Table Of Contents
Using Detector Module Diagnostics Tools
Displaying the Detector Module Configuration
Displaying Detector Module Zones
Displaying Zone Counters
Displaying the Zone Status
Displaying Detector Module Logs
Managing Online Event Logs
Displaying Online Event Logs
Exporting Online Event Logs
Managing the Log File
Displaying the Log File
Exporting the Log File
Clearing the Log File
Monitoring Network Traffic and Extracting Attack Signatures
Configuring the Detector Module to Automatically Record Traffic
Activating the Detector Module to Manually Record Traffic
Stopping the Detector Module from Manually Recording Traffic
Displaying Manual Packet-Dump Settings
Exporting Packet-Dump Capture Files Automatically
Exporting Packet-Dump Capture Files Manually
Importing Packet-Dump Capture Files
Displaying Packet-Dump Capture Files
Generating Attack Signatures from Packet-Dump Capture Files
Copying Packet-Dump Capture Files
Deleting Packet-Dump Capture Files
Displaying General Diagnostics Data
Displaying Memory Consumption
Displaying the CPU Utilization
Managing the ARP Cache
Displaying Network Statistics
Using Traceroute
Verifying Connectivity
Obtaining Debug Information
Using Detector Module Diagnostics Tools
This chapter describes how to display statistics and diagnostics on the Cisco Traffic Anomaly Detector Module (Detector module) and contains the following sections:
• Displaying the Detector Module Configuration
• Displaying Detector Module Zones
• Displaying Zone Counters
• Displaying the Zone Status
• Displaying Detector Module Logs
• Monitoring Network Traffic and Extracting Attack Signatures
• Displaying General Diagnostics Data
• Displaying Memory Consumption
• Displaying the CPU Utilization
• Managing the ARP Cache
• Displaying Network Statistics
• Using Traceroute
• Verifying Connectivity
• Obtaining Debug Information
Displaying the Detector Module Configuration
You can display the Detector module configuration file, which includes information relating to the Detector module configuration such as interface IP addresses, default Gateway address, and configured zones.
To display the Detector module configuration file, enter the following command:
show running-config [all | Detector module | interfaces interface-name | self-protection | zones]
Table 10-1 provides the arguments and keywords for the show running-config command.
Table 10-1 Arguments and Keywords for the show running-config Command
Parameter | Description
all | Displays the configuration files of all Detector module functions (Detector module, zones, interfaces, and self-protection).
Detector module | Displays the Detector module configuration file.
interfaces interface-name | Displays the configuration file of the Detector module interfaces. Enter the interface name.
zones | Displays the configuration files of all zones.
The following example shows how to display the Detector module configuration file:
user@DETECTOR# show running-config detector
The configuration file consists of the commands that you enter to configure the Detector module with the current settings. You can export the Detector module configuration file to a remote FTP server for backup purposes or for implementing the Detector module configuration parameters on another Detector module. See the "Displaying Detector Module Zones" section for more information.
Displaying Detector Module Zones
You can display an overview of the zones to see which zones are active and what their current status is by entering the show command in global mode.
Table 10-2 describes the different zone statuses.
Table 10-2 Zone Status
Status | Description
Auto detect mode | Zone anomaly detection is enabled, and the dynamic filters are activated without user intervention. The Detector module displays (+learning) next to the zone name if zone anomaly detection is enabled and the Detector module is learning zone traffic characteristics for policy threshold tuning.
Interactive detect mode | The zones are in interactive detect mode, and the dynamic filters are activated manually.
Threshold Tuning phase | The zones are in the threshold tuning phase. The Detector analyzes the zone traffic and defines thresholds for the policies that were constructed during the policy construction phase of the learning process.
Policy Construction phase | The zones are in the policy construction phase, and the zone policies are created.
Standby | The zones are not active.
The following example shows how to display an overview of the Detector module zones:
Displaying Zone Counters
To display the zone counters and analyze zone traffic you can use the following commands:
• show rates—Displays the average traffic rate of the received counter.
• show rates details—Displays the average traffic rate of the received counter.
• show rates history—Displays the average traffic rate of the received counter for every minute in the past 24 hours.
• show counters—Displays the received counter.
• show counters details—Displays the received counter.
• show counters history—Displays the value of the received counter for every minute in the past hour.
The rate units are in bps and in pps.
Note
Zone rates are available only when you enable zone anomaly detection or activate the learning process.
The Detector module measures the total traffic and computes the average traffic rate. A rate with the value of cleared indicates a time when zone anomaly detection was not enabled.
The counters units are in packets and in Kilobits. The counters are set to zero when you activate zone detection.
Table 10-3 displays the Detector module counters.
Table 10-3 Detector Module Counters
Counter | Description
Received | The total packets, destined to the zone, that were handled by the Detector module.
The following example shows how to display the Detector module counters:
admin@GUARD-conf-zone-scannet# show rates
Displaying the Zone Status
To display an overview of the zone and its current status, use the show command in zone configuration mode. The overview includes the following information:
• Zone status—Indicates operation state. The operation state can be one of the following: protect mode, protect and learning mode, threshold tuning mode, policy construction mode, or inactive.
• Zone basic configuration—Describes the basic zone configuration, such as automatic or interactive detect mode, thresholds, timers, and IP addresses. See the "Configuring Zone Attributes" section for more information.
• Zone filters—Includes the flex-content filter configuration, and the number of active dynamic filters. If the zone is in interactive detect mode, the overview displays the number of recommendations. See the "Configuring Flex-Content Filters" section and the "" section for more information.
• Zone traffic rates—Displays the zone legitimate and malicious traffic rates. See the "Displaying Zone Counters" section for more information.
The following example shows how to display the zone status:
user@DETECTOR-conf-zone-scannet# show
Displaying Detector Module Logs
The Detector module automatically logs system activity and events. You can display the Detector module logs to review and track the Detector module activity.
Table 10-4 displays the event log levels.
Table 10-4 Event Log Levels
Event Level | Numeric code | Description
Emergencies | 0 | System is unusable.
Alerts | 1 | Immediate action required.
Critical | 2 | Critical condition.
Errors | 3 | Error condition.
Warnings | 4 | Warning condition.
Notifications | 5 | Normal but significant condition.
Informational | 6 | Informational messages.
Debugging | 7 | Debugging messages.
The log file displays all log levels (emergencies, alerts, critical, errors, warnings, notification, informational, debugging). The Detector module log file includes zone events with severity levels: emergencies, alerts, critical, errors, warnings, and notifications.
You can display the event log locally or from a remote server. The following sections describe these topics:
• Displaying Online Event Logs
• Managing the Log File
Managing Online Event Logs
This section describes how to manage the Detector module real-time logging of events and contains the following topics:
• Displaying Online Event Logs
• Exporting Online Event Logs
Displaying Online Event Logs
You can activate the Detector module monitoring feature and display a real-time event log, which enables you to view the online logging of the Detector module events. To display the online event logs, enter the following command:
event monitor
The following example shows how to activate the monitoring feature:
user@DETECTOR# event monitor
The screen constantly updates to show new events.
Note
To deactivate the monitoring function, use the no event monitor command.
Exporting Online Event Logs
You can export the Detector module online event logs to display the Detector module operations that are registered in the log file, and to display the Detector module events from a remote host while they are registered in the Detector module log file. The Detector module log file is exported using the syslog mechanism. You can export the Detector module log file to several syslog servers and specify additional servers so that if one goes offline, another is available to receive messages.
The online Detector module log export function is applicable with a remote syslog server only. If a remote syslog server is not available, use the copy log command to export the Detector module log information to a file.
The following is an example of a logging event:
Sep 11 16:34:40 10.4.4.4 cm: scannet, 5 threshold-tuning-start: Zone activation completed successfully.
The system log message syntax is as follows:
event-date event-time Guard-IP-address protection-level zone-name event-severity-level event-type event-description
To export online event logs, perform the following steps:
Step 1
(Optional) Configure the logging parameters by entering the following command in configuration mode:
logging {facility | trap}
Table 10-5 provides the keywords for the logging command.
Table 10-5 Keywords for the logging Command
Parameter | Description
facility | The export syslog facility. The remote syslog server uses logging facilities to filter events. For example, the logging facility allows the remote user to receive the Detector module events in one file and use another file for events from other networking devices. The available facilities are local0 through local7. The default is local4.
trap | The severity level of the syslog traps sent to the remote syslog. Trap levels of lower severity include levels of higher severity. For example, if the trap level is set to warning, then error, critical, alerts, and emergencies are also sent. The available trap levels from the highest to the lowest severity level are emergencies, alerts, critical, errors, warnings, notification, informational, debugging. The default is notification.
Note
To receive events about the addition and removal of dynamic filters, change the trap level to informational.
Step 2
Configure the remote syslog server IP address by entering one of the following commands:
• logging host remote-syslog-server-ip
• export log remote-syslog-server-ip
The remote-syslog-server-ip argument specifies the remote syslog server IP address.
To build a list of syslog servers that receive logging messages, enter the logging host command or the export log command more than once.
The following example shows how to configure the Detector module to send traps from severity level notification, using the facility local3, to a syslog server with IP address 10.0.0.191:
user@DETECTOR-conf# logging facility local3
user@DETECTOR-conf# logging trap notifications
user@DETECTOR-conf# logging host 10.0.0.191
To view the export online event logs configuration, use the show logging command or the show log export-ip command.
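An added example, not from the Cisco guide: it parses lines in the system log message syntax described above and applies the Table 10-5 trap-level rule (a trap level also admits every more severe level) so a collector can check what a given logging trap setting would forward. Apart from the guide's own sample line, the log lines and the event-type names in them are constructed.

```python
"""Parse and filter Detector module syslog events (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Numeric codes and level names from Table 10-4.
LEVEL_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_CODES = {name: code for code, name in LEVEL_NAMES.items()}

# Syntax: event-date event-time Guard-IP-address protection-level zone-name
#         event-severity-level event-type event-description
# The guide's sample line carries ':' after protection-level and event-type and
# ',' after zone-name; the pattern accepts those separators when present.
_LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<level>\S+?):? "
    r"(?P<zone>\S+?),? (?P<sev>[0-7]) (?P<etype>\S+?):? (?P<desc>.*)$"
)


@dataclass
class DetectorEvent:
    date: str
    time: str
    guard_ip: str
    protection_level: str
    zone: str
    severity: int
    event_type: str
    description: str

    @property
    def severity_name(self) -> str:
        return LEVEL_NAMES[self.severity]


def parse_event(line: str) -> Optional[DetectorEvent]:
    """Return a DetectorEvent for a well-formed line, or None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return DetectorEvent(m["date"], m["time"], m["ip"], m["level"], m["zone"],
                         int(m["sev"]), m["etype"], m["desc"])


def passes_trap_level(event: DetectorEvent, trap_level: str = "notifications") -> bool:
    """Table 10-5 semantics: trap level N forwards every event whose code is <= N."""
    return event.severity <= LEVEL_CODES[trap_level]


def filter_events(lines: Iterable[str], trap_level: str = "notifications",
                  zone: Optional[str] = None) -> List[DetectorEvent]:
    """Keep parseable events that a syslog server would receive at trap_level (optionally one zone)."""
    kept = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or (zone is not None and ev.zone != zone):
            continue
        if passes_trap_level(ev, trap_level):
            kept.append(ev)
    return kept


# Constructed sample: the guide's example line, then invented lines (event types are made up).
SAMPLE_LOG = """\
Sep 11 16:34:40 10.4.4.4 cm: scannet, 5 threshold-tuning-start: Zone activation completed successfully.
Sep 11 16:35:02 10.4.4.4 cm: scannet, 6 dynamic-filter-add: (constructed) dynamic filter added.
Sep 11 16:36:10 10.4.4.4 cm: webzone, 1 attack-detected: (constructed) anomaly detected.
garbage line that does not match
"""

if __name__ == "__main__":
    # With the default trap level (notification), the informational line is not forwarded.
    for ev in filter_events(SAMPLE_LOG.splitlines()):
        print(ev.time, ev.zone, ev.severity_name, ev.event_type, ev.description)
```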
Managing the Log File
This section describes how to manage the Detector module log file and contains the following topics:
• Displaying the Log File
• Exporting the Log File
• Clearing the Log File
Displaying the Log File
You can display the Detector module log for diagnostic or monitoring purposes. The Detector module log file includes zone events with these severity levels: emergencies, alerts, critical, errors, warnings and notification.
To display the Detector module log, enter the following command in global mode:
show log
The following example shows how to display the Detector module log:
You can display a zone log to display events that relate to the specified zone only.
To view the zone log, use the show log command in zone configuration mode.
Exporting the Log File
You can export the Detector module log file to an FTP or SFTP server for monitoring or diagnostic purposes by entering one of the following commands in global mode:
• copy [zone zone-name] log ftp server full-file-name [login [password]]
• copy [zone zone-name] log sftp server full-file-name login
Note
You must configure the SSH key that the Detector module uses for SFTP communication before you enter the copy log sftp command. See the "Configuring the Key for SFTP Connections" section for more information.
Table 10-6 provides the arguments and keywords for the copy log ftp command.
Table 10-6 Arguments and Keywords for the copy log ftp Command
Parameter | Description
zone zone-name | (Optional) The zone name. Exports the zone log file. The default is to export the Detector module log file.
ftp | Export the logs to an FTP server.
sftp | Export the logs to an SFTP server.
server | The IP address of the server.
remote-path | The complete name of the file. If you do not specify a path, the server saves the file in your home directory.
login | The server login name. The login argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
password | (Optional) The password for the remote FTP server. If you do not insert the password the Detector module prompts you for it.
The following example shows how to export the Detector module log file to an FTP server:
user@DETECTOR# copy log ftp 10.0.0.191 log.txt <user> <password>
Clearing the Log File
You can clear the Detector module or zone log file if it is large or if you are going to perform testing and want to be sure that the log file includes information from the testing session only.
To clear the Detector module or zone log file of all entries, enter the following command in configuration mode or in zone configuration mode:
clear [zone zone-name] log
The zone-name argument specifies the zone name. The default is to clear the Detector module log file. When you enter the clear log command from zone configuration mode, do not use the zone zone-name keyword and argument. To clear the current zone log of all entries, use the clear log command in zone configuration mode.
The following example shows how to clear the Detector module log:
user@DETECTOR-conf# clear log
Monitoring Network Traffic and Extracting Attack Signatures
You can configure the Detector module to record traffic directly from the network through non-intrusive taps and create a database from the recorded traffic. By querying the recorded traffic database you can analyze past events, generate signatures of an attack, or compare current network traffic patterns with traffic patterns that the Detector module recorded previously under normal traffic conditions.
You can configure filters so that the Detector module records only traffic that meets certain criteria or you can record all traffic data and filter the traffic that the Detector module displays.
The Detector module saves the traffic in PCAP format, which is compressed and encoded by the "gzip" (GNU zip) program, with an accompanying file in Extensible Markup Language (XML) format that describes the recorded data.
An important use of the recorded traffic is to determine if there are any common patterns, or signatures, that appear in the payload of recorded attack packets. The Detector module is capable of analyzing the recorded traffic and extracting signatures. Using the signature, you can configure a flex-content filter to block all traffic containing packet payloads that match the signature.
The Detector module can record traffic in two ways:
• Automatically—Continuously records traffic data in packet-dump capture files. New packet-dump capture files replace the previous ones. To save previous packet-dump capture files, you must export them to an FTP or an SFTP server.
• Manually—Records traffic in packet-dump capture files when activated by you. New packet-dump capture files replace previous ones. To save the recorded traffic, export the packet-dump capture files to an FTP or an SFTP server before you activate the Detector module to record traffic again.
You can activate only one manual packet-dump capture at a time for a zone, but you can activate the manual packet-dump capture and the automatic packet-dump capture simultaneously. The Detector module can manually record traffic for up to 4 zones simultaneously.
The Detector module allocates, by default, 20 MBytes disk space for manual packet-dump capture files of all zones. It can save up to 80 MB of manual and automatic packet-dump capture files of all zones. Delete old files to free disk space for additional packet-dump capture files.
This section contains the following topics:
• Configuring the Detector Module to Automatically Record Traffic
• Activating the Detector Module to Manually Record Traffic
• Stopping the Detector Module from Manually Recording Traffic
• Displaying Manual Packet-Dump Settings
• Exporting Packet-Dump Capture Files Automatically
• Exporting Packet-Dump Capture Files Manually
• Importing Packet-Dump Capture Files
• Displaying Packet-Dump Capture Files
• Generating Attack Signatures from Packet-Dump Capture Files
• Copying Packet-Dump Capture Files
• Deleting Packet-Dump Capture Files
Configuring the Detector Module to Automatically Record Traffic
You can activate the Detector module to automatically record network traffic so that you have traffic records that you can analyze, or compare to, if a network problem or an attack occurs. By using packet-dump capture filters, you can configure the Detector module to record only the traffic that meets the criteria you specify. You can also record all traffic and apply packet-dump capture filters to the recorded traffic when you view it.
The Detector module records traffic in a capture buffer. When the capture buffer size reaches 50 MB, or after 10 minutes have elapsed, the Detector module saves the buffered information to a local file in a compressed format, clears the buffer, and then continues recording traffic.
The Detector module saves multiple automatic packet-dump capture files. It divides the recorded traffic based on the way it handled the traffic, so you might have more than one automatic packet-dump capture file from a single time frame. The name of the automatic packet-dump capture file provides information about when the Detector module recorded the traffic and how it handled the traffic.
Table 10-7 describes the sections of the automatic packet-dump capture filename.
Table 10-7 Sections of the Automatic Packet-Dump Capture Filename
Section | Description
Function | The type of Detector module function performed at the time of the packet-dump capture: protect—The Detector module recorded the traffic during zone anomaly detection; learn—The Detector module recorded the traffic during the zone learning process or the detect and learning process.
Capture start time | The time that the Detector module started recording the traffic.
Capture end time | (Optional) The time that the Detector module finished recording the traffic. If the Detector module is currently recording the traffic to the file, the end time is not displayed.
Dispatch | The method that the Detector module used to handle the traffic. The Detector module uses the following method: dropped—The Detector module received traffic. The Detector module does not forward traffic, so it is dropped.
The Detector module saves one packet-dump capture file from the learning process. The Detector module saves the following two types of packet-dump capture files when zone protection is enabled:
• Traffic from the previous 10 minutes
• Current traffic
When you activate zone detection or activate the Detector module to automatically record network traffic, the Detector module erases all previous packet-dump capture files that were recorded during the detection process and creates new ones.
To configure the Detector module to automatically record network traffic, perform the following steps:
Step 1
Configure the Detector module to automatically record zone traffic. Enter the following command in zone configuration mode:
packet-dump auto-capture
Step 2
(Optional) To create a packet-dump capture database, export the packet-dump capture files to an FTP or an SFTP server. Because new packet-dump capture files replace the previous ones, you must export the files to build the database.
See the "Exporting Packet-Dump Capture Files Automatically" section.
The following example shows how to configure the Detector module to automatically record zone traffic:
user@DETECTOR-conf-zone-scannet# packet-dump auto-capture
To stop the Detector module from automatically capturing zone traffic data, use the no packet-dump auto-capture command.
To view the current packet-dump settings, use the show packet-dump command.
Activating the Detector Module to Manually Record Traffic
You can activate the Detector module to start recording traffic so that you can record traffic during a specific period or change the criteria that the Detector module uses to record the traffic.
The Detector module stops recording traffic and saves the manual packet-dump capture to a file when the specified number of packets have been recorded, or when either the learning process or zone detection have ended.
You can only activate one manual packet-dump capture at a time for a zone, but you can activate the manual packet-dump capture and the automatic packet-dump capture simultaneously. The Detector module can record manual packet-dump captures for up to 10 zones simultaneously.
To activate a manual packet-dump capture, enter the following command in zone configuration mode:
packet-dump capture [view] capture-name pdump-rate pdump-count [tcpdump-expression]
Note
The CLI session halts while the traffic is captured. To continue working while the capture is in process, establish an additional session with the Detector module.
Table 10-8 provides the arguments and keywords for the packet-dump command.
Table 10-8 Arguments and Keywords for the packet-dump Command
Parameter | Description
view | (Optional) Displays traffic that the Detector module is recording in real time.
capture-name | The name of the packet-dump capture file. Enter an alphanumeric string from 1 to 63 characters in length. The string can contain underscores but cannot contain spaces.
pdump-rate | The sample rate in pps. Enter a value from 1 to 10000. Note: The Detector module supports a maximum accumulated packet-dump capture rate of 10000 packets per second for all concurrent manual captures. A packet-dump capture configured with a high sample-rate value consumes resources. We recommend that you use high-rate values cautiously because of the potential performance penalty.
pdump-count | The number of packets to record. When the Detector module finishes recording the specified number of packets, it saves the manual packet-dump capture buffer to a file. Enter an integer from 1 to 5000.
tcpdump-expression | (Optional) A filter you apply to specify the traffic to record. The Detector module captures only traffic that complies with the filter expression. The expression rules are identical to the Flex-Content filter TCPDump expression rules. See the "Understanding the tcpdump-expression Syntax" section for more information.
The following example shows how to activate a manual packet-dump capture to record 1000 packets with a sample rate of 10 packets per second and display the packets that are captured:
user@DETECTOR-conf-zone-scannet# packet-dump capture view 10 1000
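An added example, not Cisco code: a pre-flight check that validates a manual capture request against the limits in Table 10-8 (name format, pdump-rate, pdump-count, one manual capture per zone, and the 10000 pps aggregate limit across concurrent manual captures) and renders the command in the documented syntax. The CaptureScheduler bookkeeping of running captures is hypothetical; it does not read state from the device.

```python
"""Pre-flight validation of manual packet-dump capture requests (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constraints from Table 10-8.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,63}$")  # alphanumeric plus underscore, no spaces
MAX_RATE_PPS = 10000                            # per capture and accumulated across captures
MAX_COUNT = 5000                                # pdump-count upper bound


@dataclass
class CaptureRequest:
    zone: str
    capture_name: str
    pdump_rate: int
    pdump_count: int
    view: bool = False
    tcpdump_expression: Optional[str] = None

    def to_cli(self) -> str:
        """Render: packet-dump capture [view] capture-name pdump-rate pdump-count [tcpdump-expression]"""
        parts = ["packet-dump", "capture"]
        if self.view:
            parts.append("view")
        parts += [self.capture_name, str(self.pdump_rate), str(self.pdump_count)]
        if self.tcpdump_expression:
            parts.append(self.tcpdump_expression)
        return " ".join(parts)


@dataclass
class CaptureScheduler:
    """Hypothetical local bookkeeping of manual captures believed to be running, keyed by zone."""
    active: Dict[str, CaptureRequest] = field(default_factory=dict)

    def aggregate_rate(self) -> int:
        """Sum of sample rates of all running manual captures."""
        return sum(r.pdump_rate for r in self.active.values())

    def validate(self, req: CaptureRequest) -> List[str]:
        """Return a list of constraint violations; empty means the request may be issued."""
        problems = []
        if not NAME_RE.match(req.capture_name):
            problems.append("capture-name must be 1-63 alphanumeric/underscore characters, no spaces")
        if not 1 <= req.pdump_rate <= MAX_RATE_PPS:
            problems.append(f"pdump-rate must be 1-{MAX_RATE_PPS} pps")
        if not 1 <= req.pdump_count <= MAX_COUNT:
            problems.append(f"pdump-count must be 1-{MAX_COUNT}")
        if req.zone in self.active:
            # Only one manual packet-dump capture at a time per zone.
            problems.append(f"zone {req.zone} already has a manual capture running")
        elif self.aggregate_rate() + req.pdump_rate > MAX_RATE_PPS:
            problems.append("aggregate manual capture rate would exceed 10000 pps")
        return problems

    def start(self, req: CaptureRequest) -> str:
        """Record the capture as running and return the CLI line to enter in zone configuration mode."""
        problems = self.validate(req)
        if problems:
            raise ValueError("; ".join(problems))
        self.active[req.zone] = req
        return req.to_cli()

    def stop(self, zone: str) -> None:
        """Forget a capture, mirroring 'no packet-dump capture capture-name' or CTRL-C."""
        self.active.pop(zone, None)


if __name__ == "__main__":
    sched = CaptureScheduler()
    print(sched.start(CaptureRequest("scannet", "probe_1", 10, 1000, view=True)))
    print(sched.validate(CaptureRequest("scannet", "probe_2", 10, 10)))
```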
Stopping the Detector Module from Manually Recording Traffic
The Detector module stops a manual packet-dump capture when it records the number of packets you specified when you activated the capture. However, you can stop a manual packet-dump capture before the Detector module records the specified number of packets.
To stop the Detector module from manually recording traffic, perform one of the following actions:
• Press CTRL-C in the open CLI session.
• Open a new CLI session, and enter the following command in the relevant zone configuration mode:
no packet-dump capture capture-name
The capture-name argument specifies the name of the capture to stop.
The Detector module saves the packet-dump capture file.
Displaying Manual Packet-Dump Settings
To display the current amount of disk space that the Detector module allocated for manual packet-dump capture files, use the show packet-dump command in configuration mode or in global mode. The Detector module allocates a single block of disk space for the manual packet-dump capture files of all zones.
The following example shows how to display the current amount of disk space that the Detector module allocated for manual packet-dump capture files:
user@DETECTOR-conf# show packet-dump
Table 10-9 describes the fields in the show packet-dump command output.
Table 10-9 Field Descriptions for the Manual show packet-dump Command Output
Field | Description
Allocated disk-space | Specifies the amount of total disk space that the Detector module has allocated for manual packet-dump captures of all zones in MB.
Occupied disk-space | Specifies the percentage of allocated disk space consumed by manual packet-dump files from all zones.
Exporting Packet-Dump Capture Files Automatically
You can configure the Detector module to automatically export packet-dump capture files to an FTP or an SFTP server. When you enable the automatic export function, the Detector module exports the packet-dump capture files each time it saves the contents of the packet-dump buffer to a local file. The Detector module exports the packet-dump capture files in PCAP format, which is compressed and encoded by the "gzip" (GNU zip) program, with an accompanying file in XML format that describes the recorded data. The XML schema is described in the Capture.xsd file that accompanies the version. You can download the xsd files that accompany the version from the Software Center at: http://www.cisco.com/public/sw-center/.
To automatically export packet-dump capture files, enter one of the following commands in configuration mode:
• export packet-dump ftp server full-file-name [login password]
• export packet-dump sftp server full-file-name login
Note
You must configure the SSH key that the Detector module uses for SFTP communication before you enter the export packet-dump sftp command. See the "Configuring the Key for SFTP Connections" section for more information.
Table 10-10 describes the arguments for the export packet-dump command.
Table 10-10 Arguments for the export packet-dump Command
Parameter | Description
ftp | Export the packet-dump capture files to an FTP server.
sftp | Export the packet-dump capture files to an SFTP server.
server | The IP address of the server.
remote-path | The complete name of the path where the Detector module saves the packet-dump capture files.
login | The server login name. The login argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
password | The password for the remote FTP server.
The following example shows how to automatically export packet-dump capture files to an FTP server at IP address 10.0.0.191:
user@DETECTOR# export packet-dump ftp 10.0.0.191 /root/captures/ <user> <password>
Exporting Packet-Dump Capture Files Manually
You can manually export packet-dump capture files to an FTP server. You can export a single packet-dump capture file or all packet-dump capture files of a specific zone. The Detector module exports the packet-dump capture files in PCAP format, which is compressed and encoded by the "gzip" (GNU zip) program, with an accompanying file in XML format that describes the recorded data. The XML schema is described in the Capture.xsd file that accompanies the version. You can download the xsd files that accompany the version from the Software Center at: http://www.cisco.com/public/sw-center/.
To manually export packet-dump capture files to an FTP server, enter one of the following commands in global mode:
• copy zone zone-name packet-dump captures [capture-name] ftp server remote-path [login [password]]
• copy zone zone-name packet-dump captures [capture-name] sftp server remote-path login
Note
You must configure the SSH key that the Detector module uses for SFTP communication before you enter the copy zone packet-dump captures sftp command. See the "Configuring the Key for SFTP Connections" section for more information.
Table 10-11 provides the arguments and keywords for the copy zone packet-dump command.
Table 10-11 Arguments and Keywords for the copy zone packet-dump Command
Parameters | Description
zone zone-name | The name of an existing zone.
packet-dump captures | Exports packet-dump capture files.
capture-name | (Optional) The name of an existing packet-dump capture file. If you do not specify the name of a packet-dump capture file, the Detector module exports all the zone packet-dump capture files. See the "Displaying Packet-Dump Capture Files" section for more information.
ftp | Exports the packet-dump capture files to an FTP server.
sftp | Exports the packet-dump capture files to an SFTP server.
server | The IP address of the server.
remote-path | The complete name of the path where the Detector module saves the packet-dump capture files.
login | The server login name. The login argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
password | (Optional) The password for the remote FTP server. If you do not insert the password the Detector module prompts you for one.
The following example shows how to manually export the packet-dump capture files of zone scannet to FTP server 10.0.0.191:
user@DETECTOR# copy zone scannet packet-dump captures ftp 10.0.0.191 <user> <password>
Importing Packet-Dump Capture Files
You can import packet-dump capture files from an FTP or SFTP server to the Detector module so that you can analyze past events or compare current network traffic patterns with traffic patterns that the Detector module previously recorded under normal traffic conditions. The Detector module imports the packet-dump capture files in both XML and PCAP format.
To import a packet-dump capture file, enter one of the following commands in global mode:
• copy ftp zone zone-name packet-dump captures server full-file-name [login [password]]
• copy sftp zone zone-name packet-dump captures server full-file-name login
Note
You must configure the SSH key that the Detector module uses for SFTP communication before you enter the copy sftp zone command. See the "Configuring the Key for SFTP Connections" section for more information.
Table 10-12 provides the arguments for the copy zone packet-dump command.
Table 10-12 Arguments for the copy zone packet-dump Command
Parameter | Description
ftp | Export the packet-dump capture files to an FTP server.
sftp | Export the packet-dump capture files to an SFTP server.
zone zone-name | The name of an existing zone for which the packet-dump capture files are imported.
packet-dump captures | Exports packet-dump capture files.
server | The IP address of the server.
full-file-name | The complete path and filename, excluding the file extension, of the file to import. If you do not specify a path, the server copies the file from your home directory. Note: Do not specify the file extension because it will cause the import process to fail.
login | The server login name. The login argument is optional when you define an FTP server. When you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
password | (Optional) The password for the FTP server. If you do not insert the password the Detector module prompts you for one.
The following example shows how to import packet-dump capture files of zone scannet from FTP server 10.0.0.191:
user@DETECTOR# copy ftp zone scannet packet-dump captures 10.0.0.191 capture-1 <user> <password>
Displaying Packet-Dump Capture Files
You can display either a list of packet-dump capture files or display the content of a single packet-dump capture file. By default, the Detector module displays a list of all zone packet-dump capture files.
To display packet-dump capture files, enter the following command in zone configuration mode:
show packet-dump captures [capture-name [tcpdump-expression]]
Table 10-13 provides the arguments for the show packet-dump captures command.
Table 10-13 Arguments for the show packet-dump captures Command
Parameter | Description
capture-name | (Optional) The name of an existing packet-dump capture file. If you do not specify the name of a packet-dump capture file, the Detector module displays a list of all zone packet-dump capture files. See Table 10-14 for field descriptions of the command output. If you specify the name of a packet-dump capture file, the Detector module displays the file in TCPDump format.
tcpdump-expression | (Optional) The filter that the Detector module uses when displaying the packet-dump capture file. The Detector module displays only the portion of the packet-dump capture file that matches the filter criteria. The expression rules are identical to the Flex-Content filter TCPDump expression rules. See the "Understanding the tcpdump-expression Syntax" section for more information.
The following example shows how to display the list of packet-dump capture files:
user@DETECTOR-conf-zone-scannet# show packet-dump captures
Table 10-14 describes the fields in the show packet-dump captures command output.
Table 10-14 Field Descriptions for the show packet-dump captures Command Output
Field | Description
Capture-name | The name of the packet-dump capture file. See Table 10-7 for a description of the automatic packet-dump capture filenames.
Size (MB) | The size of the packet-dump capture file in MB.
Filter | The user-defined filter that the Detector module used when recording traffic. The filter is in TCPDump format. The expression rules are identical to the Flex-Content filter TCPDump expression rules. See the "Understanding the tcpdump-expression Syntax" section for more information.
Generating Attack Signatures from Packet-Dump Capture Files
An attack signature describes the common pattern that appears in the payload of attack packets. You can activate the Detector module to generate the signature of anomalous traffic and then use this information to quickly identify future attacks of the same type. This feature allows you to detect new DDoS attacks and Internet worms, even before signatures are published, for example, from antivirus software companies or mailing lists.
The Detector module generates the attack signature using the Flex-Content filter pattern expression syntax. You can use this signature in the Flex-Content filter pattern to filter out anomalous traffic. See the "Configuring Flex-Content Filters" section for more information.
You can specify an additional packet-dump capture file that the Detector module recorded during normal traffic conditions as a reference. If you specify a reference packet-dump capture file, the Detector module generates the signature from the anomalous traffic and specifies the percentage of times that the signature is present in traffic that was recorded during normal traffic conditions. If the attack signature appears in a high percentage in traffic that was recorded during normal traffic conditions, it may not indicate the pattern of an attack.
To generate a signature of an attack, perform the following steps:
Step 1 Activate the Detector module to record traffic during the attack by using the packet-dump capture command. See the "Activating the Detector Module to Manually Record Traffic" section for more information.
Step 2 Identify the packet-dump capture file that the Detector module recorded during the attack. To display the list of packet-dump capture files, use the show packet-dump captures command.
Step 3
Step 4 See the "Displaying Packet-Dump Capture Files" section for more information.
Step 5 Activate the Detector module to generate a signature of the attack traffic. Enter the following command in zone configuration mode:
show packet-dump signatures capture-name [reference-capture-name]
Table 10-15 provides the arguments for the show packet-dump signatures command.
Table 10-15 Arguments for the show packet-dump signatures Command
Parameter | Description
capture-name | The name of an existing packet-dump capture file from which to generate a signature.
reference-capture-name | (Optional) The name of an existing packet-dump capture file that the Detector module recorded during normal traffic conditions. If you specify a reference packet-dump capture file, the Detector module displays the percentage of times the signature is present in the reference packet-dump capture file.
Table 10-16 describes the fields in the show packet-dump signatures command output.
Table 10-16 Field Descriptions for the show packet-dump signatures Command Output
Field | Description
Start Offset | The offset (in bytes) from the beginning of the packet payload where the pattern begins. If you copy the pattern into the Flex-Content filter pattern expression, copy this offset into the Flex-Content filter start-offset argument.
End Offset | The offset (in bytes) from the beginning of the packet payload where the pattern ends. If you copy the pattern into the Flex-Content filter pattern expression, copy this offset into the Flex-Content filter end-offset argument.
Pattern | The signature that the Detector module generated. The Detector module generates the signature using the Flex-Content filter pattern expression syntax. See the "Understanding the pattern-expression Syntax" section for more information. You can copy this pattern into the Flex-Content filter pattern expression.
Percentage | The percentage of times that the signature is present in the reference-capture-name file.
The following example shows how to generate a signature from a manual packet-dump capture file:
user@DETECTOR-conf-zone-scannet# show packet-dump signatures PDumpCapture
Copying Packet-Dump Capture Files
You can copy a packet-dump capture file (or a portion of a file) under a new name. The Detector module overwrites existing automatic packet-dump capture files with new ones. When you copy an automatic packet-dump capture file or a manual packet-dump capture file, the Detector module saves them as manual files. You must manually delete them if you need to free up disk space. See the "Deleting Packet-Dump Capture Files" section for more information.
To copy a packet-dump capture file, enter the following command in configuration mode:
copy zone zone-name packet-dump captures capture-name [tcpdump-expression] new-name
Table 10-17 provides the arguments and keywords for the copy zone packet-dump captures command.
Table 10-17 Arguments and Keywords for the copy zone packet-dump captures Command
Parameter | Description
zone zone-name | The name of an existing zone whose packet-dump capture files are copied.
packet-dump | Copies a packet-dump capture file.
captures capture-name | The name of an existing packet-dump capture file.
tcpdump-expression | (Optional) The filter that the Detector module uses to copy the packet-dump capture file. The Detector module copies only the portion of the packet-dump capture file that matches the filter criteria. The expression rules are identical to the Flex-Content filter TCPDump expression rules. See the "Understanding the tcpdump-expression Syntax" section for more information.
new-name | The name of the new packet-dump capture file. The name is an alphanumeric string from 1 to 63 characters and can contain underscores but cannot contain spaces.
The following example shows how to copy the portion of packet-dump capture file capture-1 that matches the tcpdump filter to a new file named capture-2:
user@DETECTOR-conf# copy zone scannet packet-dump captures capture-1 "tcp and dst port 80 and not src port 1000" capture-2
Deleting Packet-Dump Capture Files
The Detector module allocates by default 20 MBytes of disk space for manual packet-dump capture files of all zones. It can save up to 80 MBytes of manual and automatic packet-dump capture files of all zones. To free disk space for additional packet-dump capture files, delete the old ones.
You can only save one manual packet-dump capture file per zone and no more than 10 packet-dump capture files on the Detector module. You must delete old manual packet-dump capture files to free up room for new ones.
To delete automatic or manual packet-dump capture files, enter one of the following commands:
• clear zone zone-name packet-dump captures {* | name} (in configuration mode)
• clear packet-dump captures {* | name} (in zone configuration mode)
Table 10-18 provides the arguments and keywords for the clear packet-dump command.
Table 10-18 Arguments and Keywords for the clear packet-dump Command
Parameter | Description
zone zone-name | The name of an existing zone.
packet-dump captures | Deletes packet-dump capture files.
* | Erases all packet-dump capture files.
name | The name of the packet-dump capture file to delete.
The following example shows how to delete all manual packet-dump capture files:
user@DETECTOR-conf# clear packet-dump captures *
Displaying General Diagnostics Data
To display a general summary of the diagnostics data, enter the following command:
show diagnostic-info
The diagnostics data consists of the following information:
• Line Card Number—An identifier string for the Detector module.
• Number of Pentium-class Processors—The number of processors on the Detector module. The Detector module supports one processor.
• BIOS Vendor—The vendor of the BIOS on the Detector module.
• BIOS Version—The BIOS version on the Detector module.
• Total available memory—The total memory available on the Detector module.
• Size of compact flash—The size of the compact flash on the Detector module.
• Slot Num—The number of the chassis slot (1-9) in which the module is inserted.
• CFE version—The CFE version number.
Note
To change the CFE version, you must install a new flash version. To burn a new CFE version, use the flash-burn command. See the "Upgrading the Detector Module Software" section for more information.
• Recognition Average Sample Loss—The calculated average packet sample loss.
• Forward failures (no resources)—The number of packets that were not forwarded because of a lack of system resources.
Note
A high Recognition Average Sample Loss or a large number of Forward failures indicates that the Detector module is overloaded with traffic. We recommend that you install more than one Detector module in a load-sharing configuration.
Displaying Memory Consumption
The Detector module displays memory usage in kilobytes, and displays the percentage of memory that its statistical engine uses as Recognition Used Memory. Recognition memory usage depends on the number of active zones and the number of services that each zone monitors.
Note
If the Recognition memory usage is higher than 90 percent, we highly recommend that you lower the number of active zones.
To display the Detector module memory consumption, enter the following command:
show memory
The following example shows how to display the Detector module memory consumption:
user@DETECTOR# show memory
total used free shared buffers cached
In KBytes: 2065188 146260 1918928 0 2360 69232
Recognition Used Memory: 0.3%
Note
The total amount of free memory the Detector module has is a sum of the free memory and the cached memory.
Displaying the CPU Utilization
The Detector module displays the percentage of CPU time in user mode, system mode, niced tasks, and idle. Niced tasks are also counted in system and user time, so the total CPU utilization can be more than 100 percent.
To display the current percentage of CPU utilization, enter the following command:
show cpu
The following example shows how to display the current percentage of CPU utilization:
Host CPU: 0.0% user, 0.1% system, 0.0% nice, 99.0% idle
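As an added example (not Cisco's code), the following Python parses the show memory and show cpu output shown in these two sections and applies the checks they describe: real free memory is free plus cached, the Recognition figure is compared against the page's 90 percent threshold, and CPU busy time is derived from idle because niced time is already counted in user and system time. The sample outputs are constructed from the page's examples plus an invented overloaded module; the CPU busy threshold is an assumption.

```python
"""Health checks over Detector module show memory / show cpu output (added example)."""
import re

# Constructed samples: the first pair copies the page's own output, the second
# is an invented overloaded module used to exercise the checks.
SAMPLE_MEMORY = """total used free shared buffers cached
In KBytes: 2065188 146260 1918928 0 2360 69232
Recognition Used Memory: 0.3%"""
SAMPLE_CPU = "Host CPU: 0.0% user, 0.1% system, 0.0% nice, 99.0% idle"

OVERLOADED_MEMORY = """total used free shared buffers cached
In KBytes: 2065188 1990000 75188 0 1200 40000
Recognition Used Memory: 93.5%"""
OVERLOADED_CPU = "Host CPU: 60.0% user, 35.0% system, 10.0% nice, 5.0% idle"


def parse_show_memory(text):
    """Return the KByte counters from show memory plus two derived values:
    effective_free (free + cached, which the page's note defines as the real
    free memory) and recognition_pct (the statistical engine's share)."""
    header = values = recognition = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("total"):
            header = line.split()
        elif line.startswith("In KBytes:"):
            values = [int(v) for v in line.split(":", 1)[1].split()]
        elif line.startswith("Recognition Used Memory:"):
            recognition = float(line.split(":", 1)[1].strip().rstrip("%"))
    if header is None or values is None or recognition is None or len(header) != len(values):
        raise ValueError("unrecognised show memory output")
    mem = dict(zip(header, values))
    mem["effective_free"] = mem["free"] + mem["cached"]
    mem["recognition_pct"] = recognition
    return mem


_CPU_RE = re.compile(
    r"Host CPU:\s*([\d.]+)% user,\s*([\d.]+)% system,\s*([\d.]+)% nice,\s*([\d.]+)% idle"
)


def parse_show_cpu(text):
    """Return the show cpu percentages and a derived busy figure.
    Niced time is already counted inside user and system time, so the four
    numbers can sum past 100; busy is therefore taken as 100 - idle."""
    m = _CPU_RE.search(text)
    if not m:
        raise ValueError("unrecognised show cpu output")
    user, system, nice, idle = (float(x) for x in m.groups())
    return {"user": user, "system": system, "nice": nice, "idle": idle,
            "busy": round(100.0 - idle, 1)}


def assess(mem, cpu, recognition_limit=90.0, busy_limit=80.0):
    """Apply the page's 90 percent Recognition rule; busy_limit is an assumption."""
    findings = []
    if mem["recognition_pct"] > recognition_limit:
        findings.append(f"Recognition memory {mem['recognition_pct']}% exceeds "
                        f"{recognition_limit}%: reduce the number of active zones")
    if cpu["busy"] > busy_limit:
        findings.append(f"CPU busy {cpu['busy']}% exceeds {busy_limit}%: "
                        "check sample loss and forward failures in show diagnostic-info")
    return findings


if __name__ == "__main__":
    for mem_text, cpu_text in ((SAMPLE_MEMORY, SAMPLE_CPU), (OVERLOADED_MEMORY, OVERLOADED_CPU)):
        mem, cpu = parse_show_memory(mem_text), parse_show_cpu(cpu_text)
        print(f"effective free {mem['effective_free']} KB, busy {cpu['busy']}%:",
              assess(mem, cpu) or ["healthy"])
```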
Managing the ARP Cache
You can display or manipulate the ARP cache to clear an address mapping entry or to manually define one. To manage the ARP cache, enter one of the following commands:
arp [-evn] [-H type] [-i if] -a [hostname]
arp [-v] [-i if] -d hostname [pub]
arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub
arp [-vnD] [-H type] [-i if] -f [filename]
Note
You can enter the complete keyword or an abbreviation of the keyword. The abbreviated keyword is preceded by a dash (-) and the complete keyword is preceded by two dashes (--).
Table 10-19 provides arguments and keywords for the arp command.
Table 10-19 Arguments and Keywords for the arp Command
Abbreviated Parameter Name | Parameter Full Name | Description
-H type, -t type | --hw-type type | (Optional) Specifies the class of entries for which the Detector module checks. The default type value is ether (hardware code 0x01 for IEEE 802.3 10 Mbps Ethernet).
-i if | --device if | (Optional) Specifies an interface. When you dump the ARP cache, only entries that match the specified interface are printed. If you configure a permanent or temporary ARP entry, this interface is associated with the entry. If you do not use this option, the Detector module determines the interface based on the routing table. If you use the pub keyword, this interface is the interface on which the Detector module answers ARP requests and must be different from the interface to which the IP datagrams are routed.
-s hostname hw_addr | --set hostname hw_addr | Creates an ARP address mapping entry for the host name with the hardware address set to the hw_addr class value. If you do not enter the temp flag, the entry is stored permanently in the ARP cache.
-a [hostname] | --display [hostname] | Displays the entries of the specified hosts in alternate (BSD) style. The default is to display all entries.
-v | --verbose | (Optional) Displays verbose output.
-n | --numeric | Displays numerical addresses.
-d hostname | --delete hostname | Removes any entry for the specified host.
-D | --use-device | Uses the hardware address of interface ifa.
-e | | Displays the entries in default style.
-f filename | --file filename | Creates ARP address mapping entries from the filename file. The file format is ASCII text lines with a hostname and a hardware address separated by white space. You can also use the pub, temp, and netmask flags. In all places where a hostname is expected, you can also enter an IP address in dotted-decimal notation.
Caution
To configure the Detector module ARP cache, you must be familiar with the Detector module system and the network.
The following example shows how to display the ARP entries in default style:
Address HWtype HWaddress Flags Mask Iface
10.10.1.254 ether 00:02:B3:C0:61:67 C eth1
10.10.8.11 ether 00:02:B3:45:B9:F1 C eth1
10.10.8.253 ether 00:D0:B7:46:72:37 C eth1
10.10.10.54 ether 00:03:47:A6:44:CA C eth1
Displaying Network Statistics
You can display the host network connections, routing tables, interface statistics, masquerade connections, and multicast memberships to debug network problems by entering one of the following commands:
netstat [address_family_options] [--tcp|-t] [--udp|-u] [--raw|-w] [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]] [--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c] [delay]
netstat {--route|-r} [address_family_options] [--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]
netstat {--interfaces|-i} [iface] [--all|-a] [--extend|-e[--extend|-e]] [--verbose|-v] [--program|-p] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]
netstat {--groups|-g} [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]
netstat {--masquerade|-M} [--extend|-e] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]
netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--raw|-w] [delay]
netstat {--version|-V}
netstat {--help|-h}
Note
If you do not specify any address families, the Detector module displays the active sockets of all configured address families.
Table 10-20 provides arguments and keywords for the netstat command.
Note
You can enter the complete keyword or an abbreviation of the keyword. The abbreviated keyword is preceded by a dash (-) and the complete keyword is preceded by two dashes (--).
Table 10-20 Arguments and Keywords for the netstat Command
Abbreviated Parameter Name | Parameter Full Name | Description
address_family_options | | (Optional) The address family options can be one of the following: [--protocol={inet,unix,ipx,ax25,netrom,ddp}[,...]] or [--unix|-x] [--inet|--ip] [--ax25] [--ipx] [--netrom] [--ddp]
-r | --route | Displays the Detector module routing tables.
-g | --groups | Displays multicast group membership information for IPv4 and IPv6.
-i iface | --interface iface | Displays a table of all network interfaces, or of the optional iface value.
-M | --masquerade | Displays a list of masqueraded connections.
-s | --statistics | Displays summary statistics for each protocol.
-v | --verbose | (Optional) Displays verbose output.
-n | --numeric | (Optional) Displays numerical addresses.
| --numeric-hosts | (Optional) Displays numerical host addresses but does not affect the resolution of port or user names.
| --numeric-ports | (Optional) Displays numerical port numbers but does not affect the resolution of host or user names.
| --numeric-users | (Optional) Displays numerical user IDs but does not affect the resolution of host or port names.
-c | --continuous | (Optional) Displays the selected information every second on a continuous basis.
-e | --extend | (Optional) Displays additional information. Use this option twice for maximum detail.
-o | --timers | (Optional) Displays information related to networking timers.
-p | --program | (Optional) Displays the PID and name of the program to which each socket belongs.
-l | --listening | (Optional) Displays only listening sockets. These sockets are omitted by default.
-a | --all | (Optional) Displays both listening and non-listening sockets.
delay | | (Optional) netstat cycles through printing statistics every delay seconds.
You can enter a maximum of 13 arguments and keywords in one command.
The following example shows how to display netstat information in verbose mode:
user@DETECTOR# netstat -v
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:1111 localhost:32777 ESTABLISHED
tcp 0 0 localhost:8200 localhost:32772 ESTABLISHED
tcp 0 0 localhost:33464 localhost:8200 TIME_WAIT
tcp 1 0 localhost:1113 localhost:33194 CLOSE_WAIT
Active UNIX domain sockets (w/o servers)
unix 2 [ ] STREAM CONNECTED 928
unix 3 [ ] STREAM CONNECTED 890 /tmp/.zserv
Using Traceroute
You can determine the route that packets take to arrive at a network host to debug network problems by entering the following command:
traceroute ip-address [-F] [-f first_ttl] [-g gateway] [-i iface] [-m max_ttl] [-p port] [-q nqueries] [-s src_addr] [-t tos] [-w waittime] [packetlen]
Note
The traceroute command displays IP addresses only, not names.
Table 10-21 provides the arguments and keywords for the traceroute command.
Table 10-21 Arguments and Keywords for the traceroute Command
Parameter | Description
ip-address | The IP address to which the route will be traced.
-F | (Optional) Sets the don't fragment bit.
-f first_ttl | (Optional) Sets the initial time-to-live (TTL) used in the first outgoing probe packet.
-g gateway | (Optional) Specifies a loose source route gateway (8 maximum).
-i iface | (Optional) Specifies a network interface to obtain the source IP address for outgoing probe packets; this is mostly useful on a multi-homed host.
-m max_ttl | (Optional) Sets the maximum time-to-live (maximum number of hops) used in outgoing probe packets. The default is 30 hops.
-p port | (Optional) Sets the base UDP port number used in probes. The default is 33434.
-q nqueries | (Optional) Sets the number of probes sent for each ttl value. The default is 3.
-s src_addr | (Optional) Sets the src_addr IP address as the source IP address in outgoing probe packets.
-t tos | (Optional) Sets the type-of-service in probe packets to the tos value. The default is zero.
-w waittime | (Optional) Sets the time in seconds to wait for a response to a probe. The default is 5 seconds.
packetlen | (Optional) Sets the packet length of the probe.
The following example shows how to trace the route to IP address 10.10.10.34:
user@DETECTOR# traceroute 10.10.10.34
traceroute to 10.10.10.34 (10.10.10.34), 30 hops max, 38 byte packets
1 10.10.10.34 (10.10.10.34) 0.577 ms 0.203 ms 0.149 ms
Verifying Connectivity
You can send ICMP ECHO_REQUEST packets to network hosts and verify connectivity by entering the following command:
ping ip-address [-c count] [-i interval] [-l preload] [-s packetsize] [-t ttl] [-w deadline] [-F flowlabel] [-I interface] [-Q tos] [-T timestamp option] [-W timeout]
Table 10-22 provides arguments and keywords for the ping command.
Table 10-22 Arguments and Keywords for the ping Command
Parameter | Description
ip-address | The destination IP address.
-c count | (Optional) Sends the specified number of ECHO_REQUEST packets. With a deadline option, the command waits for count ECHO_REPLY packets until the timeout expires.
-i interval | (Optional) Waits interval seconds between sending packets. The default is to wait one second.
-l preload | (Optional) Sends preload packets without waiting for a reply.
-s packetsize | (Optional) Specifies the number of data bytes to send. The default is 56.
-t ttl | (Optional) Sets the IP TTL.
-w deadline | (Optional) Specifies the timeout in seconds before ping exits, regardless of how many packets have been sent or received.
-F flowlabel | (Optional) Allocates and sets a 20-bit flow label on echo request packets (ping6 only). If the value is zero, a random flow label is used.
-I interface | (Optional) Sets the source IP address to the specified interface address.
-Q tos | (Optional) Sets Type of Service (ToS) related bits in ICMP datagrams.
-T timestamp option | (Optional) Sets special IP timestamp options.
-W timeout | (Optional) Time (in seconds) to wait for a response.
You can enter a maximum of 10 arguments and keywords in one command.
The following example shows how to send one ICMP ECHO_REQUEST packet to IP address 10.10.10.30:
user@DETECTOR# ping 10.10.10.30 -c 1
Obtaining Debug Information
If the Detector module experiences an operational problem, Cisco Technical Support may request that you send them a copy of the Detector module internal debug information. The Detector module debug core file contains information for troubleshooting Detector module malfunctions. The file output is encrypted and intended for use by Cisco TAC personnel only.
To extract debug information to an FTP server, perform the following steps:
Step 1 Display the Detector module log file. See the "Displaying the Log File" section for more information.
Step 2 Identify the first log message that indicates a problem to determine the time from which to extract debug information. The Detector module extracts the debug information from the specified time up to the current time.
Step 3 Extract the debug information to an FTP server by entering the following command in global mode:
copy debug-core time ftp server full-file-name [login [password]]
Table 10-23 provides the arguments for the copy debug-core command.
Table 10-23 Arguments for the copy debug-core Command
Parameter | Description
time | The time of the event that triggers the need for debug information. The time string uses the format MMDDhhmm[[CC]YY][.ss], where MM is the month in numeric figures, DD the day of the month, hh the hour on a 24-hour clock, mm the minutes, CC (optional) the first two digits of the year (for example, 20 for 2005), YY (optional) the last two digits of the year (for example, 05 for 2005), and .ss (optional) the seconds (the decimal point must be present).
ftp server | The IP address of the FTP server.
full-file-name | The full path and name of the file to which the debug information is written. If you do not specify a path, the server saves the file in your home directory.
login | (Optional) The FTP server login name. The FTP server assumes an anonymous login when you do not enter a login name, and does not prompt you for a password.
password | (Optional) The FTP server password. If you do not enter the password, the Detector module prompts you for it.
The following example shows how to extract debug information from November 9 at 06:45 AM of the current year to FTP server 10.0.0.191:
user@DETECTOR# copy debug-core 11090645 ftp 10.0.0.191 /home/debug/debug-file <user> <password>
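The time argument is the one part of this command that is easy to get wrong, so the following Python, an added example and not Cisco's code, parses the MMDDhhmm[[CC]YY][.ss] format of Table 10-23 and checks that the resulting extraction window (from that time up to now) is sane before the command is run. The page does not say how a two-digit YY without CC is interpreted; placing it in the current century is this example's assumption, and EXAMPLE_NOW is a constructed reference clock.

```python
"""Parser and sanity check for the copy debug-core time string (added example)."""
import re
from datetime import datetime

# Constructed "current time" so the examples are reproducible.
EXAMPLE_NOW = datetime(2005, 12, 1, 12, 0)

_DEBUG_TIME_RE = re.compile(
    r"^(?P<MM>\d{2})(?P<DD>\d{2})(?P<hh>\d{2})(?P<mm>\d{2})"
    r"(?P<year>\d{4}|\d{2})?(?:\.(?P<ss>\d{2}))?$"
)


def parse_debug_core_time(value, now=None):
    """Return the datetime encoded by a MMDDhhmm[[CC]YY][.ss] string.

    Year handling follows the page's format: no year means the current year,
    four digits are CCYY, two digits are YY (assumption: current century)."""
    now = now or datetime.now()
    m = _DEBUG_TIME_RE.match(value)
    if not m:
        raise ValueError(f"{value!r} is not in MMDDhhmm[[CC]YY][.ss] form")
    year = m.group("year")
    if year is None:
        yr = now.year
    elif len(year) == 4:
        yr = int(year)
    else:
        yr = (now.year // 100) * 100 + int(year)
    try:
        return datetime(yr, int(m.group("MM")), int(m.group("DD")),
                        int(m.group("hh")), int(m.group("mm")), int(m.group("ss") or 0))
    except ValueError as exc:  # e.g. month 13 or day 32
        raise ValueError(f"{value!r} is not a valid calendar time") from exc


def is_valid_debug_core_time(value, now=None):
    """True when the string parses and does not lie in the future."""
    try:
        return parse_debug_core_time(value, now) <= (now or datetime.now())
    except ValueError:
        return False


def debug_window_seconds(value, now=None):
    """Length in seconds of the window the module extracts: from value up to now.
    A start time after now is rejected because nothing would be extracted."""
    now = now or datetime.now()
    start = parse_debug_core_time(value, now)
    if start > now:
        raise ValueError("debug-core time lies in the future; nothing would be extracted")
    return int((now - start).total_seconds())


if __name__ == "__main__":
    for sample in ("11090645", "110906452005.30", "1109064504", "13090645", "12310000"):
        print(sample, "valid" if is_valid_debug_core_time(sample, EXAMPLE_NOW) else "rejected")
    print("window seconds for the page's example:", debug_window_seconds("11090645", EXAMPLE_NOW))
```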