Pulling packet capture from IPS device

I work for a MSP (Managed Services Provider), we currently are evaluating CSM for mgt of 50 IPS/IDSM devices. To make analysis more effective, want to be able to pull the packet capture from the device. We have our own correlation engine, so we do not need MARS. We want to grab the packet and then put a copy into our ticketing system so the analyst has the data right in front of them.
Is the IP Log directory where the packet capture data is kept? Has anyone ever tried this before? What are the performance/health concerns with enabling packet captures for just high signatures? Does the IP log directory really "clean" itself out after a certain period of time?

There are 4 event actions that can be used to capture packets.
The produce-verbose-alert event action will encode the trigger packet as part of the alert itself. So with this event action the packet is already included in the alerts you are already pulling off the sensor. You just need to modify your tool to strip off this packet, decode it, and then add it to your ticketing system at the same time as you add the alert.
This is where I would start.
Using the produceVerboseAlert uses very little additional sensor resources. It has only a very small effect on sensor performance. Because each alert will be larger than normal it will reduce the total number of alerts that can be stored in the sensor's eventstore. But if your application is actively subscribing for these events, then the reduction in total number of alerts stored on the sensor should not cause you any issues. So adding this for all High alerts would be a good practice.
The other 3 event actions are log-attacker-packets, log-pair-packets, and log-victim-packets. These event actions will trigger an IP Log (packet log) to be created (or increase the time for capture on an existing IP Log).
The IP Log system is a collection of numbered files on the sensor. As event actions trigger new IP Logs to be created the sensor will pick one of those numbered files and begin writing packets to that file. The sensor retains an internal mapping of what packets are being written to each file. If no empty files exist, then the sensor will automatically overwrite the oldest IP Log file with the new IP Log file. Larger platforms have up to 512 of these numbered files, and smaller platforms may have as few as 128 or even 64 of these numbered files. Each file is 1 Megabyte in size and usually stored in RAM memory. With the limited number of files, the storage of these logs on the sensor is very short term. And so should be pulled off the sensor as soon as possible (just like what you are planning to implement). The sensor also has a usual limit of only writing 20 IP Log files at any one time.
With these limitations on the IP Log files they should be used sparingly. Configuring too many signatures or signatures that trigger often with these event actions can lead to problems. The IP Logs could easily be overwritten by newer IP Logs being triggered, and/or more than 20 could be requested at any one time which means some alerts won't be able to have an IP Log created.
So IP Logging event actions should be limited to only those alerts where the additional data is mandatory.
Also understand that IP Logging can have a negative impact on sensor performance. If you plan on using IP Logging often, then consider using a sensor rated for higher speeds than what you will be monitoring.
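The first step the answer recommends, stripping the trigger packet out of a produce-verbose-alert alert and handing it to the ticketing system, as an added example that is not code from the original thread. The XML element names, the namespace and the epoch-seconds timestamp are assumptions for illustration; the sample alert and packet are constructed inline, and the output is a one-record pcap the analyst can open directly.

```python
import base64
import struct
import xml.etree.ElementTree as ET

# ASSUMPTION: namespace and element names are placeholders for illustration; check
# them against the SDEE/CIDEE schema of the sensor version the alerts come from.
SD_NS = "urn:example:sdee-placeholder"
NS = {"sd": SD_NS}

PCAP_MAGIC = 0xA1B2C3D4        # native-order pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_sample_packet() -> bytes:
    """Constructed 46-byte Ethernet/IPv4/UDP frame standing in for a trigger packet."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, 1, 0, 64, 17, 0,
                     bytes([192, 168, 101, 6]), bytes([192, 168, 100, 188]))
    udp = struct.pack("!HHHH", 40000, 53, 12, 0) + b"ping"       # 8-byte header + 4 payload
    return eth + ip + udp


def build_sample_alert(packet: bytes) -> str:
    """Constructed alert document carrying the packet base64-encoded in triggerPacket."""
    b64 = base64.b64encode(packet).decode("ascii")
    return (
        f'<sd:evIdsAlert xmlns:sd="{SD_NS}" eventId="1000000000000000001" severity="high">'
        "<sd:originator><sd:hostId>sensor01</sd:hostId></sd:originator>"
        "<sd:time>1300000000</sd:time>"                         # constructed: epoch seconds
        '<sd:signature id="2000"><sd:description>constructed test signature'
        "</sd:description></sd:signature>"
        f"<sd:triggerPacket>{b64}</sd:triggerPacket>"
        "</sd:evIdsAlert>"
    )


def extract_trigger_packet(alert_xml: str):
    """Return (metadata for the ticket body, raw packet bytes or None) for one alert."""
    root = ET.fromstring(alert_xml)
    sig = root.find("sd:signature", NS)
    meta = {
        "eventId": root.get("eventId"),
        "severity": root.get("severity"),
        "sensor": root.findtext("sd:originator/sd:hostId", namespaces=NS),
        "sig_id": sig.get("id") if sig is not None else None,
        "ts": int(root.findtext("sd:time", default="0", namespaces=NS)),
    }
    node = root.find("sd:triggerPacket", NS)
    text = (node.text or "").strip() if node is not None else ""
    if not text:                 # alert without produce-verbose-alert: nothing to decode
        return meta, None
    return meta, base64.b64decode(text, validate=True)


def packet_to_pcap(packet: bytes, ts_sec: int, ts_usec: int = 0) -> bytes:
    """Wrap one frame in a single-record pcap file so it opens in Wireshark as-is."""
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rec_hdr = struct.pack("<IIII", ts_sec, ts_usec, len(packet), len(packet))
    return global_hdr + rec_hdr + packet


def alert_to_ticket_attachment(alert_xml: str):
    """Metadata plus pcap bytes (or None when the alert carries no packet)."""
    meta, packet = extract_trigger_packet(alert_xml)
    if packet is None:
        return meta, None
    return meta, packet_to_pcap(packet, meta["ts"])


if __name__ == "__main__":
    alert = build_sample_alert(build_sample_packet())
    meta, pcap = alert_to_ticket_attachment(alert)
    with open(f"alert-{meta['eventId']}.pcap", "wb") as fh:   # attach to the ticket
        fh.write(pcap)
    print(meta, len(pcap), "pcap bytes written")
```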

Similar Messages

  • Method to periodically transfer packet captures from ASA?

    Investigating an intermittent issue we have with one of our systems, I have set-up a packet capture to look at the traffic going through the firewall.  The problem is, because we have no way of knowing when the issue is going to occur, the buffer can fill up before the relevant traffic is captured.  Likewise, if I use "circular-buffer" to overwrite the buffer from the beginning when full, I have still ended up missing the traffic I'm interested in because it's been overwritten by the time I go to look at it!
    So, does anyone have a method whereby I could regularly copy off the packet captures to a TFTP server whenever the capture is full?  (or at least on a regular basis so I can hopefully have as much of the traffic as possible captured and available to look back at?)
    It can sometimes be weeks before the problem we are looking into becomes apparent so I don't want to have to manually transfer the packet captures each time.
    Any suggestions would be appreciated!
    Thanks.

    I don't know of an easy way to do it since ASA doesn't have Kron. I can think of a couple not-so-easy ways though:
    From a NMS platform (CiscoWorks/LMS, Rancid maybe??) schedule a job to run every x minutes to dump the cap and redirect it to a tftp server or a local file
    Even more ghetto, if you use a terminal app like SecureCRT that can run VBScripts, create a vbscript to do the same thing (periodically log in and dump the cap with a redirect)
    There's probably an easier way, I tend to over-think simple issues ><
    good luck!

  • Packet capture on IPS 5x

    In CLI mode version 5.x, we run "packet capture" command to capture xx packets of an x.x.x.x IP address. Logon to service, searching through directories but could not find the file that packet capture created. Please advise file name and directory this command created.
    TIA.
    Simone

    You will find the capture file here:
    /usr/cids/idsRoot/var/packet-file

  • Log and Capturing from USB device?

    I have a VHS connected to my G5 using an InterView RCA to USB device. Is it possible to log and capture into FCP5? I seem to be getting the sound okay, but can't get the video.

    "You can't capture to FCP without timecode."
    Not true. You can easily capture non-timecoded footage from any number of sources, including VHS. Set FCP's device control to "Non-Controlable Device" and use "Capture Now." The source player will need to be connected to your DV device (camcorder, VTR or converter).
    "VHS decks don't generate timecode"
    Also not true. Most pro VHS and S-VHS VTRs have both VITC and LTC capability.
    -DH

  • Capture from Sony HVR-Z1U

    I have recently purchased a Sony Z1U and was unable to capture in FCE4. I later found out that FCE4 will only capture from the Z1U in DV mode and NOT in HDV. Why is this? Is all my HDV media useless now that I have FCE4? Should I only shoot in DV mode from now on? I also have a small Sony HRD-CX7. Will FCE4 capture from this device?
    Any help for this newbie would be appreciated!

    "do not connect to the computer. Connect it to the hard drive so they are on a single FireWire chain. The computer will have difficulty passing information back and forth on FW when there are multiple devices on multiple ports but on a single bus"
    In theory this may be true, however my external drive only has (2) 1394b ports. My camera has (1) four pin 1394a port that converts to a six pin 1394a through the cable assembly. There is no way to chain these components together (via my external drive anyways) as far as I can see. Is this a critical issue? Should I invest in a different drive? I guess I could connect to my ED via esata using an express card. Would this approach lessen the load on the FW bus during capture and delegate a separate bus for ED control?
    Any thoughts on this?
    Message was edited by: Chad Clemens

  • Cisco Prime and WLC packet capture error - Request Timed Out

    Hello,
    We have a Cisco Prime installation (2.2.0) and a WLC (Cisco 5508)
    I’ve been trying to test the wireless packet capture function, but have now run into problems, a quick rundown of my actions so far:
    Selected a wireless access point in Prime and clicked ‘Packet Capture’
    Did a packet capture saving to the PI, the capture worked fine
    Could not find any way to delete the packet capture
    Selected a wireless access point in Prime and clicked ‘Packet Capture’
    Did a packet capture saving to an FTP server, the capture worked fine
    The 1st capture had finished (10 minute capture) before testing the second
    The 2nd capture has also finished and saved the files to the FTP server as specified
    Now though I cannot capture from any access point as when I click ‘Packet Capture’ I get the error:
    “Request Timed out. Error in getting data from server.”
    The error is ‘instant’ as in no delay indicating something actually timing out.
    So the 2 problems I have are:
    How do I fix the ‘request timed out’ error above
    How do I delete old packet captures from the PI
    I hope someone can help as I can’t find any info on either of the problems.
    Cheers
    Adrian

    I think I've solved (2) by deleting the files from the FTP directory on the prime box through SSH.
    So I'm now just stuck on the timed out error.

  • How to display date for each packet in a Cisco ASA packet capture

    Hello,
    Quick question...On a Cisco ASA (v8.2) how does one show the date of each packet in a packet capture?
    When performing a packet capture from CLI you can do a "show capture testcapture" command and you can see that the time is at the beginning of each packet but how does one view the date as well as the time for each packet?  I know you can export the packet capture and it will show the date & time in wireshark but sometimes for just quick and dirty capture I'd like to view the capture from the CLI on the ASA itself without doing an export. 
    Sample capture below.  Time is displayed but not the date of the packet capture.  Issuing command "sh cap test detail" doesn't show the date either.  I checked on an ASA running v9 and it also doesn't show the date in the packet capture.
    ASA5505# sh cap test
       1: 08:51:56.112085 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x:  udp 404
       2: 08:52:18.111871 802.1Q vlan#12 P0 10.150.40.240.29082 > x.x.x.x.53:  udp 37
       3: 08:52:18.165366 802.1Q vlan#12 P0 y.y.y.y.53 > 10.150.40.240.29082:  udp 53
       4: 08:52:32.129235 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x4.500:  udp 404
       5: 08:52:37.111627 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
       6: 08:52:49.111490 802.1Q vlan#12 P0 10.150.40.240.500 > x.x.x.x.500:  udp 404
    Thanks for any help.
    Joe

    Hi,
    I would suggest copying the capture from the ASA to some local host and opening the capture file with Wireshark to view the information
    For example
    copy /pcap capture:test tftp://x.x.x.x/test.pcap
    This should copy the current data in the capture to the mentioned location with the mentioned filename.
    I personally view the captures on the ASA CLI only if I am just confirming that some traffic comes to the firewall or when I am checking what happens to a TCP connection that can not be formed. Its a lot easier to go through bigger captures by copying them from the ASA and viewing them with an actual software meant for that purpose.
    Hope this helps :)
    - Jouni

  • How do I import a video to QT PRO from my device!?

    How do I import a video to QT PRO from my device? All I see under "file" is "new audio recording" there is no option for "new video recording". this is driving me crazy. i just want to edit my video from my miniDV player. Any help would be great thanks for your time.
    Paul

    Robert, welcome to these discussions.
    Most modern digital video cameras ship with their own capture software.
    You'll still find QuickTime Pro a very useful conversion tool to resize, edit and transport your final product.
    The "One Click" recording feature of video (Mac only) to QuickTime movie format is in response to the ease of video capture from these devices. Most of these files need some further editing anyway.
    Now that you own QT Pro you can export your camera files to DV Stream formats (preserving the original quality) and edit them in your favorite Windows software.
    I doubt that many Mac users use QuickTime Pro just to export their videos directly to the .mov file format.
    QuickTime Pro is a new tool that will now help you convert your captures to Web friendly formats you can share with friends and family.

  • IPS packet captures-disk space

    I have been doing packet captures on High and Medium events and in the IME there is no obvious way to delete old captures. They don't take up alot space but I wanted to know if there is a way to view the disk capacity on the IPS and how I can delete old capture files from the IPS.

    Hi Jason,
    The ip logging functionality stores the logs in a circular buffer, so there is no need (and no supported way) to delete/manage the old log files - they will be overwritten when new logs necessitate it.
    All of the information on ip logging can be found here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ip_logging.html#wp1030704
    Also, unless you have a specific need for full stream captures for all high/medium events, you can use the "Produce Verbose Alert" action instead of the ip logging actions to capture the offending packet with significantly less resource utilization per alert.
    -JT

  • Capture audio from separate device

    Is it possible to capture from a camera, but record the audio at the same time from a different audio device, e.g. soundcard?
    (My camera does not have a separate audio input with reasonable quality, so one could save from having 2 separate files by recording video from camera plus audio from soundcard. I'm not sure if that would really work due to latency problems, but I'd like to give it a try if possible.)
    Thanks!

    My practice is to capture sound separately using an hard disc recorder,from two to twenty-four tracks, and to combine this with the video in Premiere Pro. I use the sound track on the tape to achieve synchronization (which is very easy in Premiere Pro). If the room is small (<100 feet) I can use an on-camera microphone. For best results I use a wireless feed from the recorder to the camera.
    It's important to use a digital recorder, preferably at 48KHz sampling speed (you can convert from 44.1 or something else, but the speed may slip). An analog source, like a cassette deck, varies too much in speed, often more than 5%, to be useful. The sync slip is usually less than 3 frames per hour of recording. Most digital recorders have a digital output which can be captured directly by the computer through firewire or USB. If your only choice is an analog sound card, don't bother - too noisy and bad timing.

  • Image capture from avi vfw device can't find video modes

    Hello
    Here is my issue: I have implemented image capture from a video device using jmf 2.1.1e performancepack. Using a webcam everything is fine, but when I use the video capture source I want to use I can only work with format 720x480 PAL and I require 720x576 PAL.
    JMF seems not to recognize the video format from this source, but the video is correctly displayed and the image correctly captured. I'm surprised it is half working: decoding & render is ok but not format choice.
    I have checked it is not because I'm in NTSC mode (NTSC is 720x480), because my analog source is PAL and the colors are correct (if with the device software I change to NTSC mode I get black & white, but using JMF I'm in color so I'm in PAL mode).
    The difference between the webcam and my device is that my device is an AVI encoder, so in JMF the webcam is javax.media.format.YUVFormat and my device is com.sun.media.format.AviVideoFormat.
    i have tried many thing:
    install codec pack (divx6, another codec pack)
    try to use Fobs4JMF
    register in JMStudio IBMdecoder, jffmpeg
    Thanks for any help.
    The device supports many configurations (UYVY 235x288, 352x576 .... 720x576) but JMF offers only 1 video mode for this device.
    here in jmf my capture device info:
    Name = vfw:Microsoft WDM Image Capture (Win32):0
    Locator = vfw://0
    Output Formats---->
    0. com.sun.media.format.AviVideoFormat
    UYVY, 720x480, Length=691200 0 extra bytes
    and with a web cam:
    Name = vfw:Microsoft WDM Image Capture (Win32):0
    Locator = vfw://0
    Output Formats---->
    0. javax.media.format.YUVFormat
    YUV Video Format: Size = java.awt.Dimension[width=640,height=480] MaxDataLength = 460800 DataType = class [B yuvType = 2 StrideY = 640 StrideUV = 320 OffsetY = 0 OffsetU = 307200 OffsetV = 384000
    1. javax.media.format.RGBFormat
      RGB, 160x120, Length=57600, 24-bit, Masks=3:2:1, PixelStride=3, LineStride=480, Flipped
    2. javax.media.format.RGBFormat
      RGB, 176x144, Length=76032, 24-bit, Masks=3:2:1, PixelStride=3, LineStride=528, Flipped
    3. javax.media.format.RGBFormat
      RGB, 320x240, Length=230400, 24-bit, Masks=3:2:1, PixelStride=3, LineStride=960, Flipped
    4. javax.media.format.RGBFormat
      RGB, 352x288, Length=304128, 24-bit, Masks=3:2:1, PixelStride=3, LineStride=1056, Flipped
    5. javax.media.format.RGBFormat
      RGB, 640x480, Length=921600, 24-bit, Masks=3:2:1, PixelStride=3, LineStride=1920, Flipped
    6. javax.media.format.YUVFormat
      YUV Video Format: Size = java.awt.Dimension[width=160,height=120] MaxDataLength = 28800 DataType = class [B yuvType = 2 StrideY = 160 StrideUV = 80 OffsetY = 0 OffsetU = 19200 OffsetV = 24000
    7. javax.media.format.YUVFormat
      YUV Video Format: Size = java.awt.Dimension[width=176,height=144] MaxDataLength = 38016 DataType = class [B yuvType = 2 StrideY = 176 StrideUV = 88 OffsetY = 0 OffsetU = 25344 OffsetV = 31680
    8. javax.media.format.YUVFormat
      YUV Video Format: Size = java.awt.Dimension[width=320,height=240] MaxDataLength = 115200 DataType = class [B yuvType = 2 StrideY = 320 StrideUV = 160 OffsetY = 0 OffsetU = 76800 OffsetV = 96000
    9. javax.media.format.YUVFormat
      YUV Video Format: Size = java.awt.Dimension[width=352,height=288] MaxDataLength = 152064 DataType = class [B yuvType = 2 StrideY = 352 StrideUV = 176 OffsetY = 0 OffsetU = 101376 OffsetV = 126720

    I have found some information in the article http://archives.java.sun.com/cgi-bin/wa?A2=ind0111&L=jmf-interest&P=22779
    but I didn't find the "sample programs on the JMF Solutions page" which is about VFWDeviceQuery,
    so I have trouble with point 2 of this article.
    I have tried to rewrite VFWDeviceQuery:
    I just added dimension 720x576 and "UYVY" in the variable declaration, then compiled and replaced VFWDeviceQuery.java in jmf.jar, but it is not working.
    I am missing information on what to do in VFWDeviceQuery to try more.
    About the JMF source files, I have used the source file jmf-2_1_1e-scsl-src but I have some packages missing such as com.ibm.media.codec.audio.BufferedEncoder ...
    so I can't use the debugger on all JMF packages and check how VFWDeviceQuery is working.
    If someone has information about this please help me:
    - "sample programs on the JMF Solutions page" about VFWDeviceQuery
    - how to rewrite VFWDeviceQuery to support UYVY
    - how to compile the entire JMF source files
    V.

  • Device Control Capture from Beta SP Deck into a G-4, Using Firewire ???

    Hello,
    I have been told by many people that it is possible to capture video with device control from a Beta SP deck, if you have the correct setup. But no one seems to be able to tell me exactly how using a G-4 Dual 1.25, or G-5 single processor computer. What I'm hoping to do is establish a serial interface that will allow for device control from a RS-422 circumstance. I'm hoping that I can do this, and still capture using DV- I don't want to have to resort to using a video capture card, for an assortment of reasons that I won't get into.
    Question: Is there anyone out there converting video from a beta sp deck to firewire in FCP, using device control, and if so, what is your set up?
    Thanks!
    Stuart Baker

    ProAppTips is your friend:
    How to get BetaSP footage into FCP without a capture card
    Patrick

  • Audio Not Syncing After Offline Conversion/Batch Capture from OfflineRT-DV

    WORKFLOW:
    1. Shooting HDV on a Sony HDR-V1U (DF/NDF Timecode setting is AUTO on the camera)
    2. Using the camera to downconvert to DV as I import into FCP 7 (final product will be NTSC DVD).
    3. I first capture and log using the OfflineRT NTSC (Photo JPEG) preset
    4. I make my Edits, and then use Media Manager to create new project and create offline media referenced by duplicated items. (Set sequences to: DV NTSC 48 kHz)
    5. The clips I need are then batch captured using Capture Preset: DV NTSC 48 kHz
    PROBLEMS:
    A. As I'm initiating my batch capture in step #5 above, the following warning is generated:
    WARNING: You are about to capture Drop Frame media from a device currently detecting or configured for Non-Drop Frame media. If you proceed, you may experience changes in logged in and out points, problems relinking media, or removal of master clip relationships.
    B. When I playback my sequence, the in/out points are off by several seconds. (like the media within the clip slid ahead several seconds--to fix it, I would have to slide each clip back)
    QUESTIONS:
    Q1: How can I properly execute my workflow while avoiding the WARNING above and the problem with the in/out points?
    NOTE: The OfflineRT clips in the original project (#3 above) are shown as DF (semicolon in timecode), but the duplicated clips in the DV project (#4 above) are NDF (colon in timecode). I have already tried changing my capture preset to Firewire NTSC NDF, recapturing the clips, and the result is the same.
    Q2: Should the capture preset be the same or different when logging the first (OfflineRT) and second (DV NTSC 48kHz) times?

    Wish I had a simple answer for you, stay tuned, some folks who actually use those cameras will drop by sooner or later.
    TrevorRawson wrote:
    After importing through log and capture I continue to get a pop up when it's done saying that the audio and video frame rates do not line up.
    I'll bet you're shooting with a Canon.
    TrevorRawson wrote:
    I am using a Canon xl2 and a Panasonic DVX100A,
    Ah-HA!
    TrevorRawson wrote:I'm shooting in 24p Advanced with a 2:3:3:2 pull down. The capture settings are set up for FCP's default DV NTSC 24p with Advanced Pulldown, same with my sequence settings. This is my first time shooting in 24pa so I'm a little lost at what to do. Does anyone know the correct settings I should be using?
    so neither camera captures properly? that's odd. We know the Canon is going to give you trouble but the Pani should work.
    Try searching the forum for your camera models, see what comes up. Many different cameras shoot their own versions of various image,frame, and pulldown formats.
    bogiesan

  • Trouble Capturing Packets with Embedded Packet Capture

    Hi All,
    I am trying to capture packets originating from a server to a host device across three switches:
    server -- 6513 -- 3850 -- 3550 -- host A
    I am doing a ping from the server to host A. The packet capture is being done on the 3850. This is my configuration:
    access-list 100 permit icmp host 192.168.101.6 host 192.168.100.188
    access-list 100 permit icmp host 192.168.100.188 host 192.168.101.6
    end
    monitor capture buffer TRACE
    monitor capture buffer TRACE filter access-list 100
    monitor capture point ip cef CAP g1/1/1 both
    monitor capture point associate CAP TRACE
    monitor capture point start CAP
    I then issue a ping from the server to host A. Interface g1/1/1 is where the 6513 connects to the 3850. When I issue a show monitor capture buffer all parameters, there are no packets. If I remove the filter from the buffer I still do not see the packets.
    Does anyone have any advice here?

    I tried recreating the packet capture with no access-list filtering.
    show mon cap buff all para
    Capture buffer cap (circular buffer)
    Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 0
    Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
    Associated Capture Points:
    Name : cap, Status : Active
    Configuration:
    monitor capture buffer cap circular
    monitor capture point associate cap cap
    interface GigabitEthernet1/1/1
     description UPLINK TO 6513
     switchport mode trunk
    end

  • ASDM Packet Capture

    Hello,
    I am new to the ASA world so if there is a better way to do the following I would appreciate any suggestions. I need to capture what type of traffic is leaving our network on a daily basis, this should include source and destination ports. I will be capturing traffic for a weeks time in order to better our rules. I have gone into tools and preferences and under the packet capture wizard I put in Wireshark. In setting up the capture, I did the following for the ingress interface I selected the inside interface and I choose to specify packet parameters. For the source host/Network and destination host/network I am leaving them both at all zeros to capture everything. Same goes for the egress interface settings and I choose the outside interface. I am leaving the protocol defaulted to IP. From there I'm changing the buffer to be the max size and then starting the capture. Once it's running for a little bit I save that capture and clear the buffer and then repeat this process. This doesn't seem to be very efficient and I'm hoping there's a better way? ASDM version 6.6(1) and ASA Version 8.6(1)2 device type is ASA5525
    Thanks,

    Hi,
    I think much easier way of doing this would be to use some monitoring tools like Netflow , SNMP etc.
    There is some freeware also available for these tools. If you want you can also check the Threat detection statistics graph on the ASDM.
    https://supportforums.cisco.com/document/30471/netflow-asa
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html
    EDIT:- Also , applying captures with IP ANY ANY might have some performance impact.
    Thanks and Regards,
    Vibhor Amrodia
