packet display on WS-SVC-IDS2-BUN-K9 module

Hi all!

I am trying to use the CLI command 'packet display' on a WS-SVC-IDS2-BUN-K9 module.

If I put only the name of the interface as an argument to the command:

packet display gigabitEthernet0/7

I get a lot of packets. That is OK.

But if I add an expression argument I get nothing, even with the relevant traffic on the wire:

packet display gigabitEthernet0/7 expression ip proto \icmp

packet display gigabitEthernet0/7 expression verbose dst host IP

packet display gigabitEthernet0/7 expression verbose dst port SOME PORT

I tested this on 5.0(2) and 1.0000 E3. The results were almost the same.

On an IPS-4255, all of the commands mentioned above produce the expected results.

I searched the Cisco bug toolkit and found nothing.

Can someone try to reproduce this? Has anyone seen it?

Or maybe it is not a bug but a feature, but I was not able to find a description of it.

Waiting for a response.

Kind regards

Maxim

The packet display command uses tcpdump under the covers. Thus, the expression must be a valid expression that tcpdump will understand.

If the packets are standard IP packets, then the expression can be applied directly (which is probably what you see on your IPS-4255).

BUT if the packets have an 802.1q header (VLAN header), then a special statement must be added to the expression for tcpdump to know how to apply the rest of the expression. With the IDSM-2, in most IDSM-2 deployments the packets will have 802.1q headers. The same problem will be seen on appliances running inline VLAN pair configurations.

The keyword "vlan" must be added to the expression so that tcpdump knows it has to parse the 802.1q header before looking for the rest of the expression.

So try something like:

packet display gigabitethernet0/7 expression vlan ip proto \icmp

NOTE: A specific VLAN number can also be added after the vlan keyword to restrict the tcpdump output to traffic on a single VLAN.
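The reason the filter silently matches nothing is that a BPF expression such as "ip proto \icmp" reads the EtherType at a fixed offset (byte 12) and the IP protocol field at a fixed offset after it; a 4-byte 802.1Q tag at offset 12 shifts everything, so the untagged test fails on every tagged frame. The following model of that offset behaviour is an added example, not code from the original thread or from Cisco; it builds two constructed frames (one untagged, one tagged with VLAN 23) and evaluates the equivalent of "[vlan [id]] ip proto <n>" the way the classic offset-based matcher does. The MAC addresses, IP addresses and VLAN id are made-up sample values.

```python
import struct

ETH_P_IP = 0x0800      # EtherType: IPv4
ETH_P_8021Q = 0x8100   # EtherType: 802.1Q VLAN tag
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def build_frame(vlan_id=None, ip_proto=IPPROTO_ICMP):
    """Constructed Ethernet frame: optional 802.1Q tag, minimal IPv4 header, no payload.
    Addresses are sample values, not taken from the post."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC
    if vlan_id is not None:
        # TCI: priority 0, CFI 0, 12-bit VLAN id; the inner EtherType follows the tag
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_P_IP)
    # IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, ip_proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip


def matches(frame, expect_vlan=False, vlan_id=None, ip_proto=IPPROTO_ICMP):
    """Evaluate "[vlan [vlan_id]] ip proto <ip_proto>" against one frame.

    Without the vlan keyword the EtherType is read at offset 12 and must be 0x0800.
    With it, offset 12 must be 0x8100 (optionally with a matching VLAN id) and every
    later offset shifts by the 4-byte tag, which is exactly what the keyword tells
    tcpdump to do."""
    off = 0
    if expect_vlan:
        if struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
            return False
        tci = struct.unpack_from("!H", frame, 14)[0]
        if vlan_id is not None and (tci & 0x0FFF) != vlan_id:
            return False
        off = 4
    if struct.unpack_from("!H", frame, 12 + off)[0] != ETH_P_IP:
        return False
    # The IPv4 protocol field is byte 9 of the IP header; the link header is 14 bytes
    return frame[14 + off + 9] == ip_proto


if __name__ == "__main__":
    untagged = build_frame()
    tagged = build_frame(vlan_id=23)
    print("untagged, 'ip proto icmp'      :", matches(untagged))
    print("tagged,   'ip proto icmp'      :", matches(tagged))
    print("tagged,   'vlan ip proto icmp' :", matches(tagged, expect_vlan=True))
    print("tagged,   'vlan 23 ip proto icmp':", matches(tagged, expect_vlan=True, vlan_id=23))
```

The third and fourth cases are the forms the answer recommends; the second case reproduces the "nothing at all" symptom from the question. The same shift applies to "dst host" and "dst port" tests, since those also read from offsets past the EtherType.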

Tags: Cisco Security

Similar Questions

  • How to display the file size in the Library module

    I must be missing something simple, but I can't find any way to display the file size in the Library. Help for this beginner would be much appreciated; thank you!

    Hi VickiC_Georgia,

    Please expand the Metadata panel in the Library module.

    Then select EXIF and IPTC rather than leaving the default.

    You can then view the file size.

    Kind regards

    Assani

  • Abuse of Smartnet in Afghanistan

    I want to know if CON-SU2-IDSBNK9 for WS-SVC-IDS2-BUN-K9 can be serviced in Kabul, Afghanistan, because it offers 8x5x4-hour Smartnet service.

    Hi John,

    You can validate the availability of existing services with the tool below:

    http://Tools.Cisco.com/apidc/Sam/search.do

    Please note that Afghanistan is mapped under the Europe, Middle East & Africa theatre.

    If you cannot find the location or the product you want to search on, please raise a case with SAM Administration. Please indicate the missing location or product in your request.

    Best regards

    Sandra

  • Problem with IDS in 6509

    Hello all.

    I have a problem with an IDS module.

    Here is the problem: the IDS module is in slot 5 with status "turned off"; when I run the command "activate mod 5" its status changes to "other".

    Information:

    Cisco 6509

    IOS: 12.2(18)SXF1

    IDS module information:

    HW:5.0

    WS-SVC-IDS2-BUN-K9

    Thanks.

    Jorge

    First of all, you may want to move this thread to the Security > Intrusion Prevention Systems/IDS community, which deals with questions about the Cisco IPS modules and appliances.

    Secondly, the problem may be hardware related. The first test would be to remove the module from the chassis for 20 minutes and then seat it firmly back in the chassis. If this does not resolve the issue, it would be best to open a service request with TAC so that additional tests can be performed.

    Scott

  • The K9 suffix - which encryption protocols does it imply?

    I need information about the encryption protocols in some products: IDS-4215-4FE-K9, K9-CISCOSB101, NFC-5.0-SW-K9, WS-C6509-E-FWM-K9, WS-SVC-IDS2-BUN-K9. They have the K9 suffix, which means strong encryption, but the product descriptions have no information on this subject.

    It uses SSH, which is part of the K9 image set.

  • How to display the size of a folder in My Computer or Windows Explorer?

    When you open My Computer or Windows Explorer, there is an option to display the 'Size', but it does not do so for folders, only for the files in the folders. How can I automatically see the sizes of whole folders without right-clicking and viewing the properties of each folder, or without having to open the folder?

    Hello

    Windows Explorer has never included the ability to display folder sizes.

    There are third-party add-ons that can do it. Use your favorite search engine to find them.

    Thank you for using Windows 7

    Ronnie Vernon MVP

  • What is the latest IOS version supported on the WS-SVC-FWM-1?

    Dear all,

    Is it possible to install the final IOS 4.1 series release with ASDM on the WS-SVC-FWM-1 firewall module?

    Please advise on the latest supported IOS version for the WS-SVC-FWM-1 firewall.

    Thanks in advance,

    Selva.

    Hi Selva,

    The FWSM uses a different operating system (not IOS), and the latest version is 4.1(15). You can go to the following URL:

    http://software.Cisco.com/download/release.html?mdfid=277413409&softwareid=280775068&release=4.1%2811%29

    Choose 4.1(15) and download it from there.

    The latest ASDM version is 6.2(3). You can download it here:

    http://software.Cisco.com/download/release.html?mdfid=277413409&softwareid=280775067&release=6.2%283%29F&relind=available&rellifecycle=&RelType=latest

    Thank you!

    Gerard

  • How to find, separate and convert hex strings streaming via the COM port?

    Hello

    I have an XBee wireless network set up with 3 sensors. One outputs 23 bytes at 20 Hz, the other two output 46 bytes at 1 Hz. The data arrives correctly at the computer and I can see the stream in my basic serial read VI (attached). In my XCTU software (the terminal program that comes with the wireless nodes), the console displays the received packets:

    22/08/2016 13:36:04.196, 6126, RECV, 7E00178100002B00205A203030303230207A2030303031350D0A00
    22/08/2016 13:36:04.252, 6127, RECV, 7E00178100002B00205A203030303230207A2030303031350D0A00
    22/08/2016 13:36:04.296, 6128, RECV, 7E00178100002B00205A203030303230207A2030303032300D0A04
    22/08/2016 13:36:04.346, 6129, RECV, 7E00178100002C00205A203030303230207A2030303032320D0A01
    22/08/2016 13:36:04.346, 6130, RECV, 7E00178100002F00205A203030303230207A2030303032320D0AFE
    22/08/2016 13:36:04.436, 6131, RECV, 7E002E81000032004F20303230362E332054202B32352E38205020313031382025203032302E3237206520303030300D0AC4
    22/08/2016 13:36:04.436, 6132, RECV, 7E00178100003200205A203030303230207A2030303032300D0AFD
    22/08/2016 13:36:04.486, 6133, RECV, 7E00178100003600205A203030303230207A2030303031350D0AF5
    22/08/2016 13:36:04.536, 6134, RECV, 7E002E81000032004F20303230362E362054202B32362E38205020313031392025203032302E3237206520303030300D0ABF
    22/08/2016 13:36:04.596, 6135, RECV, 7E00178100003800205A203030303139207A2030303030380D0AE9
    22/08/2016 13:36:04.596, 6136, RECV, 7E00178100003300205A203030303138207A2030303030380D0AEF
    22/08/2016 13:36:04.652, 6137, RECV, 7E00178100003100205A203030303139207A2030303032320D0AF4
    22/08/2016 13:36:04.652, 6138, RECV, 7E00178100002F00205A203030303139207A2030303032340D0AF4
    22/08/2016 13:36:04.738, 6139, RECV, 7E00178100002F00205A203030303139207A2030303032310D0AF7
    22/08/2016 13:36:04.786, 6140, RECV, 7E00178100003000205A203030303139207A2030303032300D0AF7
    22/08/2016 13:36:04.836, 6141, RECV, 7E00178100003200205A203030303139207A2030303032320D0AF3
    22/08/2016 13:36:04.886, 6142, RECV, 7E00178100003200205A203030303139207A2030303031380D0AEE
    22/08/2016 13:36:04.946, 6143, RECV, 7E00178100003200205A203030303139207A2030303031330D0AF3
    22/08/2016 13:36:04.996, 6144, RECV, 7E00178100002E00205A203030303138207A2030303031310D0AFA
    22/08/2016 13:36:05.046, 6145, RECV, 7E00178100002C00205A203030303138207A2030303031360D0AF7
    22/08/2016 13:36:05.096, 6146, RECV, 7E00178100002C00205A203030303139207A2030303032350D0AF6
    22/08/2016 13:36:05.146, 6147, RECV, 7E00178100002E00205A203030303138207A2030303031340D0AF7
    22/08/2016 13:36:05.146, 6148, RECV, 7E00178100002F00205A203030303138207A2030303031330D0AF7
    22/08/2016 13:36:05.236, 6149, RECV, 7E00178100003000205A203030303138207A2030303032300D0AF8
    22/08/2016 13:36:05.286, 6150, RECV, 7E00178100003300205A203030303138207A2030303032320D0AF3
    22/08/2016 13:36:05.346, 6151, RECV, 7E00178100003700205A203030303138207A2030303031360D0AEC
    22/08/2016 13:36:05.396, 6152, RECV, 7E00178100003900205A203030303138207A2030303031320D0AEE
    22/08/2016 13:36:05.446, 6153, RECV, 7E002E81000032004F20303230362E332054202B32352E38205020313031382025203032302E3237206520303030300D0AC4
    22/08/2016 13:36:05.446, 6154, RECV, 7E00178100002A00205A203030303138207A2030303031360D0AF9
    22/08/2016 13:36:05.506, 6155, RECV, 7E00178100002600205A203030303138207A2030303032320D0A00
    22/08/2016 13:36:05.506, 6156, RECV, 7E00178100002300205A203030303138207A2030303031380D0AFE
    22/08/2016 13:36:05.566, 6157, RECV, 7E002E8100002E004F20303230362E362054202B32362E37205020313031392025203032302E3237206520303030300D0AC4

    Since it is an endless stream of hex strings, how can I isolate each of them so that I can then convert them to their digital sensor values to plot, display, etc.?
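The RECV lines above are XBee API frames: a 0x7E start delimiter, a 16-bit big-endian length, the frame data (here API id 0x81, a 16-bit source address, an RSSI byte, an options byte and the ASCII payload), and a checksum byte chosen so that the frame data plus the checksum sums to 0xFF modulo 256. That structure is what lets you cut an endless byte stream into individual frames, and the checksum lets you resynchronise after a dropped byte. The parser below is an added example, not code from the original post or from the XBee vendor; it feeds three of the frames shown above (copied from the console output, the rest of the lines are omitted) through a streaming parser in arbitrary chunk sizes, drops any frame whose checksum fails, and splits the payload into label/value pairs. Pairing each single-character label with the number that follows it is an assumption drawn from the visible payload format ("Z 00020 z 00015"); the meaning of the labels is not known from the post.

```python
START = 0x7E
API_RX_16 = 0x81  # "RX packet, 16-bit source address" frame type

# Three RECV payloads copied from the XCTU console output above, concatenated as
# they would arrive on the serial port (the remaining lines are left out here).
CAPTURE_HEX = (
    "7E00178100002B00205A203030303230207A2030303031350D0A00"
    "7E00178100002B00205A203030303230207A2030303032300D0A04"
    "7E002E81000032004F20303230362E332054202B32352E38205020313031382025203032302E3237206520303030300D0AC4"
)


def checksum_ok(frame_data, checksum):
    """XBee API checksum: 0xFF minus the low byte of the sum of the frame data."""
    return (sum(frame_data) + checksum) & 0xFF == 0xFF


def split_values(payload):
    """Assumed payload layout: alternating one-token labels and numeric values."""
    tokens = payload.split()
    values = {}
    for label, number in zip(tokens[0::2], tokens[1::2]):
        try:
            values[label] = float(number)
        except ValueError:
            values[label] = number  # keep non-numeric tokens as text
    return values


def decode(frame_data):
    """Turn validated frame data into a dict; only the 0x81 RX frame is decoded fully."""
    api_id = frame_data[0]
    if api_id != API_RX_16:
        return {"api_id": api_id, "raw": frame_data[1:]}
    payload = frame_data[5:].decode("ascii", errors="replace").strip()
    return {
        "api_id": api_id,
        "source": int.from_bytes(frame_data[1:3], "big"),
        "rssi_dbm": -frame_data[3],   # RSSI byte is the magnitude in -dBm
        "options": frame_data[4],
        "payload": payload,
        "values": split_values(payload),
    }


class XBeeFrameParser:
    """Accumulates serial bytes and yields complete frames, however the chunks are cut."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk):
        self.buf.extend(chunk)
        frames = []
        while True:
            start = self.buf.find(bytes([START]))
            if start < 0:
                self.buf.clear()          # no delimiter at all: nothing worth keeping
                break
            if start > 0:
                del self.buf[:start]      # discard noise before the delimiter
            if len(self.buf) < 3:
                break                     # length field not yet complete
            length = int.from_bytes(self.buf[1:3], "big")
            total = 3 + length + 1        # delimiter + length + data + checksum
            if len(self.buf) < total:
                break                     # wait for the rest of this frame
            data = bytes(self.buf[3:3 + length])
            if checksum_ok(data, self.buf[3 + length]):
                frames.append(decode(data))
                del self.buf[:total]
            else:
                del self.buf[:1]          # corrupt frame: resync at the next 0x7E
        return frames


def parse_capture(hex_string, chunk_size=None):
    """Parse a hex capture either in one go or in fixed-size chunks (simulating serial reads)."""
    raw = bytes.fromhex(hex_string)
    parser = XBeeFrameParser()
    if chunk_size is None:
        return parser.feed(raw)
    frames = []
    for i in range(0, len(raw), chunk_size):
        frames.extend(parser.feed(raw[i:i + chunk_size]))
    return frames


if __name__ == "__main__":
    for frame in parse_capture(CAPTURE_HEX, chunk_size=7):
        print(frame["source"], frame["rssi_dbm"], frame["values"])
```

Because the parser keys on the length field and verifies the checksum, a frame that arrives split across two serial reads is assembled correctly, and a corrupted byte costs only that one frame rather than desynchronising everything after it.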


  • Upgrade IDSM2 5,0000 S225 to 5.1 using the application partition

    Can I upgrade an IDSM2 (WS-SVC-IDSM2-BUN) in a 6513 from 5,0000 S225 to 5.1 by copying the 5.1 application partition onto the sensor?

    [Correction from the Cisco user guide]

    Chapter 10 Configuring the Sensor Using the CLI

    Available Modules and Appliances

    Reimaging the IDSM-2

    This section contains the following topics:

    Catalyst Software, page 10-124

    Cisco IOS Software, page 10-126

    Catalyst Software

    To reimage the application partition, follow these steps:

    Step 1 Obtain the application partition file from the Software Center on Cisco.com and copy it to an FTP server.

    Step 2 Log in to the switch CLI.

    Step 3 Boot the IDSM-2 into the maintenance partition:

    cat6k> (enable) reset module_number cf:1

    Step 4 Log in to the maintenance partition CLI:

    Login: guest

    Password: cisco

    Step 5 Reimage the application partition (the prompt hostname was lost in the original post and is shown as a placeholder):

    guest@<hostname># upgrade ftp://user@<ftp server IP>/<directory path>/<image file>

    Step 6 Specify the FTP server password.

    After the application partition file has been downloaded, you are asked if you want to proceed:

    The upgrade will wipe the contents of the hard drive. Do you want to continue installing [y|n]:

    Step 7 Type y to continue.

    When the application partition file has been installed, you are returned to the maintenance partition CLI.

    Step 8 Exit the maintenance partition CLI and return to the switch CLI.

    Step 9 Reboot the IDSM-2 into the application partition:

    cat6k> (enable) reset module_number hdd:1

    Step 10 When the IDSM-2 has rebooted, check the software version.

    Step 11 Log in to the application partition CLI and initialize the IDSM-2.

    For the procedure, see Initializing the Sensor, page 10-2.

    IF NOT, IS THERE A SHORTCUT FROM 4.1 TO 5.1?

    I was in the middle of editing my answer when this came in; check again. There is the question of whether the maint. partition must be upgraded, and I have identified the patches and signature level to apply afterwards.

  • IDS-4215 - 3725 no link

    Good day everyone! I read all the Cisco guides, but I cannot understand why I encounter the following problem:

    1. I have a 4215 in inline mode.

    2. A Windows host with 10.0.3.1/24, 10.0.3.254 (ip\mask, gateway) is on the fa0/1 interface, and a Cisco 3725 is on the fa1/0 port of the sensor.

    3. I have the following configuration on the Cisco 3725 interface:

    !

    interface FastEthernet2/12

    switchport access vlan 23

    !

    interface Vlan23

    ip address 10.0.3.254 255.255.255.0

    ip access-group IDS_vlan23_out_1 out

    ip nat inside

    ip virtual-reassembly

    !

    4. The sensor has the following configuration:

    ----

    inline-interfaces pair-0

    no description

    interface1 FastEthernet0/1

    interface2 FastEthernet1/0

    ----

    service analysis-engine

    virtual-sensor vs0

    logical-interface pair-0

    ------

    5. If I run 'packet display FastEthernet0/1' or 'packet display FastEthernet1/0' on the sensor, I see the same thing:

    Cisco 3725 OSPF Hello traffic:

    -------------------------------

    18:57:32.329981 802.1d config 8000.00:0b:46:fc:95:50.805d root 8000.00:0b:46:fc:95:50 pathcost 0 age 0 max 20 hello 2 fdelay 15

    --------------------------------

    BUT! The problem is that I do not have a physical link on my Windows host (the red cross on the network connection icon at the lower right of the taskbar).

    Can someone please give me a tip on what I did wrong?

    Thanks in advance!

    What type of cable are you using to connect the host to the sensor?

    Are you using a crossover cable?

    On 10/100 ports, a crossover cable is required for the connection of 2 hosts.

    When you plan the wiring, remember that the IDS-4215 acts as an end host (like a router) rather than a switch or a hub.

    Normally the crossover is inside the switch or hub, so a straight-through cable is used when connecting a host to a switch or hub. BUT when connecting a host to a host (or sensor or router) the crossover must be external, using a crossover cable.

    If you are already using a crossover cable, the next thing to determine is whether there is a problem with the speed and duplex negotiation.

    You could try hard-coding both the host and the sensor to use 100 Mbps full duplex. By hard-coding both sides, you won't have to worry about auto-negotiation.

    NOTE: If you use 10/100/1000 interfaces on the host and the sensor, you could probably use a straight-through cable. When negotiating 1 Gbit/s, network cards can detect the difference between a straight-through and a crossover cable and adjust to either type in most cases.

    BUT most 10/100 interfaces generally do not have this capability and require a crossover cable when connecting host to host.

  • IDSM2 license installation error

    Hello

    I am facing a problem applying licenses on 2 different WS-SVC-IDSM2-BUN (installed in base switches). I get the attached error.

    I tried using both the CLI and the GUI, same thing. I even contacted Cisco licensing and they sent me the license files themselves, but still the same problem. Any idea why the license installation fails? I tried checking for bugs, but none match.

    Thank you

    E.B.

    Hi, try downloading the license using the 'IPS 6.x and earlier' link (although you have 7.x), given that this link requires no PID and the downloaded license will be tied only to the SN of your IPS without its PID.

  • Check the IPS configuration

    I am very new to Cisco IPS and have configured an ASA 5510 with the SSM-10 IPS module. We have a trunk interface with multiple VLANs on it. I installed the IPS, to the best of my ability, and I think it is okay, as inline does not work in an active/standby ASA configuration. Is it possible to check that traffic flows properly to this IPS module? Also, I mention the setup because this version of the IPS, if I understand correctly, will not allow VLAN pairs, so when I set the policy to inspect all traffic, is that traffic inspected between all the VLANs? Another mystery: when I looked at my IPS interfaces (management and the other one), the one not configured as management shows 'Unpaired'.

    I know that is a lot, so let me summarize:

    - How can I check that my setup works as intended, where all traffic between all the VLANs is inspected?

    - Why is my interface showing 'Unpaired'?

    - Looking through all of the Cisco documentation, I noticed the mention of "contexts"; I don't see any reference to these contexts within IDM. It's just for my knowledge, but may be necessary for the installation... I don't know.

    Thank you!

    Hello Mote,

    With regard to your questions:

    - How can I check that my setup works as intended, where all traffic between all the VLANs is inspected?

    Since you are using an IPS module, traffic that matches the class configured on the ASA is subject to inspection. You can configure a capture on the dataplane interface (the interface the ASA uses to send traffic to the IPS) using this command:

    capture ips int asa_dataplane buffer 15000000

    Check the capture using:

    show capture ips

    The output should display packets for each VLAN.

    - Why is my interface showing 'Unpaired'?

    The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP and ASA 5585-X IPS SSP) do not support inline VLAN pairs.

    You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair. Because the module has only one sensing interface, it is shown as Unpaired.

    The documentation speaks of "security contexts". You can partition a single ASA into several virtual devices, called security contexts. Each context is an independent device with its own security policy, interfaces, and administrators. Multiple contexts resemble having several stand-alone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management.

    Please rate the answer if you find it useful.

  • IDSM-2 show version / disk space

    I have an IDSM2 in a Cat65XX. When I session into it and do a show version I see the following:

    OS Version 2.4.18-5-phoenix

    Platform: WS-SVC-IDSM2-BUN

    Sensor uptime is 25 minutes.

    Using 389292032 out of 1979682816 bytes of available memory (19% usage)

    Using 758M out of 17G bytes of available disk space (5% usage)

    My questions are: what is using 758M of disk space, and how do I clear it?

    Thank you

    -Jeff

    The disk usage you see is for storage of the sensor's EventStore (sort of an alert database) and the IpLogs, and may also include storage of backup files from a prior upgrade (so you can downgrade later).

    The EventStore uses up to 4 gigs (the 4 gigs are pre-allocated and then filled as needed). When the 4 gigs are full, the sensor will automatically overwrite the oldest alerts with the latest alerts, so it is not necessary to manually delete anything.

    A large difference in disk usage between 2 sensors is probably due to the number of alarms stored in the EventStore. If one sensor was freshly imaged and another sensor has been running for several weeks, then the freshly imaged sensor is not using all 4 gigs yet. The other sensor has probably already filled its 4 gigs and is already overwriting older alarms with the most recent alarms.

    If you want to delete old alert data, you can run "clear events" in the CLI. This may not, however, free the disk space of those past events. It usually just marks those past events as deleted.

    The IpLogs use 512 megs that are also pre-allocated by the system. New IpLogs will automatically overwrite older IpLogs, so it is not necessary to manually delete anything on the system (in fact there is no command supplied for removing IpLogs on the system).

    Storage of backup data is automatic, and the installer always checks that enough disk space exists for the backup to occur. The CLI provides no way to delete the backup files.

    So you see that all of this space is managed by the system internally. There is no reason for the user to delete any data or to try to manage disk space. On some of the other platforms with less disk storage, the usage percentage could be quite high even under normal conditions.

    So even very high disk usage is not cause for concern, and there is nothing that the user should do under normal circumstances (doing something could actually cause a problem on the sensor).

    It is only when another problem is seen on the sensor that disk usage becomes a matter of concern. The user would contact TAC, and the development team would look at disk usage and other factors for possible clues as to what might be happening. While guided by TAC engineers and developers, the user may be asked to enter the service account and do some manual diagnosis and possibly maintenance.

    The only way to really clear the disk usage is to re-image the sensor. The new image will reformat the hard drive and install a new OS and new IDS application files. The EventStore will start back at size 0 and build up to 4 gigs over time. This re-image, however, is never really necessary unless a major problem or file corruption is seen on the sensor.

  • Calculation in forms

    I have been working on an interactive brochure for days now.

    Basically someone fills in the form with the packages they want for their apartment, and each selection of a checkbox or radio button adds to the total at the bottom of the list.

    I have the following:

    Packages - DISPLAYS TOTAL OF PACKAGES

    Additions - DISPLAYS TOTAL OF ADDITIONS

    Household items - DISPLAYS TOTAL FOR HOUSEWARES

    Subtotal - DISPLAYS TOTAL of packages, additions, and household items.

    WAIVER - this is a 12% waiver to be ADDED to the rent price. It is: (.12)(Subtotal)

    Monthly base rent - waiver + subtotal

    The problem I have is that I cannot get the total to show both the waiver and the subtotal.

    When someone makes a selection it shows in the total of THAT section, but then it does not calculate the subtotal, waiver and total.

    When it is deselected, it shows the waiver, subtotal and total but NOT the total for that section.

    I am just trying to get all the calculations to display at the same time.

    Help!

    Make sure that your field calculation order is correct (Forms - Edit - Edit Field Calculation Order).

    The total should appear last in the list.

  • Jumbo frame size and Coherence?

    Has anyone tried a network set up with a large (jumbo) frame size using Coherence? We have a network that supports packets up to 9k, but before I spend the time to try it I would like to know if someone already has experience with the performance gains (if any) as well as the configuration parameters that must (or should preferably) be modified to take advantage of the frame size...

    Best regards
    Magnus

    Hi Magnus,

    In my experience it's useless on gigabit networks, as Coherence is capable of maxing out the NIC even with the standard frame size. If you want to enable Coherence to generate larger packets, please visit http://wiki.tangosol.com/display/COH35UG/packet-size

    Thank you

    Mark | Oracle Coherence