Table Of Contents
Using Detector Diagnostic Tools
Displaying the Detector Configuration
Displaying Detector Zones
Using Counters to Analyze Traffic
Displaying Counters and Average Traffic Rates
Clearing Detector and Zone Counters
Displaying the Zone Status
Managing Detector Logs
Managing Online Event Logs
Displaying Online Event Logs
Exporting Online Event Logs
Managing the Log File
Displaying the Log File
Exporting the Log File
Clearing the Log File
Clearing the BIOS System Log File
Monitoring Network Traffic and Extracting Attack Signatures
Configuring the Detector to Automatically Record Traffic
Activating the Detector to Manually Record Traffic
Stopping the Detector from Manually Recording Traffic
Managing Packet-Dump Capture Files Disk Space
Displaying Manual Packet-Dump Settings
Displaying Automatic Packet-Dump Settings
Exporting Packet-Dump Capture Files Automatically
Exporting Packet-Dump Capture Files Manually
Importing Packet-Dump Capture Files
Displaying Packet-Dump Capture Files
Generating Attack Signatures from Packet-Dump Capture Files
Copying Packet-Dump Capture Files
Deleting Packet-Dump Capture Files
Displaying General Diagnostic Data
Managing Disk Space
Configuring the Log and Report History
Displaying Memory Consumption
Displaying the CPU Utilization
Monitoring System Resources
Managing the ARP Cache
Displaying Network Statistics
Using Traceroute
Verifying Connectivity
Obtaining Debug Information
Using Detector Diagnostic Tools
This chapter describes how to display statistics and diagnostics on the Cisco Traffic Anomaly Detector (Detector) and contains the following sections:
•Displaying the Detector Configuration
•Displaying Detector Zones
•Using Counters to Analyze Traffic
•Displaying the Zone Status
•Managing Detector Logs
•Monitoring Network Traffic and Extracting Attack Signatures
•Displaying General Diagnostic Data
•Managing Disk Space
•Displaying Memory Consumption
•Displaying the CPU Utilization
•Monitoring System Resources
•Managing the ARP Cache
•Displaying Network Statistics
•Using Traceroute
•Verifying Connectivity
•Obtaining Debug Information
Displaying the Detector Configuration
You can display the Detector configuration file, which includes information about the Detector configuration, such as interface IP addresses, default gateway addresses, and configured zones.
To display the Detector configuration file, use the following command:
show running-config [all | detector | interfaces interface-name | router | self-protection | zones]
Table 11-1 provides the arguments and keywords for the show running-config command.
Table 11-1 Arguments and Keywords for the show running-config Command
Parameter
|
Description
|
all
|
(Optional) Displays configuration files of all Detector functions (Detector, zones, interfaces, router, and self-protection).
|
detector
|
(Optional) Displays the Detector configuration file.
|
interfaces interface-name
|
(Optional) Displays the configuration file of the Detector interfaces. Enter the interface name.
|
router
|
(Optional) Displays the router configuration.
|
zones
|
(Optional) Displays the configuration files of all zones.
|
The following example shows how to display the Detector configuration file:
user@DETECTOR# show running-config detector
The configuration file consists of the commands that you enter to configure the Detector with the current settings. You can export the Detector configuration file to a remote FTP server for backup purposes or for implementing the Detector configuration parameters on another Detector. See the "Displaying Detector Zones" section for more information.
Displaying Detector Zones
You can display an overview of the zones to see which zones are active and what their current status is by entering the show command in global mode.
Table 11-2 describes the possible operating states of a zone.
Table 11-2 Zone Status
Status
|
Description
|
Auto detect mode
|
Zone anomaly detection is enabled, and the dynamic filters are activated without user intervention.
The Detector displays (+learning) next to the zone name if zone anomaly detection is enabled and the Detector is learning zone traffic characteristics for policy threshold tuning.
|
Interactive detect mode
|
Zones are in interactive detect mode, and the dynamic filters are activated manually.
|
Threshold Tuning phase
|
Zones are in the threshold tuning phase. The Detector analyzes the zone traffic and defines thresholds for the policies that were constructed during the policy construction phase of the learning process.
|
Policy Construction phase
|
Zones are in the policy construction phase, and the zone policies are created.
|
Standby
|
Zones are not active.
|
The following example shows how to display an overview of the Detector zones:
Using Counters to Analyze Traffic
You can display Detector and zone counters to display information about the current traffic that the Detector is handling, analyze zone traffic, and perform monitoring tasks.
This section contains the following topics:
•Displaying Counters and Average Traffic Rates
•Clearing Detector and Zone Counters
Displaying Counters and Average Traffic Rates
To display the zone counters, use one of the following commands:
•show [zone zone-name] rates—Displays the average traffic rate of the received counter.
•show [zone zone-name] rates details—Displays the average traffic rate of the received counter. When you execute this command from the global or configuration mode without using the zone keyword, the average traffic rate of any invalid zone is also displayed.
•show [zone zone-name] rates history—Displays the average traffic rate of the received counter for every minute in the past 24 hours.
•show [zone zone-name] counters—Displays the received counter.
•show [zone zone-name] counters details—Displays the received counter. When you execute this command from the global or configuration mode without using the zone keyword, the average traffic rate of any invalid zone is also displayed.
•show [zone zone-name] counters history—Displays the value of the received counter for every minute in the past hour.
To display the Detector counters, use the command in global or configuration mode.
To display the zone counters, use the command in one of the following command modes:
•Zone configuration mode—Do not use the zone zone-name keyword and argument because the command displays only the information related to the current zone configuration mode.
•Global or configuration mode—Enter the zone keyword and the zone-name argument to specify the zone name.
The rate units are in bits per second (bps) and in packets per second (pps).
Note Zone rates are available only when you enable zone anomaly detection or activate the learning process.
The counter units are in packets and in kilobits. The counters are set to zero when you activate zone detection.
Table 11-3 displays the Detector counters.
Table 11-3 Detector Counters
Counter
|
Description
|
Received
|
Total packets, destined to the zone, that were handled by the Detector.
|
Invalid zone
|
Traffic that is not destined to any one of the zones for which anomaly detection is enabled. This information is available for Detector counters only (if you enter the command in global or configuration mode without using the zone keyword).
|
The following example shows how to display the Detector average traffic rates:
user@DETECTOR-conf-zone-scannet# show rates
Clearing Detector and Zone Counters
You can clear the Detector or zone counters if you are going to perform testing and want to be sure that the counters include information from the testing session only. The Detector clears the counters and the average traffic rates.
To clear the Detector counters, use the following command in global or configuration mode:
clear counters
The following example shows how to clear the Detector counters:
user@DETECTOR-conf# clear counters
To clear the zone counters, use one of the following commands:
•clear counters—In zone configuration mode.
•clear zone zone-name counters—In global or configuration mode. The zone-name argument specifies the name of the zone.
The following example shows how to clear the zone counters:
user@DETECTOR-conf-zone-scannet# clear counters
Displaying the Zone Status
To display an overview of the zone and its current status, use the show command in zone configuration mode. The overview includes the following information:
•Zone status—Indicates the operation state. The operation state can be one of the following: protect mode, protect and learning mode, threshold tuning mode, policy construction mode, or inactive.
•Zone basic configuration—Describes the basic zone configuration, such as automatic or interactive detect mode, thresholds, timers, and IP addresses.
See the "Configuring Zone Attributes" section on page 4-6 for more information.
•Zone filters—Includes the flex-content filter configuration and the number of active dynamic filters. If the zone is in interactive detect mode, the overview displays the number of recommendations.
See the "Configuring Flex-Content Filters" section on page 5-2 and the "Configuring Dynamic Filters" section on page 5-12 for more information.
•Zone traffic rates—Displays the zone legitimate and malicious traffic rates.
See the "Using Counters to Analyze Traffic" section for more information.
The following example shows how to display the zone status:
user@DETECTOR-conf-zone-scannet# show
Managing Detector Logs
The Detector automatically logs the system activity and events. You can display the Detector logs to review and track the Detector activity.
Table 11-4 displays the event log levels.
Table 11-4 Event Log Levels
Event Level
|
Numeric Code
|
Description
|
Emergencies
|
0
|
System is unusable.
|
Alerts
|
1
|
Immediate action required.
|
Critical
|
2
|
Critical condition.
|
Errors
|
3
|
Error condition.
|
Warnings
|
4
|
Warning condition.
|
Notifications
|
5
|
Normal but significant condition.
|
Informational
|
6
|
Informational messages.
|
Debugging
|
7
|
Debugging messages.
|
The log file displays all log levels (emergencies, alerts, critical, errors, warnings, notification, informational, and debugging). The Detector log file includes zone events with severity levels: emergencies, alerts, critical, errors, warnings, and notifications.
You can display the event log locally or from a remote server. This section contains the following topics:
•Managing Online Event Logs
•Managing the Log File
Managing Online Event Logs
This section describes how to manage the Detector real-time logging of events and contains the following topics:
•Displaying Online Event Logs
•Exporting Online Event Logs
Displaying Online Event Logs
You can activate the Detector monitoring feature and display a real-time event log, which enables you to view the online logging of the Detector events. To display the online event logs, use the following command:
event monitor
The following example shows how to activate monitoring:
user@DETECTOR# event monitor
The screen constantly updates to show new events.
Note To deactivate monitoring, use the no event monitor command.
Exporting Online Event Logs
You can export the Detector online event logs to display the Detector operations that are registered in the log file and to display the Detector events from a remote host while they are registered in the Detector log file. The Detector log file is exported using the syslog mechanism. You can export the Detector log file to several syslog servers and specify additional servers so that if one server goes offline, another server is available to receive messages.
Online Detector log export is applicable with a remote syslog server only. If a remote syslog server is not available, use the copy log command to export the Detector log information to a file.
The following is an example of a logging event:
Sep 11 16:34:40 10.4.4.4 cm: scannet, 5 threshold-tuning-start: Zone activation completed
successfully.
The system log message syntax is as follows:
event-date event-time Detector-IP-address software-daemon/modulel zone-name event-severity-level event-type event-description
To export online event logs, perform the following steps:
Step 1 (Optional) Configure the logging parameters by entering the following command in configuration mode:
logging {facility | trap}
Table 11-5 provides the keywords for the logging command.
Table 11-5 Keywords for the logging Command
Parameter
|
Description
|
facility
|
Specifies the export syslog facility. The remote syslog server uses logging facilities to filter events. For example, the logging facility allows the remote user to receive the Detector events in one file and use another file for events from other networking devices.
The available facilities are local0 through local7. The default is local4.
|
trap
|
Specifies the severity level of the syslog traps sent to the remote syslog. When you specify one of the lower severity levels, the event log includes the higher severity levels above it. For example, if the trap level is set to warning, then error, critical, alert, and emergency traps are also sent. The available trap levels from the highest to the lowest severity level are emergencies, alerts, critical, errors, warnings, notification, informational, and debugging. The default is notification.
|
Note To receive events about the addition and removal of dynamic filters, change the trap level to informational.
Step 2 Configure the remote syslog server IP address by entering the following command:
logging host remote-syslog-server-ip
The remote-syslog-server-ip argument specifies the remote syslog server IP address.
To build a list of syslog servers that receive logging messages, use the logging host command more than once.
The following example shows how to configure the Detector to send traps with a severity level that is higher than notification. The Detector sends the traps using the facility local3 to a syslog server with IP address 10.0.0.191:
user@DETECTOR-conf# logging facility local3
user@DETECTOR-conf# logging trap notifications
user@DETECTOR-conf# logging host 10.0.0.191
To display the configuration that the Detector uses to export online event logs, use the show logging command or the show log export-ip command.
Managing the Log File
This section describes how to manage the Detector log file and contains the following topics:
•Displaying the Log File
•Exporting the Log File
•Clearing the Log File
•Clearing the BIOS System Log File
Displaying the Log File
You can display the Detector log for diagnostic or monitoring purposes. The Detector log file includes zone events with these severity levels: emergencies, alerts, critical, errors, warnings, and notification.
To display the Detector log, use the following command in global mode:
show log
The following example shows how to display the Detector log:
You can display a zone log to display events that relate to the specified zone only.
To display the zone log, use the show log command in zone configuration mode.
Exporting the Log File
You can export the Detector log file to a network server for monitoring or diagnostics by entering one of the following commands in global mode:
•copy [zone zone-name] log ftp server full-file-name [login [password]]
•copy [zone zone-name] log {sftp | scp} server full-file-name login
Table 11-6 provides the arguments and keywords for the copy log ftp command.
Table 11-6 Arguments and Keywords for the copy log ftp Command
Parameter
|
Description
|
zone zone-name
|
(Optional) Specifies the zone name. Exports the zone log file. The default is to export the Detector log file.
|
log
|
Exports the log file.
|
ftp
|
Specifies File Transfer Protocol (FTP).
|
sftp
|
Specifies Secure File Transfer Protocol (SFTP).
|
scp
|
Specifies Secure Copy Protocol (SCP).
|
server
|
IP address of the network server, path, and filename. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2). If you do not specify a path, the server saves the file in your home directory.
|
login
|
(Optional) Server login name. The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
|
password
|
(Optional) Password for the remote FTP server. If you do not enter the password, the Detector prompts you for it.
|
Note You can configure the Detector to export event logs automatically by using the logging host command. See the "Exporting Online Event Logs" section for more information.
Because SFTP and SCP rely on Secure Shell (SSH) for secure communication, if you do not configure the key that the Detector uses before you enter the copy command with the sftp or scp option, the Detector prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section on page 3-27 for more information about how to configure the key that the Detector uses for secure communication.
The following example shows how to export the Detector log file to an FTP server:
user@DETECTOR# copy log ftp 10.0.0.191 log.txt <user> <password>
Clearing the Log File
You can clear the Detector or zone log file if it is large or if you are going to perform testing and want to be sure that the log file includes information from the testing session only.
To clear the zone log file of all entries, use the following command in zone configuration mode:
clear log
To clear the Detector or zone log file of all entries, use the following command in configuration mode:
clear [zone zone-name] log
The optional zone zone-name keyword and argument specifies the zone name. The default is to clear the Detector log file.
The following example shows how to clear the Detector log:
user@DETECTOR-conf# clear log
Clearing the BIOS System Log File
The BIOS system log contains mainly hardware-related event messages, such as the number of times that the device was powered off or restarted. You can clear the BIOS system log by using the following command in configuration mode:
clear log bios
The following example shows how to clear the BIOS log:
user@DETECTOR-conf# clear log bios
Monitoring Network Traffic and Extracting Attack Signatures
You can configure the Detector to record traffic directly from the network through nonintrusive taps and create a database from the recorded traffic. By querying the recorded traffic database, you can analyze past events, generate signatures of an attack, or compare current network traffic patterns with traffic patterns that the Detector recorded previously under normal traffic conditions.
You can configure filters so that the Detector records only traffic that meets certain criteria or you can record all traffic data and filter the traffic that the Detector displays.
The Detector records the traffic in PCAP format, which is compressed and encoded by the gzip (GNU zip) program with an accompanying file in Extensible Markup Language (XML) format that describes the recorded data.
The Detector can analyze the recorded traffic to determine if there are any common patterns or signatures that appear in the payload of the recorded attack packets. The Detector can extract attack signatures from the recorded traffic. Using the attack signature, you can configure a flex-content filter to block all traffic containing packet payloads that match the signature.
The Detector can record traffic as follows:
•Automatically—Continuously records the traffic data in packet-dump capture files.
•Manually—Records the traffic in packet-dump capture files when you activate the Detector to record the traffic.
New packet-dump capture files replace previous files. To save the recorded traffic, export the packet-dump capture files to a network server before you activate the Detector to record traffic again.
You can activate only one manual packet-dump capture at a time for a zone, but you can activate the manual packet-dump capture and the automatic packet-dump capture simultaneously. The Detector can manually record traffic for up to 10 zones simultaneously.
The Detector allocates, by default, 5-GB disk space for the manual packet-dump capture files of all zones. The Detector can save up to 50-GB disk space for manual and automatic packet-dump capture files of all zones. You must delete old files to free the disk space for additional packet-dump capture files.
This section contains the following topics:
•Configuring the Detector to Automatically Record Traffic
•Activating the Detector to Manually Record Traffic
•Stopping the Detector from Manually Recording Traffic
•Managing Packet-Dump Capture Files Disk Space
•Displaying Manual Packet-Dump Settings
•Displaying Automatic Packet-Dump Settings
•Exporting Packet-Dump Capture Files Automatically
•Exporting Packet-Dump Capture Files Manually
•Importing Packet-Dump Capture Files
•Displaying Packet-Dump Capture Files
•Generating Attack Signatures from Packet-Dump Capture Files
•Copying Packet-Dump Capture Files
•Deleting Packet-Dump Capture Files
Configuring the Detector to Automatically Record Traffic
You can activate the Detector to automatically record network traffic for troubleshooting network problems or analyzing attack traffic. By using packet-dump capture filters, you can configure the Detector to record only the traffic that meets the criteria that you specify. You can also record all traffic and apply packet-dump capture filters to the recorded traffic when you view it.
The Detector records traffic in a capture buffer. When the capture buffer size reaches 50 MB, or after 10 minutes have elapsed, the Detector saves the buffered information to a local file in a compressed format, clears the buffer, and then continues recording traffic.
The Detector saves multiple automatic packet-dump capture files. The Detector divides the recorded traffic based on the way that it handled the traffic, so you might have more than one automatic packet-dump capture file from a single time frame. The name of the automatic packet-dump capture file provides information about when the Detector recorded the traffic and how it handled the traffic.
Table 11-7 describes the sections of the automatic packet-dump capture filename.
Table 11-7 Sections of the Automatic Packet-Dump Capture Filename
Section
|
Description
|
Function
|
Type of Detector function performed at the time of the packet-dump capture:
•protect—The Detector recorded the traffic during zone anomaly detection.
•learn—The Detector recorded the traffic during the zone learning process or the detect and learning process.
|
Capture start time
|
Time that the Detector started recording the traffic.
|
Capture end time
|
(Optional) Time that the Detector finished recording the traffic. If the Detector is currently recording the traffic to the file, the end time is not displayed.
|
Dispatch
|
Method that the Detector used to handle the traffic. The Detector supports the following method:
dropped—The Detector received traffic. The Detector does not forward traffic, so it is dropped.
|
When you enable the learning process or the detect and learning function, the Detector saves all of the packet-dump capture files that it creates. When you enable zone detection, the Detector saves one set of past packet-dump capture files only. To save all packet-dump capture files when zone detection is enabled, configure the Detector to automatically export the packet-dump capture files that it creates to a network server.
When you activate zone detection or activate the Detector to automatically record network traffic, the Detector erases all previous packet-dump capture files that it recorded during the detection process and creates new ones.
To configure the Detector to automatically record network traffic, perform the following steps:
Step 1 Configure the Detector to automatically record zone traffic. Enter the following command in zone configuration mode:
Step 2 (Optional) To create a packet-dump capture database, export the packet-dump capture files to a network server.
See the "Configuring the Detector to Automatically Record Traffic" section.
The following example shows how to configure the Detector to automatically record zone traffic:
user@DETECTOR-conf-zone-scannet# packet-dump auto-capture
To stop the Detector from automatically capturing zone traffic data, use the no packet-dump auto-capture command.
To display the current packet-dump settings, use the show packet-dump command.
Activating the Detector to Manually Record Traffic
You can activate the Detector to start recording traffic so that you can record traffic during a specific period or change the criteria that the Detector uses to record the traffic.
The Detector stops recording traffic and saves the manual packet-dump capture to a file when the specified number of packets have been recorded or when either the learning process or zone detection have ended.
You can activate only one manual packet-dump capture at a time for a zone, but you can activate the manual packet-dump capture and the automatic packet-dump capture simultaneously. The Detector can record manual packet-dump captures for up to 10 zones simultaneously.
To activate a manual packet-dump capture, use the following command in zone configuration mode:
packet-dump capture [view] capture-name pdump-rate pdump-count [tcpdump-expression]
Note The CLI session halts while the traffic is captured. To continue working while the capture is in process, establish an additional session with the Detector.
Table 11-8 provides the arguments and keywords for the packet-dump command.
Table 11-8 Arguments and Keywords for the packet-dump Command
Parameter
|
Description
|
view
|
(Optional) Displays the traffic that the Detector is recording in real time.
|
capture-name
|
Name of the packet-dump capture file. Enter an alphanumeric string from 1 to 63 characters. The string can contain underscores but cannot contain spaces.
|
pdump-rate
|
Sample rate in packets per second. Enter a value from 1 to 10000.
Note The Detector supports a maximum accumulated packet-dump capture rate of 10000 pps for all concurrent manual captures.
A packet-dump capture configured with a high sample-rate value consumes resources. We recommend that you use high-rate values cautiously because of the potential performance penalty.
|
pdump-count
|
Number of packets to record. When the Detector finishes recording the specified number of packets, it saves the manual packet-dump capture buffer to a file. Enter an integer from 1 to 5000.
|
tcpdump-expression
|
(Optional) Filter that you apply to specify the traffic to record. The Detector captures only traffic that complies with the filter expression. The expression rules are identical to the flex-content filter TCPDump expression rules. See the "Configuring the tcpdump-expression Syntax" section on page 5-5 for more information.
|
The following example shows how to activate a manual packet-dump capture to record 1000 packets with a sample rate of 10 pps and display the packets that are captured:
user@DETECTOR-conf-zone-scannet# packet-dump capture view 10 1000
Stopping the Detector from Manually Recording Traffic
The Detector stops a manual packet-dump capture when it records the number of packets that you specified when you activated the capture. However, you can stop a manual packet-dump capture before the Detector records the specified number of packets by performing one of the following actions:
•Press Ctrl-C in the open CLI session.
•Open a new CLI session and enter the following command in the desired zone configuration mode:
no packet-dump capture capture-name
The capture-name argument specifies the name of the capture to stop.
The Detector saves the packet-dump capture file.
Managing Packet-Dump Capture Files Disk Space
By default, the Detector allocates 2 GB of disk space for the zone automatic packet-dump capture files. To modify the amount of disk space that the Detector allocates for the zone automatic packet-dump capture files, use the following command in zone configuration mode:
packet-dump disk-space disk-space
The disk-space argument specifies the amount of disk space that the Detector allocates for the zone automatic packet-dump capture files in megabytes. Enter an integer from 1 to 51200.
The following example shows how to configure the amount of disk space that the Detector allocates for the zone automatic packet-dump capture files:
user@DETECTOR-conf-zone-scannet# packet-dump disk-space 500
The Detector saves past packet-dump capture files in PCAP format, which is compressed and encoded by the gzip (GNU zip) program.
See the "Displaying Manual Packet-Dump Settings" section for information about how to view the current amount of allocated disk space.
Displaying Manual Packet-Dump Settings
You can display the current amount of disk space that the Detector allocated for manual packet-dump capture files by using the show packet-dump command in configuration mode or in global mode. The Detector allocates a single block of disk space for the manual packet-dump capture files of all zones.
The following example shows how to display the current amount of disk space that the Detector allocated for manual packet-dump capture files:
user@DETECTOR-conf# show packet-dump
Table 11-9 describes the fields in the show packet-dump command output.
Table 11-9 Field Descriptions for the Manual show packet-dump Command Output
Field
|
Description
|
Allocated disk-space
|
Amount of total disk space that the Detector has allocated for manual packet-dump captures of all zones in megabytes.
|
Occupied disk-space
|
Percentage of allocated disk space consumed by manual packet-dump files from all zones.
|
Displaying Automatic Packet-Dump Settings
You can display the current amount of disk space that is allocated for the zone automatic packet-dump capture files by using the show packet-dump command in zone configuration mode.
The following example shows how to display the current amount of disk space that is allocated for the zone automatic packet-dump capture files:
user@DETECTOR-conf-zone-scannet# show packet-dump
Table 11-10 describes the fields in the show packet-dump command output.
Table 11-10 Field Descriptions for the Automatic show packet-dump Command Output
Field
|
Description
|
Automatic-capture
|
State of the automatic packet-dump capture process.
|
Allocated disk-space
|
Amount of disk space that the Detector has allocated for automatic packet-dump captures in megabytes.
|
Occupied disk-space
|
Percentage of the allocated disk space that is currently consumed by the automatic packet-dump captures.
|
Exporting Packet-Dump Capture Files Automatically
You can configure the Detector to automatically export packet-dump capture files to a network server that uses FTP, SFTP, or SCP to transfer files. When you enable the automatic export function, the Detector exports the packet-dump capture files each time that it saves the contents of the packet-dump buffer to a local file. The Detector exports the packet-dump capture files in PCAP format, which is compressed and encoded by the gzip (GNU zip) program, with an accompanying file in XML format that describes the recorded data. The XML schema is described in the Capture.xsd file which you can download from the Software Center at http://www.cisco.com/public/sw-center/.
To configure the Detector to export packet-dump capture files automatically, use the following command in configuration mode:
export packet-dump file-server-name
The file-server-name argument specifies the name of a network server to which you export the files that you configure by using the file-server command. If you configure the network server for SFTP or SCP, you must configure the SSH key that the Detector uses for SFTP and SCP communication. See the "Exporting Files Automatically" section on page 12-5 for more information.
The following example shows how to automatically export packet-dump capture files:
user@DETECTOR-conf# export packet-dump Corp-FTP-Server
Exporting Packet-Dump Capture Files Manually
You can manually export packet-dump capture files to a network server that uses FTP, SFTP, or SCP to transfer files. You can export a single packet-dump capture file or all packet-dump capture files of a specific zone. The Detector exports the packet-dump capture files in PCAP format, which is compressed and encoded by the gzip (GNU zip) program with an accompanying file in XML format that describes the recorded data. See the Capture.xsd file that accompanies the version for a description of the XML schema. You can download the xsd files that accompany the version from www.cisco.com.
To manually export packet-dump capture files to a network server, use one of the following commands in global mode:
•copy zone zone-name packet-dump captures [capture-name] ftp server remote-path [login [password]]
•copy zone zone-name packet-dump captures [capture-name] {sftp | scp} server remote-path login
•copy zone zone-name packet-dump captures [capture-name] file-server-name
Table 11-11 provides the arguments and keywords for the copy zone packet-dump command.
Table 11-11 Arguments and Keywords for the copy zone packet-dump Command
Parameters
|
Description
|
zone zone-name
|
Specifies the name of an existing zone.
|
packet-dump captures
|
Exports packet-dump capture files.
|
capture-name
|
(Optional) Name of an existing packet-dump capture file. If you do not specify the name of a packet-dump capture file, the Detector exports all the zone packet-dump capture files. See the "Displaying Packet-Dump Capture Files" section for more information.
|
ftp
|
Specifies FTP.
|
sftp
|
Specifies SFTP.
|
scp
|
Specifies SCP.
|
server
|
IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).
|
remote-path
|
Complete name of the path where the Detector saves the packet-dump capture files.
|
login
|
(Optional) Server login name. The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
|
password
|
(Optional) Password for the remote FTP server. If you do not enter the password, the Detector prompts you for one.
|
file-server-name
|
Name of a network server. You must configure the network server using the file-server command.
If you configured the network server using SFTP or SCP, you must configure the SSH key that the Detector uses for SFTP and SCP communication.
See the "Exporting Files Automatically" section on page 12-5 for more information.
|
Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Detector uses before you enter the copy command with the sftp or scp option, the Detector prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section on page 3-27 for more information about how to configure the key that the Detector uses for secure communication.
The following example shows how to manually export the packet-dump capture files of zone scannet to FTP server 10.0.0.191:
user@DETECTOR# copy zone scannet packet-dump captures ftp 10.0.0.191 <user> <password>
The following example shows how to manually export the packet-dump capture files of zone scannet to a network server that was defined by using the file-server command:
user@DETECTOR# copy zone scannet packet-dump captures cap-5-10-05 Corp-FTP-Server
Importing Packet-Dump Capture Files
You can import packet-dump capture files from a network server to the Detector so that you can analyze past events or compare current network traffic patterns with traffic patterns that the Detector previously recorded under normal traffic conditions. The Detector imports the packet-dump capture files in both XML and PCAP formats.
To import a packet-dump capture file, use one of the following commands in global mode:
•copy ftp zone zone-name packet-dump captures server full-file-name [login [password]]
•copy {sftp | scp} zone zone-name packet-dump captures server full-file-name login
•copy file-server-name zone zone-name packet-dump captures capture-name
Table 11-12 provides the arguments and keywords for the copy zone packet-dump command.
Table 11-12 Arguments and Keywords for the copy zone packet-dump Command
Parameter
|
Description
|
ftp
|
Specifies FTP.
|
sftp
|
Specifies SFTP.
|
scp
|
Specifies SCP.
|
zone zone-name
|
Specifies the name of an existing zone for which the packet-dump capture files are imported.
|
packet-dump captures
|
Imports packet-dump capture files.
|
server
|
IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).
|
full-file-name
|
Complete path and filename, excluding the file extension, of the file to import. If you do not specify a path, the server copies the file from your home directory.
Note Do not specify the file extension because it will cause the import process to fail.
|
login
|
(Optional) Server login name.
The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
|
password
|
(Optional) Password for the FTP server. If you do not enter the password, the Detector prompts you for one.
|
file-server-name
|
Name of a network server. You must configure the network server using the file-server command.
If you configured the network server using SFTP or SCP, you must configure the SSH key that the Detector uses for SFTP and SCP communication.
See the "Exporting Files Automatically" section on page 12-5 for more information.
|
capture-name
|
Name of the file to import. The Detector appends the name of the file to the path that you defined for the network server by using the file-server command.
|
Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Detector uses before you enter the copy command with the sftp or scp option, the Detector prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section on page 3-27 for more information about how to configure the key that the Detector uses for secure communication.
The following example shows how to import packet-dump capture files of zone scannet from FTP server 10.0.0.191:
user@DETECTOR# copy ftp zone scannet packet-dump captures 10.0.0.191
/root/scannet/captures/capture-1 <user> <password>
The following example shows how to import a packet-dump capture file from a network server:
user@DETECTOR# copy CorpFTP running-config capture-1
Displaying Packet-Dump Capture Files
You can display either a list of packet-dump capture files or the contents of a single packet-dump capture file. By default, the Detector displays a list of all zone packet-dump capture files.
To display packet-dump capture files, use the following command in zone configuration mode:
show packet-dump captures [capture-name [tcpdump-expression]]
Table 11-13 provides the arguments for the show packet-dump captures command.
Table 11-13 Arguments for the show packet-dump captures Command
Parameters
|
Description
|
capture-name
|
(Optional) Name of an existing packet-dump capture file. If you do not specify the name of a packet-dump capture file, the Detector displays a list of all zone packet-dump capture files. See Table 11-14 for field descriptions of the command output. If you specify the name of a packet-dump capture file, the Detector displays the file in TCPDump format.
|
tcpdump- expression
|
(Optional) Filter that the Detector uses when displaying the packet-dump capture file. The Detector displays only the portion of the packet-dump capture file that matches the filter criteria. The expression rules are identical to the flex-content filter TCPDump expression rules. See the "Configuring the tcpdump-expression Syntax" section on page 5-5 for more information.
|
The following example shows how to display the list of packet-dump capture files:
user@DETECTOR-conf-zone-scannet# show packet-dump captures
Table 11-14 describes the fields in the show packet-dump captures command output.
Table 11-14 Field Descriptions for the show packet-dump captures Command Output
Field
|
Description
|
Capture-name
|
Name of the packet-dump capture file. See Table 11-7 for a description of the automatic packet-dump capture filenames.
|
Size (MB)
|
Size of the packet-dump capture file in megabytes.
|
Filter
|
User-defined filter that the Detector used when recording traffic. The filter is in TCPDump format. The expression rules are identical to the flex-content filter TCPDump expression rules. See the "Configuring the tcpdump-expression Syntax" section on page 5-5 for more information.
|
Generating Attack Signatures from Packet-Dump Capture Files
An attack signature describes the common pattern that appears in the payload of attack packets. You can activate the Detector to generate the signature of attack traffic and then use this information to quickly identify future attacks of the same type. This feature allows you to detect new DDoS attacks and Internet worms even before signatures are published (for example, from antivirus software companies or mailing lists).
The Detector can generate an attack signature using the flex-content filter pattern expression syntax. You can use the attack signature in the flex-content filter pattern to filter out attack traffic. See the "Configuring Flex-Content Filters" section on page 5-2 for more information.
When you execute the attack signature generating process, you can determine the accuracy of the generated attack signature by specifying a reference packet-dump capture file containing clean (legitimate) traffic. After the Detector generates the attack signature from the packet-dump capture file containing malicious traffic, the Detector runs an analysis to determine how often the attack signature appears in the clean traffic of the reference packet-dump capture file. The Detector displays the results of the analysis as a percentage of the attack signature occurrences in the reference packet-dump capture file to the number of packets in the reference file. A percentage value that is less than 10% indicates that the attack signature is accurate and that you can use the signature to detect malicious traffic.
A percentage value that is greater than 10% indicates that the signature generating process failed. Do not use the signature to detect malicious traffic because it will result in the Detector wrongly identifying clean traffic as malicious traffic. The signature generating process may fail for the following reasons:
•The packet-dump capture file that contains malicious traffic also contains valid traffic. Use a packet-dump capture file that contains malicious traffic only during the signature generating process.
•The Detector's signature generating algorithm is unable to detect a unique signature in the sample of malicious traffic.
To generate a signature of an attack, perform the following steps:
Step 1 Activate the Detector to record traffic during the attack by using the packet-dump capture command.
See the "Activating the Detector to Manually Record Traffic" section for more information.
Step 2 Identify the packet-dump capture file that the Detector recorded during the attack. To display the list of packet-dump capture files, use the show packet-dump captures command.
See the "Displaying Packet-Dump Capture Files" section for more information.
Step 3 Activate the Detector to generate a signature of the attack traffic. Enter the following command in zone configuration mode:
show packet-dump signatures capture-name [reference-capture-name]
Table 11-15 provides the arguments for the show packet-dump signatures command.
Table 11-15 Arguments for the show packet-dump signatures Command
Parameter
|
Description
|
capture-name
|
Name of an existing packet-dump capture file from which to generate an attack signature.
|
reference-capture-name
|
(Optional) Name of an existing packet-dump capture file that the Detector recorded during normal traffic conditions. The Detector runs an analysis to determine how often the attack signature appears in the reference file.
|
Table 11-16 describes the fields in the show packet-dump signatures command output.
Table 11-16 Field Descriptions for the show packet-dump signatures Command Output
Field
|
Description
|
Start Offset
|
Offset (in bytes) from the beginning of the packet payload where the pattern begins. If you copy the pattern into the flex-content filter pattern expression, copy this offset into the flex-content filter start-offset argument.
|
End Offset
|
Offset (in bytes) from the beginning of the packet payload where the pattern ends. If you copy the pattern into the flex-content filter pattern expression, copy this offset into the flex-content filter end-offset argument.
|
Pattern
|
Signature that the Detector generated. The Detector generates the signature using the flex-content filter pattern expression syntax. See the "Configuring the pattern-expression Syntax" section on page 5-8 for more information. You can copy this pattern into the flex-content filter pattern expression.
|
Percentage
|
Percentage of the attack signature occurrences in the reference packet-dump capture file to the number of packets in the reference file.
|
The following example shows how to generate a signature from a manual packet-dump capture file:
user@DETECTOR-conf-zone-scannet# show packet-dump signatures PDumpCapture
Copying Packet-Dump Capture Files
You can copy a packet-dump capture file (or a portion of a file) under a new name. When you copy an automatic packet-dump capture file or a manual packet-dump capture file, the Detector saves them as manual files. If you want to save an existing automatic packet-dump capture file, you need to create a copy of it before the Detector overwrites the automatic packet-dump capture file with a new one.
You must manually delete packet-dump capture files if you need to free disk space. See the "Deleting Packet-Dump Capture Files" section for more information.
To copy a packet-dump capture file, use the following command in configuration mode:
copy zone zone-name packet-dump captures capture-name [tcpdump-expression] new-name
Table 11-17 provides the arguments and keywords for the copy zone packet-dump captures command.
Table 11-17 Arguments and Keywords for the copy zone packet-dump captures Command
Parameters
|
Description
|
zone zone-name
|
Specifies the name of an existing zone.
|
packet-dump
|
Copies the packet-dump capture file.
|
captures capture-name
|
Specifies the name of an existing packet-dump capture file.
|
tcpdump-expression
|
(Optional) Filter that the Detector uses to copy the packet-dump capture file. The Detector copies only the portion of the packet-dump capture file that matches the filter criteria. The expression rules are identical to the flex-content filter TCPDump expression rules. See the "Configuring the tcpdump-expression Syntax" section on page 5-5 for more information.
|
new-name
|
Name of the new packet-dump capture file.
The name is an alphanumeric string from 1 to 63 characters and can contain underscores but cannot contain spaces.
|
The following example shows how to copy a portion of the packet-dump capture file capture-1 that complies with the capture file under the name capture-2:
user@DETECTOR-conf# copy zone scannet capture-1 "tcp and dst port 80 and not src port
1000" capture-2
Deleting Packet-Dump Capture Files
The Detector allocates by default, 5 GB of disk space for the manual packet-dump capture files of all zones. It can save up to 50 GB of manual and automatic packet-dump capture files of all zones. To free disk space for additional packet-dump capture files, delete the old ones.
You can save only one manual packet-dump capture file per zone and no more than 10 packet-dump capture files on the Detector. You must delete old manual packet-dump capture files to allow space for new files.
To delete automatic or manual packet-dump capture files, use one of the following commands:
•clear zone zone-name packet-dump captures {* | name} (in configuration mode)
•clear packet-dump captures {* | name} (in zone configuration mode)
Table 11-18 provides the arguments and keywords for the clear packet-dump command.
Table 11-18 Arguments and Keywords for the clear packet-dump Command
Parameter
|
Description
|
zone zone-name
|
Specifies the name of an existing zone.
|
packet-dump captures
|
Deletes packet-dump capture files.
|
*
|
Erases all packet-dump capture files.
|
name
|
Name of the packet-dump capture file to delete.
|
The following example shows how to delete all manual packet-dump capture files:
user@DETECTOR-conf# clear packet-dump captures *
Displaying General Diagnostic Data
You can display a general summary of the diagnostic data by using the following command:
show diagnostic-info [details]
The diagnostic data consists of the following information:
•Accelerator card CPU speed—Accelerator card CPU speed.
•Accelerator card revision—Accelerator card revision number.
•Accelerator card serial—Accelerator card serial number.
•CFE version—CFE version number.
Note To change the CFE version, you must install a new flash version. To burn a new CFE version, use the flash-burn command. See the "Upgrading the Detector Software Version" section on page 12-7 for more information.
•Recognition Average Sample Loss—Calculated average packet sample loss.
•Forward failures (no resources)—Number of packets that were not forwarded due to lack of system resources.
Note A high Recognition Average Sample Loss or a large number of forward failures indicate that the Detector is overloaded with traffic. We recommend that you install more than one Detector in a load-sharing configuration.
•Fan speeds—Speed of each fan. The values are a percentage of maximum RPM.
•Maximum fans—Maximum number of fans that the system supports.
•Installed fans—Number of fans currently installed in the system.
•Running fans—List of operational fans.
•Number of system restarts—Number of times that the system has been restarted.
•System UUID—System Universal Unique ID (UUID).
•CPU temperature—Current CPU temperature in Celsius for each installed CPU.
•DASD temperature—Current hard disk drive temperature in Celsius.
•Ambient temperature—Ambient system temperature in Celsius.
The Detector has several LEDs that indicate inner operation status. These LEDs are normally off. When the LEDs are lit, they indicate hardware failure; the Detector sends a syslog message and an SNMP trap to inform the user of the problem.
Managing Disk Space
The Detector maintains activity logs and zone attack reports. If the disk usage is higher than 75 percent, or if you define a large number of zones on the Detector (over 500), we recommend that you decrease the file history parameters. When the used disk space reaches approximately 80 percent of the disk maximum capacity, the Detector displays a warning message in its syslog.
If the Detector displays a warning message, you can perform the following tasks:
•Export the Detector or zone log to a network server and then clear the log (see the "Exporting the Log File" section and the "Clearing the Log File" section).
•Export the zone attack reports to a network server and then delete the old attack reports (see the "Exporting Attack Reports" section on page 10-6 and the "Deleting Attack Reports" section on page 10-10).
•Export the packet-dump capture files and then delete the old packet-dump capture files (see the "Exporting Packet-Dump Capture Files Automatically" section, the "Exporting Packet-Dump Capture Files Manually" section, and the "Deleting Packet-Dump Capture Files" section).
•Decrease the log file and attack report history size (see the "Configuring the Log and Report History" section).
•Decrease the amount of disk space that is allocated for zone automatic packet-dump capture files (see the "Managing Packet-Dump Capture Files Disk Space" section).
We recommend that you periodically store the Detector records on a network server, and then clear the logs.
Note When disk usage reaches 80 percent of the disk maximum capacity, the Detector automatically erases 5 percent of the information to reduce the used disk space to approximately 75 percent.
You can display the percentage of used disk space by using the following command in global mode:
show disk-usage
The following example shows how to display the percentage of used disk space:
user@DETECTOR# show disk-usage
Configuring the Log and Report History
You can configure the length of time that the Detector records the logs and the attack reports of both the Detector and its zones. The Detector deletes old logs and reports.
You can configure the report and log history by using the following command:
history {logs | reports} days [enforce-now]
Table 11-19 provides the arguments and keywords for the history command.
Table 11-19 Arguments and Keywords for the history Command
Parameter
|
Description
|
logs
|
Sets the history parameters for the Detector and zone logs.
|
reports
|
Sets the history parameters for zone attack reports.
|
days
|
Number of days to keep old logs or attack reports. For the log history, the range is 1 to 7 days. For the report history, the range is 1 to 60 days.
The default log history time is 7 days; the default report history time is 30 days.
|
enforce-now
|
(Optional) Immediately adopts the newly configured history parameters. If necessary, the Detector erases existing logs and reports to conform to the new history parameters.
Note If you configure the history reporting to a shorter period, use the enforce-now keyword to reduce the log file and report file sizes to the newly configured size. You can also use the disk-clean command to erase the stored logs and reports to match the newly configured history size.
|
Displaying Memory Consumption
The Detector displays the following information:
•Memory usage in kilobytes.
•Percentage of memory that the Detector statistical engine uses as the Anomaly Detection Engine Used Memory field.
The anomaly detection engine memory usage is affected by the number of active zones and the number of services that each zone monitors.
Note If the anomaly detection engine memory usage is higher than 95 percent, we strongly recommend that you lower the number of active zones.
To display the Detector memory consumption, use the following command:
show memory
The following example shows how to display the Detector memory consumption:
user@DETECTOR# show memory
total used free shared buffers cached
In KBytes: 2065188 146260 1918928 0 2360 69232
Anomaly detection engine used memory: 0.3%
Note The total amount of free memory that the Detector has is a sum of the free memory and the cached memory.
Displaying the CPU Utilization
The Detector displays the percentage of CPU time in user mode, system mode, niced tasks (tasks with a nice value, which represents the priority of a process, that is negative), and idle. Niced tasks are counted in both system time and user time, so the total CPU utilization can be more than 100 percent.
To display the current percentage of CPU utilization, use the following command:
show cpu
The Detector displays the CPU utilization for both processors.
The following example shows how to display the current percentage of CPU utilization:
Host CPU1: 0.0% user, 0.1% system, 0.1% nice, 98.0% idle
Host CPU2: 0.0% user, 7.0% system, 0.0% nice, 92.0% idle
Monitoring System Resources
You can display an overview of the resources that the Detector is using to help you analyze and monitor the system status by entering the following command in global or configuration mode:
show resources
The following example shows how to display the system resources:
user@DETECTOR# show resources
Table 11-20 describes the fields in the show resources command output.
Table 11-20 Field Descriptions for the show resources Command Output
Field
|
Description
|
Host CPU1
|
Percentage of CPU time for CPU1 in user mode, system mode, niced tasks (tasks with a nice value, which represents the priority of a process, that is negative), and idle. Niced tasks are also counted in system time and user time so that the total CPU utilization can be more than 100 percent.
|
Host CPU2
|
Percentage of CPU time for CPU2 in user mode, system mode, niced tasks (tasks with a nice value, which represents the priority of a process, that is negative), and idle. Niced tasks are also counted in system time and user time so that the total CPU utilization can be more than 100 percent.
|
Disk space usage
|
Percentage of the allocated disk space that the Detector is using.
When the disk space usage reaches approximately 75 percent of the disk maximum capacity, the Detector displays a warning message in its syslog and sends a trap.
|
Disk space usage (continued)
|
Note When the disk usage reaches 80 percent of the disk maximum capacity, the Detector automatically erases 5 percent of the information to reduce the used disk space to approximately 75 percent.
We recommend that you periodically store the Detector records on a network server and delete the old records.
If the disk space usage reaches 80 percent, you can perform the following tasks:
•Export the Detector or zone log to a network server and then clear the log (see the "Exporting the Log File" section and the "Clearing the Log File" section).
•Export the zone attack reports to a network server and then delete the old attack reports (see the "Exporting Attack Reports" section on page 10-6 and the "Deleting Attack Reports" section on page 10-10).
•Export the packet-dump capture files and then delete the old packet-dump capture files (see the "Exporting Packet-Dump Capture Files Automatically" section, the "Exporting Packet-Dump Capture Files Manually" section, and the "Deleting Packet-Dump Capture Files" section).
•Decrease the log file and attack report history size (see the "Configuring the Log and Report History" section).
•Decrease the amount of disk space that is allocated for zone automatic packet-dump capture files (see the "Managing Packet-Dump Capture Files Disk Space" section).
|
Accelerator card memory usage
|
Percentage of memory that the accelerator card is using.
If the accelerator card memory usage is higher than 85 percent, the Detector generates an SNMP trap. A high value may indicate that the Detector is monitoring a high volume of traffic.
|
Accelerator card CPU utilization
|
Percentage of the accelerator card CPU utilization.
If the accelerator card CPU utilization is higher than 85 percent, the Detector generates an SNMP trap. A high value may indicate that the Detector is monitoring a high volume of traffic.
|
Anomaly detection engine used memory
|
Specifies the percentage of memory that the Detector statistical engine uses. The anomaly detection engine memory usage is affected by the number of active zones, the number of services each of the zones monitors, and the amount of nonspoofed traffic that the Detector is monitoring.
If the anomaly detection engine memory usage is higher than 95 percent, we strongly recommend that you lower the number of active zones.
|
Dynamic filters used
|
Total number of dynamic filters that are active in all the zones. The Detector displays the number of active dynamic filters and the percentage of dynamic filters that are active out of the total number of dynamic filters that the Detector supports, which is 150,000. If the number of active dynamic filters reaches 150,000, the Detector generates an SNMP trap with a severity level of EMERGENCY. If the number of active dynamic filters reaches 135,000, the Detector generates an SNMP trap with a severity level of WARNING.
A high value may indicate that the Detector is monitoring a high traffic volume of a DDoS attack.
|
For more information about the traps that the Detector generates, see Table 3-15 on page 3-29.
Managing the ARP Cache
You can display or manipulate the Address Resolution Protocol (ARP) cache to clear an address mapping entry or to manually define an address mapping entry. To manage the ARP cache, use one of the following commands:
arp [-evn] [-H type] [-i if] -a [hostname]
arp [-v] [-i if] -d hostname [pub]
arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub
arp [-vnD] [-H type] [-i if] -f [filename]
Note You can enter the complete keyword or an abbreviation of the keyword. The abbreviated keyword is preceded by a dash (-) and the complete keyword is preceded by two dashes (--).
Table 11-21 provides the arguments and keywords for the arp command.
Table 11-21 Arguments and Keywords for the arp Command
Abbreviated Parameter Name
|
Parameter Full Name
|
Description
|
-H type, -t type
|
--hw-type type
|
(Optional) Specifies the class of entries for which the Detector checks. The default type value is ether (hardware code 0x01 for IEEE 802.3 10-Mbps Ethernet).
|
-i If
|
--device If
|
(Optional) Specifies an interface. When you dump the ARP cache, only entries that match the specified interface are printed. If you configure a permanent or temporary ARP entry, this interface is associated with the entry. If you do not use this option, the Detector determines the interface based on the routing table. If you use the pub keyword, this interface is the interface on which the Detector answers ARP requests and must be different from the interface to which the IP datagrams are routed.
|
-s hostname hw_addr
|
--set hostname hw_addr
|
Creates an ARP address mapping entry for the hostname with the hardware address set to the hw_addr class value. If you do not enter the temp flag, the entries are stored permanently in the ARP cache.
|
-a [hostname]
|
--display [hostname]
|
Displays the entries of the specified hosts in alternate (BSD) style. The default is to display all entries.
|
-v
|
--verbose
|
(Optional) Displays the output in verbose mode.
|
-n
|
--numeric
|
Displays numerical addresses.
|
-d hostname
|
--delete hostname
|
Removes any entry for the specified host.
|
-D
|
--use-device
|
Uses the hardware address of interface ifa.
|
-e
|
|
Displays the entries in default style.
|
-f filename
|
--file filename
|
Creates an ARP address mapping entry. The information is taken from the filename file. The file format is ASCII text lines with a hostname and a hardware address separated by white space. You can also use the pub, temp, and netmask flags. In all places where a hostname is expected, you can also enter an IP address in dotted-decimal notation.
|
Caution To configure the Detector ARP cache, you must be familiar with the Detector system and the network.
The following example shows how to display the ARP entries in default style:
Address HWtype HWaddress Flags Mask Iface
10.10.1.254 ether 00:02:B3:C0:61:67 C eth1
10.10.8.11 ether 00:02:B3:45:B9:F1 C eth1
10.10.8.253 ether 00:D0:B7:46:72:37 C eth1
10.10.10.54 ether 00:03:47:A6:44:CA C eth1
Displaying Network Statistics
You can display the host network connections, routing tables, interface statistics, and multicast memberships to debug network problems by entering one of the following commands:
netstat [address_family_options] [--tcp | -t] [--udp | -u] [--raw | -w] [--listening | -l] [--all | -a]
[--numeric | -n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--symbolic | -N]
[--extend | -e [--extend | -e]] [--timers | -o] [--program | -p] [--verbose | -v] [--continuous |
-c] [delay]
netstat {--route | -r} [address_family_options] [--extend | -e [--extend | -e]] [--verbose | -v]
[--numeric | -n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous | -c]
[delay]
netstat {--interfaces | -i} [iface] [--all | -a] [--extend | -e [--extend | -e]] [--verbose | -v]
[--program | -p] [--numeric | -n] [--numeric-hosts] [--numeric-ports] [--numeric-users]
[--continuous | -c] [delay]
netstat {--groups | -g} [--numeric | -n] [--numeric-hosts] [--numeric-ports] [--numeric-users]
[--continuous | -c] [delay]
netstat {--masquerade | -M} [--extend | -e] [--numeric | -n] [--numeric-hosts] [--numeric-ports]
[--numeric-users] [--continuous | -c] [delay]
netstat {--statistics | -s} [--tcp | -t] [--udp | -u] [--raw | -w] [delay]
netstat {--version | -V}
netstat {--help | -h}
Note If you do not specify any address families, the Detector displays the active sockets of all configured address families.
Table 11-22 provides arguments and keywords for the netstat command.
Note You can enter the complete keyword or an abbreviation of the keyword. The abbreviated keyword is preceded by a dash (-) and the complete keyword is preceded by two dashes (--).
Table 11-22 Arguments and Keywords for the netstat Command
Abbreviated Parameter Name
|
Parameter Full Name
|
Description
|
address_family_ options
|
|
(Optional) The address family options can be one of the following:
•[--protocol={inet,unix,ipx,ax25,netrom,ddp}[,...]]
•[--unix|-x] [--inet|--ip] [--ax25] [--ipx] [--netrom]
•[--ddp]
|
-r
|
--route
|
Displays the Detector routing tables.
|
-g
|
--groups
|
Displays multicast group membership information for IPv4 and IPv6.
|
-i iface
|
--interface iface
|
Displays a table of all network interfaces or of the optional iface value.
|
-M
|
--masquerade
|
Displays a list of masqueraded connections for which Network Address Translation (NAT) was used.
|
-s
|
--statistics
|
Displays summary statistics for each protocol.
|
-v
|
--verbose
|
(Optional) Displays the output in verbose.
|
-n
|
--numeric
|
(Optional) Displays numerical addresses.
|
|
--numeric-hosts
|
(Optional) Displays numerical host addresses but does not affect the resolution of port or usernames.
|
|
--numeric-ports
|
(Optional) Displays numerical port numbers but does not affect the resolution of host or usernames.
|
|
--numeric-users
|
(Optional) Displays numerical user IDs but does not affect the resolution of host or port names.
|
-c
|
--continuous
|
(Optional) Displays the selected information every second on a continuous basis.
|
-e
|
--extend
|
(Optional) Displays additional information. Use this option twice for maximum detail.
|
-o
|
--timers
|
(Optional) Displays information related to networking timers.
|
-p
|
--program
|
(Optional) Displays the PID and name of the program to which each socket belongs.
|
-l
|
--listening
|
(Optional) Displays only listening sockets. These sockets are omitted by default.
|
-a
|
--all
|
(Optional) Displays both listening and nonlistening sockets.
|
delay
|
|
(Optional) Netstat cycles printing through statistics every delay seconds.
|
Note You can enter a maximum of 13 arguments and keywords in one command.
The following example shows how to display netstat information in verbose:
user@DETECTOR# netstat -v
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:1111 localhost:32777 ESTABLISHED
tcp 0 0 localhost:8200 localhost:32772 ESTABLISHED
tcp 0 0 localhost:33464 localhost:8200 TIME_WAIT
tcp 1 0 localhost:1113 localhost:33194 CLOSE_WAIT
Active UNIX domain sockets (w/o servers)
unix 2 [ ] STREAM CONNECTED 928
unix 3 [ ] STREAM CONNECTED 890 /tmp/.zserv
Using Traceroute
You can determine the route that packets take to arrive at a network host to debug network problems by entering the following command:
traceroute ip-address [-F] [-f first_ttl] [-g gateway] [-i iface]
[-m max_ttl] [-p port] [-q nqueries] [-s src_addr] [-t tos] [-w waittime] [packetlen]
Note The traceroute command displays IP addresses only, not names.
Table 11-23 provides the arguments and keywords for the traceroute command.
Table 11-23 Arguments and Keywords for the traceroute Command
Parameter
|
Description
|
ip-address
|
The IP address to which the route will be traced.
|
-F
|
(Optional) Sets the don't fragment bit.
|
-f first_ttl
|
(Optional) Sets the initial time-to-live (TTL) used in the first outgoing probe packet.
|
-g gateway
|
(Optional) Specifies a loose source route gateway. You can specify more than one gateway by using -g for each gateway. The maximum number of gateways is 8.
|
-i iface
|
(Optional) Specifies a network interface to obtain the source IP address for outgoing probe packets and, in most cases, is useful on a multihomed host.
|
-m max_ttl
|
(Optional) Sets the maximum time-to-live (maximum number of hops) used in outgoing probe packets. The default is 30 hops.
|
-p port
|
(Optional) Sets the base UDP port number used in probes. The default is 33434.
|
-q nqueries
|
(Optional) Sets the number of probes that are defined for the ttl value. The default is 3.
|
-s src_addr
|
(Optional) Sets the src_addr IP address as the source IP address in outgoing probe packets.
|
-t tos
|
(Optional) Sets the type-of-service in probe packets to the tos value. The default is zero.
|
-w waittime
|
(Optional) Sets the time in seconds to wait for a response for a probe. The default is 5 seconds.
|
packetlen
|
(Optional) Sets the packet length of the probe.
|
The following example shows how to trace the route to IP address 10.10.10.34:
user@DETECTOR# traceroute 10.10.10.34
traceroute to 10.10.10.34 (10.10.10.34), 30 hops max, 38 byte packets
1 10.10.10.34 (10.10.10.34) 0.577 ms 0.203 ms 0.149 ms
Verifying Connectivity
You can send ICMP ECHO_REQUEST packets to network hosts and verify connectivity by entering the following command:
ping ip-address [-c count] [-i interval] [-l preload] [-s packetsize] [-t ttl] [-w deadline] [-F
flowlabel] [-I interface]
[-Q tos] [-T timestamp option] [-W timeout]
Table 11-24 provides arguments and keywords for the ping command.
Table 11-24 Arguments and Keywords for the ping Command
Parameter
|
Description
|
ip-address
|
Destination IP address.
|
-c count
|
(Optional) Sends count number of ECHO_REQUEST packets. With a deadline option, the command waits for count ECHO_REPLY packets until the timeout expires.
|
-i interval
|
(Optional) Waits to send packets. The interval time is in seconds. The default is to wait for 1 second.
|
-l preload
|
(Optional) Sends preload packets without waiting for a reply.
|
-s packetsize
|
(Optional) Specifies the number of data bytes to send. The default is 56.
|
-t ttl
|
(Optional) Sets the IP TTL.
|
-w deadline
|
(Optional) Specifies the timeout in seconds before ping exits, regardless of how many packets have been sent or received.
|
-F flow label
|
(Optional) Allocates and sets a 20-bit flow label on echo request packets. If the value is zero, a random flow label is used.
|
-I interface
|
(Optional) Sets the source IP address to the specified interface address.
|
-Q tos
|
(Optional) Sets Type of Service (ToS)-related bits in Internet Control Message Protocol (ICMP) datagrams.
|
-T timestamp option
|
(Optional) Sets special IP time-stamp options.
|
-W timeout
|
(Optional) Time (in seconds) to wait for a response.
|
You can enter a maximum of 10 arguments and keywords in one command.
The following example shows how to send one ICMP ECHO_REQUEST packet to IP address 10.10.10.30:
user@DETECTOR# ping 10.10.10.30 -n 1
Obtaining Debug Information
If the Detector experiences an operational problem, Cisco TAC may request that you send them a copy of the Detector internal debug information. The Detector debug core file contains information for troubleshooting Detector malfunctions. The file output is encrypted and intended for use by Cisco TAC personnel only.
To extract debug information to an FTP, SCP, or SFTP server, perform the following steps:
Step 1 Display the Detector log file.
See the "Displaying the Log File" section for more information.
Step 2 Identify the first log message that indicates a problem to determine the time from when to extract debug information. The Detector extracts the debug information from the time specified up to the current time.
Step 3 Copy the debug information to an FTP, SCP, or SFTP server by entering the following command in global mode:
copy debug-core time {ftp | scp | sftp} server full-file-name [login [password]]
Table 11-25 provides the arguments and keywords for the copy debug-core command.
Table 11-25 Arguments and Keywords for the copy debug-core Command
Parameter
|
Description
|
time
|
Time of the event that triggers the need for debug information. The time string uses the format MMDDhhmm[[CC]YY][.ss] as follows:
•MM—Month in numeric figures
•DD—Day of the month
•hh—Hour in a 24-hour clock
•mm—Minutes
•CC—(Optional) First two digits of the year (for example, 2007)
•YY—(Optional) Last two digits of the year (for example, 2007)
•.ss—(Optional) Seconds (the decimal point must be present)
|
ftp
|
Specifies FTP.
|
scp
|
Specifies SCP.
|
sftp
|
Specifies SFTP.
|
server
|
IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).
|
full-file-name
|
Full name of the version file. If you do not specify a path, the server saves the file in your home directory.
|
login
|
(Optional) Server login name. The server assumes an anonymous login when you do not enter a login name. The server does not prompt you for a password.
|
password
|
(Optional) Server password. If you do not enter the password, the Detector prompts you for one.
|
The following example shows how to extract debug information from November 9 at 06:45 a.m. of the current year to FTP server 10.0.0.191:
user@DETECTOR# copy debug-core 11090645 ftp 10.0.0.191 /home/debug/debug-file <user>
<password>