I've moved this blog to GitHub Pages.
The RSS feed is here.
Loopback Mountain
Very Intermittent Geekery: Cisco IOS, VoIP, Infosec, etc.
Friday, September 18, 2015
Wednesday, July 15, 2015
Installing netmiko on Windows
Netmiko is a Python module by Kirk Byers that provides a wrapper around the Paramiko SSH module for doing screen scraping and CLI automation on network devices.
Paramiko has some dependencies that make installation on Windows a tad tricky. Here's a quick way to get it done:
- Install Anaconda.
- From the Anaconda shell, run "conda install paramiko".
- From the Anaconda shell, run "pip install scp".
- Install git for Windows.
- Clone netmiko with "git clone https://github.com/ktbyers/netmiko"
- cd into the netmiko directory and run "python setup.py install".
Tuesday, July 14, 2015
Extracting Traffic from Rolling Capture Files
Every so often I need to extract a subset of traffic from a set of rolling timestamped pcap files. One common place I do this is with Security Onion; one of SO's great features is full packet capture: you can easily pivot from Snort, Suricata, or Bro logs to a full packet capture view, or download the associated pcap file.
But what if you don't have an associated alert or Bro log entry? Or if you're doing pcap on some system that's not as user-friendly as Security Onion, but nonetheless supports rolling captures?
The way I usually do this is with find and xargs. Here's an example of my most common workflow, using timestamps as the filtering criteria for find:
> find . -newerct "16:07" ! -newerct "16:10" | xargs -I {} tcpdump -r {} -w /tmp/{} host 8.8.8.8
> cd /tmp
> mergecap -w merged.pcap *.pcap
Translated:
- Find all files in the current directory whose change time (ctime) is after 16:07 but not after 16:10. Note that -newerct tests the inode change time, not a creation time; for a rolling capture that is essentially when the file was last written, so the file-level window is shifted by up to one rotation interval relative to the packet times it contains. Widen the window by an interval if you need everything between 16:07 and 16:10, or filter on packet time after merging. This requires GNU find 4.3.3 or later, and it accepts many time and date formats.
- Using xargs, filter each file with the "host 8.8.8.8" BPF expression and write it to /tmp with the same filename. (If capture filenames could contain whitespace, use find -print0 with xargs -0 instead.)
- Merge all the .pcap files in /tmp into merged.pcap.
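The same extraction done in Python, as an added example that is not part of the original post: it selects on each packet's own capture timestamp rather than the file's ctime, so a rotation boundary inside the window is handled correctly, and it applies the equivalent of the BPF "host" test to untagged Ethernet/IPv4 frames (ARP, which BPF "host" would also match, and VLAN-tagged frames are not matched). It reads and writes classic libpcap only, not pcapng. The file names and addresses in demo() are constructed for the example.

```python
"""Extract one host in a time window from a directory of rolling pcap files.

Added example, not from the original post: the find | xargs tcpdump | mergecap
pipeline above, redone on each packet's own timestamp instead of file ctime,
with a BPF "host A.B.C.D" equivalent for untagged Ethernet/IPv4 frames (ARP and
VLAN-tagged frames are not matched). Classic libpcap only, not pcapng. The
files and addresses in demo() are constructed.
"""
import glob
import os
import struct
import tempfile

PCAP_MAGIC_LE = b'\xd4\xc3\xb2\xa1'   # 0xa1b2c3d4 written little-endian, microsecond stamps
PCAP_MAGIC_BE = b'\xa1\xb2\xc3\xd4'   # same magic written big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def read_packets(path):
    """Yield (ts_sec, ts_usec, frame) for each record in a libpcap file."""
    with open(path, 'rb') as f:
        data = f.read()
    end = {PCAP_MAGIC_LE: '<', PCAP_MAGIC_BE: '>'}.get(data[:4])
    if end is None:
        raise ValueError('%s: not a classic libpcap file' % path)
    linktype = struct.unpack(end + 'I', data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError('%s: linktype %d is not Ethernet' % (path, linktype))
    off = 24  # past the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + 'IIII', data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated last record: the file is still being written
        off += incl_len
        yield ts_sec, ts_usec, frame


def write_pcap(path, records):
    """Write (ts_sec, ts_usec, frame) records as a little-endian libpcap file."""
    with open(path, 'wb') as f:
        # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for sec, usec, frame in records:
            f.write(struct.pack('<IIII', sec, usec, len(frame), len(frame)))
            f.write(frame)


def ipv4_host_match(frame, host):
    """True when an untagged Ethernet/IPv4 frame has `host` as source or destination."""
    if len(frame) < 34 or struct.unpack('!H', frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    want = bytes(int(o) for o in host.split('.'))
    return frame[26:30] == want or frame[30:34] == want   # IP src at 14+12, dst at 14+16


def extract(pcap_dir, start, end, host, out_path):
    """Merge packets with start <= ts < end involving `host` into out_path; return the count."""
    matches = []
    for path in sorted(glob.glob(os.path.join(pcap_dir, '*.pcap'))):
        for sec, usec, frame in read_packets(path):
            if start <= sec + usec / 1e6 < end and ipv4_host_match(frame, host):
                matches.append((sec, usec, frame))
    matches.sort(key=lambda r: (r[0], r[1]))  # chronological, as mergecap does by default
    write_pcap(out_path, matches)
    return len(matches)


def make_frame(src, dst):
    """Constructed minimal Ethernet/IPv4 frame (20-byte IP header, no payload)."""
    eth = b'\x00\x11\x22\x33\x44\x55' + b'\x66\x77\x88\x99\xaa\xbb' + struct.pack('!H', ETHERTYPE_IPV4)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split('.')), bytes(int(o) for o in dst.split('.')))
    return eth + ip


def demo():
    """Two constructed rolling-capture files; returns the number of packets extracted."""
    t0 = 1436900000  # arbitrary epoch seconds (2015-07-14)
    with tempfile.TemporaryDirectory() as d:
        write_pcap(os.path.join(d, 'cap.0001.pcap'), [
            (t0 + 10, 0, make_frame('10.1.16.50', '8.8.8.8')),        # before the window
            (t0 + 130, 500, make_frame('8.8.8.8', '10.1.16.50')),     # in window, host is source
        ])
        write_pcap(os.path.join(d, 'cap.0002.pcap'), [
            (t0 + 200, 0, make_frame('10.1.16.50', '8.8.8.8')),       # in window
            (t0 + 210, 0, make_frame('10.1.16.50', '192.0.2.10')),    # in window, wrong host
            (t0 + 400, 0, make_frame('10.1.16.50', '8.8.8.8')),       # after the window
        ])
        return extract(d, t0 + 120, t0 + 300, '8.8.8.8', os.path.join(d, 'merged.pcap'))


if __name__ == '__main__':
    print(demo())
```

For real captures, point extract() at the capture directory with start and end as epoch seconds; tcpdump -r on the merged file will read it back as usual.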
Friday, May 15, 2015
More ADN (Awk Defined Networking)
Want to know how many IPv4 nodes are in each of your VLANs? Use ADN (this counts the switch's ARP entries, so it only sees hosts the switch has resolved within its ARP timeout, four hours by default on IOS):
ssh myswitch 'sh arp | i Vlan' | awk '{print $NF}' | sort | uniq -c | sort -rn
79 Vlan38
65 Vlan42
58 Vlan34
22 Vlan36
21 Vlan32
20 Vlan40
9 Vlan3
7 Vlan8
5 Vlan6
5 Vlan204
5 Vlan203
5 Vlan2
4 Vlan74
3 Vlan82
3 Vlan4
Friday, April 24, 2015
ADN - Awk Defined Networking
Because I have yet to transition to a completely software-defined network in which everything configures itself (wink wink), I still have to do tasks like bulk VLAN changes.
Thanks to a recent innovation called ADN, or "AWK Defined Networking", I can do this in a shorter time window than the average bathroom break. For example, I just had a request to change all ports on a large access switch stack that are currently in VLAN 76 to VLAN 64. (In an IOS regular expression the underscore matches a space, a comma, a parenthesis or brace, or the beginning or end of the line, so "| i _76_" picks out lines whose Vlan column is exactly 76 and skips 176, 760 and the like; trunk and routed ports show "trunk" or "routed" in that column and are left alone.)
# ssh switch_name.foo.com 'show int status | i _76_' | grep Gi | awk '{print "int ",$1,"\n","description PC/Phone","\n","switchport access vlan 64"}'
Password: ***
int Gi1/0/25
description PC/Phone
switchport access vlan 64
int Gi1/0/26
description PC/Phone
switchport access vlan 64
[many more deleted]
Then I copied and pasted the results into config mode. Back to lounging on the beach.
Not even any Python skills required!
Thursday, March 26, 2015
Quick Example: Elasticsearch Bulk Index API with Python
A quick example that shows how to use Elasticsearch bulk indexing from the Python client. This is dramatically faster than indexing documents one at a time in a loop with the index() method.
Saturday, February 28, 2015
Filtering .raw fields with Python Elasticsearch DSL High-Level Client
It took me a while to figure out how to search the not_analyzed ".raw" fields created by Logstash in Elasticsearch indices, using the high-level Python Elasticsearch client. Because a keyword argument name has to be a plain identifier (no dots), Python raises a SyntaxError if you try it the intuitive way (this assumes you've already set up a client as es and an index as i, as shown in the docs):
Instead, you create a dictionary with your parameters and unpack it using the ** operator:
This produces the Elasticsearch query we want:
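The two Elasticsearch posts above embedded their code as gists that are not reproduced here. The following is an added example, not the author's gists, that puts both pieces together: a generator that builds actions for elasticsearch.helpers.bulk, and the ** unpacking trick for querying a ".raw" field through the elasticsearch_dsl Search object. It assumes the elasticsearch and elasticsearch_dsl packages; the cluster address, index name, field names and documents are made up, and the two functions that talk to the cluster import their libraries lazily so the rest runs offline.

```python
"""Bulk indexing and ".raw" field filtering with the Python Elasticsearch clients.

Added example, not the author's gists. Assumes the `elasticsearch` and
`elasticsearch_dsl` packages; the cluster URL, index name, field names and
documents below are made up. Only bulk_index() and search_raw() need a
cluster; the builders run offline.
"""

# Constructed Logstash-style documents, not real log data.
SAMPLE_DOCS = [
    {'@timestamp': '2015-02-28T10:00:00Z', 'host': 'rtr-edge-01',
     'message': '%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.5(4431) -> 10.1.16.50(23), 1 packet'},
    {'@timestamp': '2015-02-28T10:00:05Z', 'host': 'sw-access-02',
     'message': '%LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down'},
    {'@timestamp': '2015-02-28T10:00:09Z', 'host': 'rtr-edge-01',
     'message': "%SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 10.1.16.50 Succeeded"},
]


def bulk_actions(index, docs, id_field=None):
    """Yield one action per document in the shape elasticsearch.helpers.bulk expects.

    A generator lets helpers.bulk stream a large input in chunks instead of
    holding every action in memory. Clusters before 7.x also want a '_type'.
    """
    for doc in docs:
        action = {'_index': index, '_source': doc}
        if id_field is not None:
            action['_id'] = doc[id_field]  # a stable id makes a re-run overwrite, not duplicate
        yield action


def bulk_index(es, index, docs, chunk_size=500):
    """Index docs in one streamed bulk request; returns helpers.bulk's (ok_count, errors)."""
    from elasticsearch import helpers  # lazy import so bulk_actions() runs without the package
    return helpers.bulk(es, bulk_actions(index, docs), chunk_size=chunk_size)


def raw_match(field, value):
    """Keyword arguments for an exact match on a not_analyzed ".raw" sub-field.

    host.raw='x' is a SyntaxError as a keyword argument, so the dotted name
    goes in a dict that the caller unpacks with **.
    """
    return {field + '.raw': value}


def search_raw(es, index, field, value):
    """Search(using=es, index=index).query('match', **{'host.raw': value}) via the DSL client."""
    from elasticsearch_dsl import Search  # lazy import, as above
    return Search(using=es, index=index).query('match', **raw_match(field, value)).execute()


if __name__ == '__main__':
    from elasticsearch import Elasticsearch
    es = Elasticsearch(['http://localhost:9200'])  # assumed cluster address
    index = 'logstash-2015.02.28'
    print(bulk_index(es, index, SAMPLE_DOCS))
    for hit in search_raw(es, index, 'host', 'rtr-edge-01'):
        print(hit.message)
```

On Elasticsearch 5 and later the default Logstash template creates ".keyword" sub-fields instead of ".raw"; the same ** trick applies with the suffix changed.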
Thursday, January 15, 2015
Pleasing terminal colors on Security Onion
To get the lovely Solarized theme working in Security Onion:
- sudo apt-get install gnome-terminal
- I'm sure there's a way to get it working in the default xfce4 terminal, but I couldn't figure it out.
- Follow instructions here: http://stackoverflow.com/questions/23118916/configuring-solarized-colorscheme-in-gnome-terminal-tmux-and-vim
Thursday, January 8, 2015
Problems with kvm-ok in VIRL with VMWare Player
I'm installing Cisco VIRL, and despite following the instructions regarding nested virtualization settings, the kvm-ok command was still complaining. I needed to edit the .vmx file for the VIRL VM and add/edit the following:
monitor.virtual_mmu = "hardware"
monitor.virtual_exec = "hardware"
vhv.enable = "TRUE"
monitor_control.restrict_backdoor = "true"
Friday, January 2, 2015
My Network Toolkit
A while back, Chris Marget of Fragmentation Needed posted a run-down of his comprehensive and extremely clever network toolkit. Because I'm something of a weight weenie, mine is a lot more slimmed down. I thought I'd post it here:
The contents:
- Two random USB drives (in case I need to leave one with somebody).
- Single-mode and multi-mode LC fiber loopback plugs.
- Rack PDU plug adapter.
- Awesome PicQuic compact screwdriver (thanks to Chris's post).
- T1 loopback plug (red) (because we still have T1s out here in the boonies).
- Cat-6 pass-through plug (white).
- Crossover adapter (orange).
- Sharpie.
- Console setup:
- USB-to-DB9 adapter.
- DB9-to-RJ45 adapter.
- Flat Cat-6 cable.
- Rollover adapter.
- Velcro tie
- Flat Cat-6 cable with velcro tie.
The Fenix AA light and Leatherman Skeletool CX almost always live in a pocket rather than the kit and go with me everywhere. The kit all fits into a small zippered case that used to hold a Dell laptop power supply.
My main goal here was to have all the hard-to-find professional stuff in one small package. I have a separate "personal" kit that contains stuff like headphones, USB cables, and chargers for personal electronics.
Friday, December 5, 2014
Imposing Artificial Limitations to Develop Skills
I'm a big fan of imposing artificial limitations on yourself in order to aid skill development. Here are some quick ideas:
- When troubleshooting network devices from the CLI, try not to look at the configuration. Use only "show" or "debug" commands instead. I found this enormously beneficial when practicing for CCIE.
- When troubleshooting larger operational issues or learning a new environment, try not to log into individual devices at all. Force yourself to use only your network management system, NetFlow, packet captures, or host-based tools like ping, traceroute, or nmap.
- When learning automation or orchestration skills, force yourself to write scripts, run API calls, or use your favorite orchestration tool to do simple things, even if it doesn't seem like they merit the extra effort.
Tuesday, July 1, 2014
Simple Python Syslog Counter
Recently I did a Packet Pushers episode about log management. In it, I mentioned some of the custom Python scripts that I run to do basic syslog analysis, and someone asked about them in the comments.
The script I'm presenting here isn't one of the actual ones that I run in production, but it's close. The real one sends emails, does DNS lookups, keeps a "rare messages" database using sqlite3, and a few other things, but I wanted to keep this simple.
One of the problems I see with getting started with log analysis is that people tend to approach it like a typical vendor RFP project: list some requirements, survey the market, evaluate and buy a product to fit your requirements. Sounds good, right? The problem with log analysis is that often you don't know what your requirements really are until you start looking at data.
A simple message counting script like this lets you look at your data, and provides a simple platform on which you can start to iterate to find your specific needs. It also lets us look at some cool Python features.
I don't recommend pushing this too far: once you have a decent idea of what your data looks like and what you want to do with it, set up Logstash, Graylog2, or a similar commercial product like Splunk (if you can afford it).
That said, here's the Python:
I tried to make this as self-documenting as possible. You run it from the CLI with a syslog file as the argument, and you get this:
$ python simple_syslog_count.py sample.txt
214 SEC-6-IPACCESSLOGP
15 SEC-6-IPACCESSLOGRL
10 LINEPROTO-5-UPDOWN
10 LINK-3-UPDOWN
7 USER-3-SYSTEM_MSG
4 STACKMGR-4-STACK_LINK_CHANGE
4 DUAL-5-NBRCHANGE
3 IPPHONE-6-UNREGISTER_NORMAL
3 CRYPTO-4-PKT_REPLAY_ERR
3 SEC-6-IPACCESSLOGRP
3 SEC-6-IPACCESSLOGSP
2 SSH-5-SSH2_USERAUTH
2 SSH-5-SSH2_SESSION
2 SSH-5-SSH2_CLOSE
10.1.16.12
6 SEC-6-IPACCESSLOGP
10.1.24.3
2 LINEPROTO-5-UPDOWN
2 LINK-3-UPDOWN
[Stuff deleted for brevity]
For Pythonistas, the script makes use of a few cool language features:
Named, Compiled Regexes
- We can name a regex match with the (?P<name>PATTERN) syntax, which makes it easy to understand when it's referenced later with the .group('name') method on the match object. This is demonstrated in lines 36-39 and 58-59 of the gist shown above.
- It would be more efficient to capture these fields by splitting the line with the .split() string method, but I wanted the script to work for unknown field positions -- hence the regex.
Multiplication of Strings
- We control indentation by multiplying the ' ' string (that is, a single space enclosed in quotes) by an integer value in the print_counter function (line 50).
- The reason this works is that the Python str class defines a special __mul__ method that controls how the * operator works for objects of that class:
>>> 'foo'.__mul__(3)
'foofoofoo'
>>> 'foo' * 3
'foofoofoo'
collections.Counter Objects
- Counter objects are a subclass of dictionaries that know how to count things. Jeremy Schulman talked about these in a comment on the previous post. Here, we use Counters to build both the overall message counts and the per-device message counts:
>>> import re
>>> my_msg = 'timestamp ip_address stuff %MY-4-MESSAGE:other stuff'
>>> CISCO_MSG = re.compile('%(?P<msg>.*?):')
>>> from collections import Counter
>>> test_counter = Counter()
>>> this_msg = re.search(CISCO_MSG,my_msg).group('msg')
>>> this_msg
'MY-4-MESSAGE'
>>> test_counter[this_msg] += 1
>>> test_counter
Counter({'MY-4-MESSAGE': 1})
collections.defaultdict Dictionaries
- It could get annoying when you're assigning dictionary values inside a loop, because you get errors when the key doesn't exist yet. This is a contrived example, but it illustrates the point:
>>> reporters = {}
>>> for reporter in ['1.1.1.1','2.2.2.2']:
...     reporters[reporter].append('foo')
...
Traceback (most recent call last):
  File "<stdin>", line 2, in <module>
KeyError: '1.1.1.1'
- To fix this, you can catch the exception:
>>> reporters = {}
>>> for reporter in ['1.1.1.1','2.2.2.2']:
...     try:
...         reporters[reporter].append('foo')
...         reporters[reporter].append('bar')
...     except KeyError:
...         reporters[reporter] = ['foo']
...         reporters[reporter].append('bar')
...
- As usual, though, Python has a more elegant way in the collections module: defaultdict
>>> from collections import defaultdict
>>> reporters = defaultdict(list)
>>> for reporter in ['1.1.1.1','2.2.2.2']:
...     reporters[reporter].append('foo')
...     reporters[reporter].append('bar')
...
>>> reporters
defaultdict(<type 'list'>, {'1.1.1.1': ['foo', 'bar'], '2.2.2.2': ['foo', 'bar']})
In the syslog counter script, we use a collections.Counter object as the type for our defaultdict. This allows us to build a per-syslog-reporter dictionary that shows how many times each message appears for each reporter, while only looping through the input once (line 66):
per_reporter_counts[reporter][msg] += 1
Here, the dictionary per_reporter_counts has the IPv4 addresses of the syslog reporters as keys, with a Counter object as the value holding the counts for each message type:
>>> from collections import Counter,defaultdict
>>> per_reporter_counts = defaultdict(Counter)
>>> per_reporter_counts['1.1.1.1']['SOME-5-MESSAGE'] += 1
>>> per_reporter_counts
defaultdict(<class 'collections.Counter'>, {'1.1.1.1': Counter({'SOME-5-MESSAGE': 1})})
>>> per_reporter_counts['1.1.1.1']['SOME-5-MESSAGE'] += 5
>>> per_reporter_counts
defaultdict(<class 'collections.Counter'>, {'1.1.1.1': Counter({'SOME-5-MESSAGE': 6})})
If you got this far, you can go implement it for IPv6 addresses. :-)
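The post embedded its script as a gist that is not reproduced here. The following is an added, self-contained reconstruction of the approach the post describes (named compiled regexes, a Counter for overall counts, a defaultdict(Counter) for per-reporter counts, and indentation by string multiplication); it is not the author's script, and its line numbers do not correspond to the ones cited above. The line format it assumes is a syslog server's own timestamp and the reporter's IPv4 address prepended to each Cisco message; the sample log lines are constructed.

```python
"""Count Cisco-style syslog message types, overall and per reporting device.

Added example: a self-contained reconstruction of the approach described in
the post (named compiled regexes, collections.Counter, defaultdict(Counter),
indentation by string multiplication). It is not the author's gist. The line
format below is an assumption: a syslog server has prepended its own
timestamp and the reporter's IPv4 address to each message.
"""
import sys
import re
from collections import Counter, defaultdict

# Named groups make the later .group('reporter') / .group('msg') calls readable.
# Field positions are not assumed, so each line is searched rather than split.
REPORTER = re.compile(r'(?P<reporter>\b\d{1,3}(?:\.\d{1,3}){3}\b)')
CISCO_MSG = re.compile(r'%(?P<msg>[A-Z0-9_]+-\d-[A-Z0-9_]+):')

# Constructed sample input, not real device logs.
SAMPLE_LOG = """\
Jul  1 10:15:02 10.1.16.12 1201: *Jul  1 10:15:01.101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.5(4431) -> 10.1.16.50(23), 1 packet
Jul  1 10:15:03 10.1.16.12 1202: *Jul  1 10:15:02.337: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.5(4432) -> 10.1.16.50(22), 1 packet
Jul  1 10:15:07 10.1.24.3 877: *Jul  1 10:15:06.912: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
Jul  1 10:15:08 10.1.24.3 878: *Jul  1 10:15:07.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/7, changed state to down
Jul  1 10:15:20 10.1.24.3 879: *Jul  1 10:15:19.004: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 10.1.16.50 (tty = 0) Succeeded
Jul  1 10:15:21 10.1.16.12 1203: this line has no Cisco message id and is skipped
"""


def count_messages(lines):
    """Return (overall_counts, per_reporter_counts) for an iterable of lines.

    One pass over the input: per_reporter_counts is a defaultdict whose
    missing keys spring into existence as empty Counters, so the nested
    += needs no KeyError handling.
    """
    overall = Counter()
    per_reporter = defaultdict(Counter)
    for line in lines:
        msg_match = CISCO_MSG.search(line)
        if msg_match is None:
            continue  # not a Cisco-format message; ignore it
        msg = msg_match.group('msg')
        rep_match = REPORTER.search(line)  # first IPv4 address is the reporter
        reporter = rep_match.group('reporter') if rep_match else 'unknown'
        overall[msg] += 1
        per_reporter[reporter][msg] += 1
    return overall, per_reporter


def format_counter(counter, indent=0):
    """Render a Counter most-common-first, each line indented by `indent` spaces."""
    pad = ' ' * indent  # str.__mul__ repeats the single space
    return '\n'.join('%s%d %s' % (pad, n, msg) for msg, n in counter.most_common())


def report(lines):
    """Full text report: overall counts, then an indented block per reporter."""
    overall, per_reporter = count_messages(lines)
    parts = [format_counter(overall)]
    for reporter in sorted(per_reporter):
        parts.append(reporter)
        parts.append(format_counter(per_reporter[reporter], indent=4))
    return '\n'.join(parts)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(report(f))
    else:
        print(report(SAMPLE_LOG.splitlines()))
```

Run it with a syslog file as the argument, or with no argument to see the report for the constructed sample.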
Friday, June 20, 2014
Python Sets: Handy for Network Data
My Python-related posts seem to get the most reads, so here's another one!
A problem that comes up fairly often in networking is finding the unique items in a large collection of data: let's say you want to find all of the unique IP addresses that accessed a website, traversed a firewall, got denied by an ACL, or whatever. Maybe you've extracted the following list from a log file:
1.1.1.1
2.2.2.2
3.3.3.3
1.1.1.1
5.5.5.5
5.5.5.5
1.1.1.1
2.2.2.2
...
and you need to reduce this to:
1.1.1.1
2.2.2.2
3.3.3.3
5.5.5.5
In other words, we're removing the duplicates. In low-level programming languages, removing duplicates is a bit of a pain: generally you need to implement an efficient way to sort an array of items, then traverse the sorted array to check for adjacent duplicates and remove them. In a language that has dictionaries (also known as hash tables or associative arrays), you can do it by adding each item as a key in your dictionary with an empty value, then extract the keys. In Python:
>>> items = ['1.1.1.1','2.2.2.2','3.3.3.3','1.1.1.1','5.5.5.5','5.5.5.5','1.1.1.1','2.2.2.2']
>>> d = {}
>>> for item in items:
... d[item] = None
...
>>> d
{'5.5.5.5': None, '3.3.3.3': None, '1.1.1.1': None, '2.2.2.2': None}
>>> unique = d.keys()
>>> unique
['5.5.5.5', '3.3.3.3', '1.1.1.1', '2.2.2.2']
or, more concisely using a dictionary comprehension:
>>> {item:None for item in items}.keys()
['5.5.5.5', '3.3.3.3', '1.1.1.1', '2.2.2.2']
Python has an even better way, however: the "set" type, which emulates the mathematical idea of a set as a collection of distinct items. If you create an empty set and add items to it, duplicates will automatically be thrown away. (The sessions shown here are Python 2; Python 3 prints sets as {'1.1.1.1', ...} and dict.keys() returns a view rather than a list, but the behaviour is the same.)
>>> s = set()
>>> s.add('1.1.1.1')
>>> s
set(['1.1.1.1'])
>>> s.add('2.2.2.2')
>>> s.add('1.1.1.1')
>>> s
set(['1.1.1.1', '2.2.2.2'])
>>> for item in items:
... s.add(item)
...
>>> s
set(['5.5.5.5', '3.3.3.3', '1.1.1.1', '2.2.2.2'])
Predictably, you can use set comprehensions just like list comprehensions to do the same thing as a one liner:
>>> {item for item in items}
set(['5.5.5.5', '3.3.3.3', '1.1.1.1', '2.2.2.2'])
Or, if you have a list built already you can just convert it to a set:
>>> set(items)
set(['5.5.5.5', '3.3.3.3', '1.1.1.1', '2.2.2.2'])
Python also provides methods for the most common types of set operations: union, intersection, difference and symmetric difference. Because these methods accept lists or other iterables, you can quickly find similarities between collections of items:
>>> items
['1.1.1.1', '2.2.2.2', '3.3.3.3', '1.1.1.1', '5.5.5.5', '5.5.5.5', '1.1.1.1', '2.2.2.2']
>>> more_items = ['1.1.1.1','8.8.8.8','1.1.1.1','7.7.7.7','2.2.2.2']
>>> set(items).intersection(more_items)
set(['1.1.1.1', '2.2.2.2'])
>>> set(items).difference(more_items)
set(['5.5.5.5', '3.3.3.3'])
Have fun!
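As an added example that is not part of the original post, here is the same set algebra applied to a task the post alludes to: comparing the unique source addresses denied by an ACL in two days' worth of log extracts, flagging new arrivals, persistent offenders and hits against a watch list, and picking out sources that are inside RFC 1918 space. The log lines, addresses and watch list are constructed for the demo.

```python
"""Set operations on addresses pulled from log extracts.

Added example, not from the original post: the set techniques above applied
to comparing the unique sources denied by an ACL on two days and checking
them against a watch list. All log lines and addresses are constructed.
"""
import re
from ipaddress import ip_address, ip_network

IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# Constructed IOS ACL-log style lines: "denied <proto> <src>(<port>) -> <dst>(<port>)"
YESTERDAY = """\
%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40001) -> 10.1.16.50(22), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40002) -> 10.1.16.50(23), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40003) -> 10.1.16.50(3389), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(40004) -> 10.1.16.50(22), 1 packet
""".splitlines()

TODAY = """\
%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(41001) -> 10.1.16.50(22), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(41002) -> 10.1.16.50(22), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.24.3(41003) -> 10.1.16.50(22), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(41004) -> 10.1.16.50(22), 1 packet
""".splitlines()

WATCHLIST = {'203.0.113.9', '192.0.2.44'}   # constructed threat-intel list
INTERNAL = [ip_network('10.0.0.0/8'), ip_network('172.16.0.0/12'), ip_network('192.168.0.0/16')]


def denied_sources(lines):
    """Unique source addresses from ACL-log lines: the last address before ' -> '."""
    sources = set()
    for line in lines:
        if 'denied' not in line or ' -> ' not in line:
            continue
        found = IPV4.findall(line.split(' -> ')[0])
        if found:
            sources.add(found[-1])   # a set silently absorbs repeats
    return sources


def compare(yesterday, today):
    """Set algebra over the two days' unique sources."""
    y, t = denied_sources(yesterday), denied_sources(today)
    return {
        'new': t - y,                            # difference: first seen today
        'gone': y - t,                           # seen yesterday only
        'persistent': y & t,                     # intersection: both days
        'either_day_only': y ^ t,                # symmetric difference
        'watchlist_hits': (y | t) & WATCHLIST,   # union, then intersect with intel
    }


def internal_sources(addresses):
    """Subset inside RFC 1918 space: denies from inside deserve a separate look."""
    return {a for a in addresses if any(ip_address(a) in net for net in INTERNAL)}


if __name__ == '__main__':
    result = compare(YESTERDAY, TODAY)
    for name in sorted(result):
        print('%-16s %s' % (name, sorted(result[name])))
    print('%-16s %s' % ('internal', sorted(internal_sources(denied_sources(TODAY)))))
```

The membership test against INTERNAL uses ipaddress objects because a string set can only answer exact-match questions; anything prefix-based needs real address types.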
Wednesday, April 2, 2014
Fun with Router IP Traffic Export and NSM
The Basics
I finally got around to setting up Security Onion (the best network security monitoring package available) to monitor my home network, only to discover that my Cisco 891 router doesn't support the right form of SPAN. Here's how I worked around it. The topology looks like this:
The 891 router has an integrated 8-port switch module, so the simple case would have been a traditional SPAN setup; something like this:
! vlan 10 is the user VLAN
monitor session 1 source interface vlan 10
monitor session 1 destination interface FastEthernet0
with the server's monitoring NIC connected to FastEthernet0.
The problem is that the 891 doesn't support using a VLAN as a source interface, and because of the way the embedded WAP works, a physical source interface won't work either. Hence, I turned to an obscure feature that's helped me occasionally in the past: Router IP Traffic Export (RITE). This is a feature of IOS software platforms that provides SPAN-like mirroring for almost any source interface.
The configuration looks like this:
ip traffic-export profile RITE_MIRROR
 interface FastEthernet0
 bidirectional
 mac-address 6805.ca21.2ddd
interface Vlan10
 ip traffic-export apply RITE_MIRROR
This takes all traffic routed across the Vlan10 SVI and sends it out the FastEthernet0 interface, rewriting the destination MAC address to the specified value. I used the MAC address of my monitoring NIC, but it shouldn't matter in this case because the monitoring NIC is directly attached. If I wanted to copy the traffic across a switched interface, it would matter.
My ESXi host (a low-cost machine from Zareason with 32GB of RAM) has two physical NICs; one for all of the regular VM traffic (using 802.1q to separate VLANs if needed) and one for monitoring. The monitoring pNIC is attached to a promiscuous mode vSwitch in ESXi, which in turn is connected to the monitoring vNIC on the Security Onion VM. The effect of this is identical to SPAN-ing all the traffic from VLAN 10 to my Security Onion monitoring system; I get Snort, Bro, Argus, and full packet capture with just the built-in software tools in IOS and ESXi.
Oddity: RITE Capture, Tunnels?
Interestingly, you can also use RITE to capture traffic to a RAM buffer and export it to a pcap file. I don't understand why you would use this instead of the much more flexible Embedded Packet Capture Feature, though.
Another thing I've wondered is whether you could use a L2 tunnel to send the mirrored traffic elsewhere in the network. The destination interface must be a physical Ethernet interface, but it would be interesting to try using a L2TPv3 tunnel from an Ethernet interface to another router--I have no idea if this would work.
Production Use?
Cisco makes the UCS E-series blades for ISR G2 routers that let you run a hypervisor on a blade inside your router chassis. These things have an external Ethernet port on them, so you should be able to connect a RITE export interface to the external port on an E-series blade, and run Security Onion inside your router. I've always wanted to try this, but I haven't been able to get funding yet to test it.