Packet capture with Sourcefire CLI

This one will be short 🙂

If for some reason we need to do a packet capture on Cisco Sourcefire/Firepower, we can do it from the CLI.

Let’s say that we have issues with communication from IP 10.0.0.3 to Google’s name server 8.8.8.8. On the ASA it looks good, but we still have issues. Sure, we could try sifting through the FMC events, but where is the fun in that 🙂

So, we need to log in to the SFR module with SSH:

login as: admin
Using keyboard-interactive authentication.
Password:
Last login: Fri Mar 17 17:54:28 2017 from pop-ssd.popravak.local

Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5525 v6.2.0 (build 362)

>

Here we can direct a packet capture to the screen, which is not recommended, especially if we don’t use filters, or we can direct the capture to a file, which can later be viewed with tcpdump or Wireshark. So, let’s do both…

First, we capture to the console with:

> system support capture-traffic

But before we actually try to resolve some names, we first prepare the SFR with the right options and filter:

It is important to select the capture domain “2 – Single Context” (at least in my case), and at the Options: prompt we specify our filter, as depicted above. Now we try to resolve some name:

And on the SFR we have the expected result:

The capture options are in tcpdump format, so it is possible to redirect the output to a file by using the “-w filename.pcap” option, like this:

It is important to state “-w filename.pcap” before the capture filter, otherwise it won’t work:

Now, it may be possible to view this file from this mode, but I feel more confident doing it from expert mode. The captured file is located in the “/var/common/” folder. We can view it with the tcpdump command:

Finally, we can transfer the file from the SFR to a machine with Wireshark, for a better viewing experience. First, we list the files:

Then we transfer them using FTP or SCP. In this example we use an FTP server:

And by the way, we interrupt the packet capture with CTRL-C.
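Once the .pcap file is on the Wireshark machine, it can also be checked with a few lines of Python when Wireshark or tcpdump is not at hand. The script below is an added example and is not part of the original post or of any Cisco tool: it builds a small constructed capture in the same pcap format that “-w filename.pcap” writes (one DNS query from 10.0.0.3 to 8.8.8.8 and its reply, with made-up MAC addresses, transaction id and answer address), walks the records, and lists every DNS query together with the answers that came back. The `unanswered_queries` helper is the useful bit for the scenario above: a query that never gets a matching response is exactly what a “resolution is broken somewhere” capture would show. Only the standard library is used; to read a real file from the SFR, pass its bytes to `parse_pcap` instead of `SAMPLE_PCAP`.

```python
"""Minimal offline reader for a Sourcefire/Firepower .pcap capture (added example)."""
import struct

LINKTYPE_ETHERNET = 1  # pcap link type written for an Ethernet capture


def encode_qname(name):
    """Encode 'www.example.com' as DNS labels terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return out + b"\x00"


def decode_qname(data, offset):
    """Decode labels at offset, following a compression pointer (RFC 1035 4.1.4)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            name, _ = decode_qname(data, pointer)
            labels.append(name)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length


def build_dns_frame(src_ip, dst_ip, sport, dport, dns_payload):
    """Constructed Ethernet/IPv4/UDP frame around dns_payload (checksums left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns_payload), 0) + dns_payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + udp


def build_pcap(frames):
    """Wrap raw frames in a little-endian pcap file (magic 0xa1b2c3d4, Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1489773000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


# Constructed sample: query for www.example.com and a reply with one A record.
_QUESTION = encode_qname("www.example.com") + struct.pack("!HH", 1, 1)
QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _QUESTION
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
            + struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes([93, 184, 216, 34])))
SAMPLE_PCAP = build_pcap([
    build_dns_frame("10.0.0.3", "8.8.8.8", 40000, 53, QUERY),
    build_dns_frame("8.8.8.8", "10.0.0.3", 53, 40000, RESPONSE),
])


def parse_dns_frame(frame):
    """Return a summary dict for an IPv4/UDP frame on port 53, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:  # not UDP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    udp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, udp_off)
    if 53 not in (sport, dport):
        return None
    dns = frame[udp_off + 8:]
    txid, flags, _qdcount, ancount = struct.unpack_from("!HHHH", dns, 0)
    qname, pos = decode_qname(dns, 12)
    qtype = struct.unpack_from("!H", dns, pos)[0]
    pos += 4  # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        _, pos = decode_qname(dns, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", dns, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(map(str, dns[pos:pos + 4])))
        pos += rdlen
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "id": txid,
            "response": bool(flags & 0x8000), "qname": qname, "qtype": qtype, "answers": answers}


def parse_pcap(data):
    """Walk the pcap records (either byte order) and collect DNS summaries."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type")
    offset, records = 24, []
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        record = parse_dns_frame(data[offset + 16:offset + 16 + incl_len])
        offset += 16 + incl_len
        if record:
            records.append(record)
    return records


def unanswered_queries(records):
    """Queries whose transaction id never came back from the server they were sent to."""
    answered = {(r["src"], r["id"]) for r in records if r["response"]}
    return [r for r in records if not r["response"] and (r["dst"], r["id"]) not in answered]


if __name__ == "__main__":
    found = parse_pcap(SAMPLE_PCAP)
    for r in found:
        kind = "response" if r["response"] else "query"
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} {kind} {r['qname']} {r['answers']}")
    print("unanswered:", [r["qname"] for r in unanswered_queries(found)])
```

The same `parse_pcap` works on a file written by the SFR because the capture is plain tcpdump-format pcap; pcapng files (which newer Wireshark saves by default) have a different magic and are rejected by the check on purpose.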

Ok, that’s all for now. Thanks for reading.

This entry was posted in Cisco, FirePOWER, IPS, Security, Sourcefire.