IDSM in promiscuous mode, if in the configuration guide say that by default the data ports are in promiscuous mode, so that means that I don't have to make any configuration in the data ports of IDSM?
  Second, if I have two switches 6500 in vss each with a IDSM module, I have to consider other configurations for this situation?
  The configuration of VACL that I will put is:
  ip access-list extended ACL_IPS
    permit ip any any
  vlan access-map VACL_IPS 10
    match ip address ACL_IPS
    action forward
  vlan filter VACL_IPS vlan-list 30 , 40 , 50 , 100
  intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100
  intrusion-detection switch 1 module 4 data-port 1 capture
  intrusion-detection switch 1 module 4 data-port 1 autostate include
  intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100
  intrusion-detection switch 2 module 4 data-port 1 capture
  intrusion-detection switch 2 module 4 data-port 1 autostate include
  Thanks for the help.

  The IDSM doesn;t need any special commands to inspect traffic in Promiscious mode.
  You'll want to put your IDSM management interfaces on a VLAN to talk with them:
  intrusion-detection module 4 management-port access-vlan 99
  Use the "forward capture" switch:
  vlan access-map VACL_IPS 10
    match ip address ACL_IPS
    action forward capture
  Get rid of the spaces between your VLAN numbers
  vlan filter VACL_IPS vlan-list 30,40,50,100
  If you put two IDSMs in teh same chassis you'll need to decide how to split traffic between them. You can assign different VLANs to each IDSM.
  - Bob

• Configuring IDSM-2 Promiscuous Mode with MLS IP IDS

  I am having a problem configuring promiscuous mode with an IDSM-2 running 5.0(3)S181.0 in a 6509 with Sup 720 running IOS 12.2(18)SXD4. I am running router interfaces without VLANs so I have created an extended access list with a 'permit ip any any' and configured this on my interfaces with 'mls ip ids access-list-name'. I configured 'intrusion-detection module x data-port 1 capture' and 'intrusion-detection module x data-port 2 capture', and because of the caution note on page 14-12 of 78-16127-01 I also configured 'intrusion-detection module x data-port 1 capture allowed-vlan 1-4094' and 'intrusion-detection module x data-port 2 capture allowed-vlan 1-4094'. After that I can see the output counters rising in 'show 'intrusion-detection module x data-port 1 traffic' and 'show 'intrusion-detection module x data-port 2 traffic'. I can configure the IDSM-2 using the VMS management center, and I added my sensor to security monitor and set the level down to informational, but I don't even see any events or even the start-up informational message. Anyone have any idea what I missed?

  Here is a document on Configuring the Catalyst Series 6500 Switch for IDSM-2 in Promiscuous Mode.
  http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_guide_chapter09186a0080459221.html#wp1030752

• How to best use IDSM in promiscuous mode?

  Hi folks
  I need some input and ideas how to best set up my IDSM2 module.
  Today I have the module set up to capture traffic from the 6513 using SPAN in both directions and two different firewalled VLANs as sources. The destination is data-port 1 on the IDSM. This setup is working fine but I'm curious as how to best use the second data-port. Our 6513 runs IOS 12.2(18)SXF3 and has a limit of only one SPAN session set up to capture an entire VLAN in both directions.
  My idea was to use the second data-port as SPAN destination for our external/non-firewalled VLAN, but this isn't allowed.
  Does anyone have or had a similar problem? Would using a VLAN access list with data-port 2 as destination be an option or are the dual IDSM interfaces mainly used for inline mode?
  Regards
  Fredrik Hofgren

  Fredrik,
  I am using VACLs in the switch that has the IDSM. This will preserve your SPAN sessions.
  You can specify which vlans go to which port on the IDSM.
  We actually have our external vlan set up as an inline vlan pair on data port 2.

• Does the apple thunderbolt to ethernet dongle support promiscuous mode ?

  Does the apple thunderbolt to ethernet dongle support promiscuous mode ?
  I need to use the new Retina MBP as a professional laptop for work, and I need to use Etherreal. Etherreal needs the Ethernet card/dongle/chip to run in Promiscuous mode. I have heard that unblivably the thunderbolt Ethernet dongle does not support this, if so then the laptop will not pick all the packets on the wire... is this true ?
  Regs Mark.

  Hi Clinton,
  Thanks for your reply, However the promiscuous mode function that I am after is a function of the Ethernet NIC hardware and driver not just the OS.
  Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic.
  Anyone out there actually used/tested the thunderbolt Ethernet adapter to sniff traffic with wireshark (Ethereal), can you please  if it can run in promiscuous mode ?
  Thanks.

• Does the Intel 82579LM NIC on the Portege R830 support Promiscuous mode?

  Hi,
  I've got a work laptop (Portege R830), which doesn't want to sniff packets. I've got it connected to a Netgear Hub (DS104), along with an older notebook, and then uplink to ADSL.
  Running a continuous ping to the default gateway and Wireshark on both devices and the other computer can see the pings from the Toshiba, but not vice-versa.
  The Toshiba is running as an Administrator account, has the Windows Firewall disabled, and my Symantec End Point Encryption disabled. I don't have any other AV to my knowledge.
  Does anyone have any ideas of services I should disable/enable, or knowledge of the features of this NIC?
  According to the Intel site "Yes, all currently marketed Intel PRO/100, Intel PRO/1000, Intel Gigabit, Intel PRO/10 Gigabit, and Intel 10 Gigabit adapters support Promiscuous mode. " But the Intel 82579 Gigabit Ethernet Controller is not in the list that follows on; http://www.intel.com/support/network/sb/CS-004185.htm?wapkw=%28promiscuous%29
  Thanks for your time.

  Usually the firewall or Internet Security software blocks pings so perhaps try uninstalling Symantec completely. Just disabling it may not disable everything.
  Another thing to try is use a Static IP Address instead of DHCP. Disabling IPv6 or installing a newer LAN driver from the Intel website may also help.

• UCCX on VMWare needs ethernet promiscuous mode?

  Hello all,
  Just noticed something in the vmware host logs:
  2013-06-08T16:29:52.001Z cpu20:14694)etherswitch: L2Sec_EnforcePortCompliance:153: client ccx.eth0 requested promiscuous mode on port 0x4000024, disallowed by vswitch policy                
  And that's expected, because the default configuration of the vswitch denies ethernet promiscuous mode.
  Now the question is - does the virtual UCCX need promiscuous mode at all? I would expect to see it as a specific note in the documentation if it would. The docwici for UC on UCS is quite detailed and it get's bigger and bigger every day.
  I suppose the promiscuous mode is related somehow to call monitoring and recording, but is it really a requirement? I am using Desktop Based monitoring and recording. UCCX version 9.0.2.10000-71

  Hi,
  Please check your recording options.
  If it set not to spanless recording,you'll have allow promiscuous mode and rspan vlans.

• Ethernet Card in promiscuous mode

  Hello,
  I have a Powerbook G4 15p (1.25GHz) and I want to capture network trafic on a cisco trunk port.
  It works fine but I have no informations concerning vlan tags : is it possible to configure the Ethernet driver in promiscuous mode ?
  Best Regards,
  Guillaume
  Edit : same problem as describe here : http://support.intel.com/support/network/sb/cs-005897.htm

  I was thinking of a network driver option : How can I know what sort of network chipset is on my powerbook ?
  If I look to /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns, I can see this :
  Apple3Com3C90x.kext AppleDP83816Ethernet.kext AppleRTL8139Ethernet.kext
  AppleBCM440XEthernet.kext AppleGMACEthernet.kext AppleRTL8169Ethernet.kext
  AppleBCM5701Ethernet.kext AppleIntel8254XEthernet.kext Apple_DEC21x4Ethernet.kext
  AppleBMacEthernet.kext AppleIntel8255x.kext
  and there is the possibility to update an xml config file on some driver modules
  Here is the result of my kextstat :
  34 3 0x2dd90000 0x1f000 0x1e000 com.apple.iokit.IONetworkingFamily (1.5.0) <6 5 4 3 2>
    Mac OS X (10.4.3)  

• Using promiscuous mode to collect UDP data

  Is it possible to set a NIC in promiscuous mode and to pull all UDP data?
  I have created a VI to listen to data coming across a specific UDP port, this work perfect for one device when I specify the NIC IP address.
  My challenge is I have multiple devices with different IP addresses/networks, that I have to switch between. Every time I switch I need to reconfigure my NIC IP address to capture the data. I would like all data to pass through regardless of IP address. Does LabView support this?
  Thanks

  No, LabVIEW does not natively support a way to put a network interface into promiscuous mode and capture all traffic. You'll either need to use a packet sniffer like Wireshark to capture to a file, and then process it later, or use other libraries. A starting point might be http://zone.ni.com/devzone/cda/epd/p/id/2660

• How to Set HyperV NIC in Promiscuous Mode

  Is there any way to set up a NIC on a virtual HyperV guest in promiscuous mode?
  I want to try and run a web filtering product on a VM. Wireshark does not indicate that it is capturing all traffic.
  I have my switch port mirrored already and it works with a regular box but not with the VM.
  Any help would be appreciated.
  Thanks,
  Andy

  I was able to make wireshark capture all the packets.
  I followed this post:
     http://fixmyitsystem.com/2013/08/Remote-Wireshark.html
  The only diference is that use and Internal Virtual Network  to connect from the
  guest to the host.
  My hyper-v host IP, for this network is 169.254.107.1 (check yours by doing ipconfig)
  and the Guest is 169.254.107.20
  Steps:
    - Just get rpcapd (http://nmap.org/dist/nmap-6.40-win32.zip).
    - Unzip it and install it on the hyper-v host
      Open PowerShell
      Enter-pssession Coremachine    
      Silently install: winpcap-nmap-4.02.exe /S
    - Next up you will have to create a firewall exception for
      this to be reachable from the management machine.
      netsh advfirewall firewall add rule name="Remote WinPcap" dir=in action=allow protocol=TCP localport=any remoteip=169.254.107.20
      (to turn on  the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=yes
      (to turn off the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=no
    - Navigate to C:\Program Files\WinPcap
      To start to packet capture service use
          .\rpcapd.exe -p 2002 -n
    - Get the GUID of the network card you want to use in WireShark  
        wmic nic where PhysicalAdapter="TRUE" get Description,GUID,MACAddress,Name,NetConnectionID
    - on wireshark
      Select Capture Options
      Click Manage Interfaces
      Select Local Interfaces tab and check the Hide box next to all of them
      Select remote Interfaces tab
      Click add button
      For the host specify the hostname or IP Address  
          (I use an internal network to conect to the host)
           My host IP is 169.254.107.1 and the Guest is 169.254.107.20
      The port default is 2002 (set with the -p switch earlier)
      Null authentication as set with the -n switch earlier
      OK
      You should now see a number of interfaces added
      Click Close
    - There will be a buffer size warning but it can be ignored, and hey presto,
      you are capturing packets from a remote  non GUI machine.  
      The process from here on in is the same as you would use WireShark with
      local traffic capture.

• Macbook pro (june 2010) airport promiscuous mode

  Hi all,
  For my network security course, I have to sniff a wireless network.
  Is it possible to put the airport extreme in promiscuous mode? When I use wireshark and select the "capture packets in promiscuous mode" I can only see my own traffic...Although when I check my "en1" status in ifconfig, I see that the "promisc" flag is set..strange
  I've put the wpa/psk password in wireshark so that's not the problem.
  So my final question is, does the promiscuous mode on airport extreme work on a 2010 macbook pro?

  flawlessnyc wrote:
  Of course it's my network and devices. And I'm interested in email accounts. As a parent . . . . well ya gotta be diligent.
  Look at the devices - how are they accessing the email?
  If it is via webmail in the browser (or a 'browser based' app) look for account setting to only use https. Some providers will only allow login via https which is secure, http is not secure, these can usually be 'forced' with account settings.
  When logged in does the website remain on https, if it goes to http instead the email content could be visible on that network. Bookmark the https url for the child, and remove any http urls for the same site so they are less likely to use http by accident. Explain to the kids why the 'green lock' in the address bar (indicates https) is important for reading email or any other 'private' data.
  Do the same with search engines (so their searches may be 'invisible' to the local network).
  If they are using an email client like Apple Mail check the settings again for each mail server, there are options to only use the specific server, and only use secure protocols (SSL,TLS…). That should prevent the mail being sent in plain text across the network, however email is inherently insecure as a service (it bounces from mail server to mail server with to & from addresses visible) so the kids may be better off using iMessage or another chat service that has some level of encryption / privacy.
  You can try viewing the network traffic to find passwords for these services, but it is very involved…
  Monitor in promiscous mode on the same wifi channel as the network.
  Decrypt the wifi traffic (you need the network key for this since wifi itself is encrypted (WEP, WPA, WPA2 etc)
  Look for the email traffic & recombine the packets to follow the conversation, but you still cannot read https traffic.
  All you will be able to find is passwords or form values for websites that do not use https.
  There are other things they should be careful with - like avoiding unknown/ open/ free wifi networks. Even cellular towers can be malicious nowadays, so disabling cellular data could help them be a little more secure. They should also avoid accepting certificates or 'profiles' to connect to any network.
  I'm not sure that watching packets in the air will get you better results any quicker that learning how to secure the settings on each device, pass on the info to the kids & eventually they will start to get it
  P.S
  You may be able to lock settings via parental controls. iOS has 'restrictions' within the Settings app. Just use them carefully otherwise they will nag you about being unable to take a photo or use maps etc!

• Enable monitor/promiscuous mode on Cisco Atheros AR5001X+

  I have a Cisco Aironet Atheros AR5001X+ wireless card installed on an HP laptop running Ubuntu 8.10. The card is working and I would like to know how to enable monitor/promiscuous mode on it so that I can use wireshark to capture network traffic at work. I would also like to know if I can enable the card in monitor/promiscuous mode in Windows XP and how? Any help would be appreciated, thanks.

  in a console window:
  sudo ifconfig ath0 PROMISC
  password:
  it should be ath0 for an atheros chip, but may be wlan0 or something else
  you will need to install Winpcap for windows
  http://www.winpcap.org/')">http://www.winpcap.org/

• Configuring 4255 sensor in promiscuous mode

  I have a 4255 with 3 interfaces that connect to a 6500 series switch. The IPS interfaces are set to promiscuous mode with a defualt vlan specified.
  On the switch side, I would like to send the traffic from more than one vlan to the sensor GE interfaces. What is the best way to do this?
  Do I set up a monitor session on the switch with a source of multiple vlans, then set the destination as one of the sensor ports?
  I also see the option to do a switchport capture.
  Any advice would be great

  You want to do a VACL capture on the 6500:
  http://www.cisco.com/c/en/us/support/docs/lan-switching/vlan-access-lists-vacls/89962-vacl-capture.html
  monitor session 50 source vlan 100 , 200
  monitor session 50 destination interface Fa3/30

• IDSM-2 Inline mode

  Hi,
  I am working with the IDSM-2, We have Cisco 6509 with CSM & FWSM, We are planning IDSM-2 in Inline mode and now i want to monitor the traffic which is coming through Outside Interface of the FW context ( Which is nothing but a VLAN A, VLAN B, Vlan C. on MSFC )
  Data flow :-- ISP RTR---INternal RTR---FWSM---IDSM---MSFC---CSM---
  IDSM version is 5.1(4)S257.0,
  This will support only Two VLAN (IN and OUT) on access mode.
  My problem is I don't know how to scan the traffic of 3 numbers of VLAN (A,B,C).
  Cisco 6509 --- Version 12.2(18)SXF7,

  Hi Udaya,
  I am not able to find out any subinterface.
  I think it is available from IPS 5.1 and this one is IPS5.0(2)
  IDSM2CORE2(config-int)# show settin
  physical-interfaces (min: 0, max: 999999999, current: 3)
  name: GigabitEthernet0/2
  media-type: backplane
  description:
  admin-state: enabled
  duplex: auto
  speed: auto
  alt-tcp-reset-interface
  none
  name: GigabitEthernet0/7
  media-type: backplane
  description:
  admin-state: enabled
  duplex: auto
  speed: auto
  alt-tcp-reset-interface
  interface-name: System0/1
  name: GigabitEthernet0/8
  media-type: backplane
  description:
  admin-state: enabled
  duplex: auto
  speed: auto
  alt-tcp-reset-interface
  interface-name: System0/1
  command-control: GigabitEthernet0/2
  inline-interfaces (min: 0, max: 999999999, current: 0)
  bypass-mode: auto
  interface-notifications
  missed-percentage-threshold: 0 percent
  notification-interval: 30 seconds
  idle-interface-delay: 30 seconds

• IDSM-2 Inline mode operation - cat6000 Hybrid

  Hello, is the inline mode operation on the IDSM-2 IPS 5.1 only supported with catos 8.4(1)?
  Thanks!

  I agree, the IPS 5.1 release notes http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/prod_release_note09186a0080574954.html#wp1068104 says it requires 8.5(1) go figure.