
IPS50SL12

Using the sensor CLI to obtain the following information about your sensor: PEP information, service statistics, interface statistics, details about traffic traversing an interface, and tech support information. (c) 2005 Cisco Systems, Inc. All rights reserved.


Lesson 12

Monitoring the Sensor

© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.0—12-1


Using the CLI to Monitor the Sensor



Obtaining Information About Your Sensor

You can use the sensor CLI to obtain the following information about your sensor:
• PEP information
• Service statistics
• Interface statistics
• Details about traffic traversing an interface
• Tech support information



Displaying PEP Information

sensor#
show inventory
• Displays PEP information for the sensor hardware

sensor# show inventory


NAME: "Chassis", DESCR: "Chasis-4240"
PID: 4240-515E , VID: V04, SN: 639156

• Displays the product identifier, version identifier, and serial number of the local 4240 sensor



Displaying Service Statistics

sensor#
show statistics { analysis-engine | authentication | denied-attackers | event-server | event-store | host | logger | network-access | notification | sdee-server | transaction-source | virtual-sensor [name] | web-server } [clear]

• Displays statistics for the specified option

sensor# show statistics authentication


General
totalAuthenticationAttempts = 9
failedAuthenticationAttempts = 0
• Displays authentication statistics
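
A way to turn the authentication counters above into a check, as an added example that is not part of the original course material: it parses two saved copies of the `show statistics authentication` output and reports how many failures were added between them, allowing for counters that were reset with the `[clear]` option. The function names, the threshold and the second snapshot are assumptions constructed for illustration.

```python
import re

# Constructed samples in the "name = value" layout shown on the slide.
SNAPSHOT_1 = """\
General
   totalAuthenticationAttempts = 9
   failedAuthenticationAttempts = 0
"""
SNAPSHOT_2 = """\
General
   totalAuthenticationAttempts = 31
   failedAuthenticationAttempts = 20
"""

_COUNTER = re.compile(r"^\s*(\w+)\s*=\s*(\d+)\s*$")

def parse_statistics(text):
    """Return {section: {counter: int}} from 'show statistics' style output."""
    stats, section = {}, None
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m and section is not None:
            stats[section][m.group(1)] = int(m.group(2))
        elif line.strip() and not m:
            # A non-empty line without "=" starts a new section (e.g. "General").
            section = line.strip()
            stats.setdefault(section, {})
    return stats

def auth_delta(prev_text, curr_text):
    """Attempts and failures added between two snapshots.

    If a counter went backwards (for example after the [clear] option),
    the current value is taken as the delta.
    """
    prev = parse_statistics(prev_text).get("General", {})
    curr = parse_statistics(curr_text).get("General", {})
    delta = {}
    for key in ("totalAuthenticationAttempts", "failedAuthenticationAttempts"):
        before, now = prev.get(key, 0), curr.get(key, 0)
        delta[key] = now - before if now >= before else now
    return delta

def failed_auth_alert(prev_text, curr_text, max_failures=5):
    """True when new failures in the interval exceed max_failures (assumed threshold)."""
    return auth_delta(prev_text, curr_text)["failedAuthenticationAttempts"] > max_failures

if __name__ == "__main__":
    print(auth_delta(SNAPSHOT_1, SNAPSHOT_2), failed_auth_alert(SNAPSHOT_1, SNAPSHOT_2))
```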



Displaying Interface Statistics

sensor#
show interfaces { fastethernet | gigabitethernet | management } [slot/port]
• Displays statistics for system interfaces

sensor# show interfaces FastEthernet0/1

• Displays statistics for the Fast Ethernet 0/1 interface



Capturing Traffic from an Interface

sensor#
packet capture interface-name [snaplen length] [count count] [expression expression]
• Captures traffic on an interface in real time

sensor1# packet capture FastEthernet0/1
Warning: This command will cause significant performance degradation
tcpdump: WARNING: fe0_1: no IPv4 address assigned
tcpdump: listening on fe0_1, link-type EN10MB (Ethernet), capture size 65535 bytes
15 packets captured
15 packets received by filter
0 packets dropped by kernel

• Captures traffic on Fast Ethernet 0/1


Displaying Traffic Captured from an Interface

sensor#
packet display packet-file [verbose] [expression expression]
• Displays a previously captured file

sensor#
packet display file-info
• Displays information about a previously captured file

sensor#
packet display interface-name [snaplen length] [count count] [verbose] [expression expression]
• Displays live traffic as it passes the specified interface

sensor#
packet display iplog id [verbose] [expression expression]
• Displays an existing IP log

sensor# packet display FastEthernet0/1 expression host 172.30.1.2

• Displays traffic passing through Fast Ethernet 0/1 only if its source or destination is host 172.30.1.2.


Displaying Tech Support Information

sensor#
show tech-support [page] [password] [destination-url destination-url]
• Displays the current system status

sensor# show tech-support destination-url ftp://[email protected]/reports/sensor1Report.html

• Places the tech support output in the file ~ipsuser/reports/sensor1Report.html.



Using the CLI to Monitor the Sensor



Running a Diagnostics Report

[Screenshot; callouts: Monitoring, Support Information, Diagnostics Report, Generate Report]



Viewing Statistics

[Screenshot; callouts: Monitoring, Support Information, Statistics, Refresh]



Viewing System Information

[Screenshot; callouts: Monitoring, Support Information, System Information, Refresh]



Configuring SNMP Monitoring

[Screenshot; callouts: Configuration, SNMP, SNMP General Configuration, Enable SNMP Gets/Sets, Read-Only Community String, Read-Write Community String, Sensor Contact, Sensor Location, Sensor Agent Port, Sensor Agent Protocol, Apply, Reset]




Summary

• The 4240 and 4255 sensors contain a UDI, which provides the
following benefits:
– Gives you the ability to electronically inventory Cisco products
accurately and reliably
– Simplifies product identification
– Provides consistent product identification across products
• You can retrieve the UDI, a deliverable of the Cisco PEP, via
the show inventory command.
• The CLI contains the following useful troubleshooting
commands:
– show statistics: Provides a snapshot of the current internal state of sensor
services
– show interfaces: Provides statistics for sensor interfaces
– packet: Captures or displays live traffic on an interface
– show tech-support: Captures all status and configuration information on
the sensor
Summary (Cont.)

• The IDM enables you to monitor your sensor as follows:
– Run a diagnostics report
– View statistics for sensor services
– View TAC contact information and system information such as the following:
• Type of sensor
• Software version
• Upgrades installed
• PEP information

• You can configure your sensor to be monitored by SNMP.



Lab Exercise



Lab Visual Objective

[Lab topology diagram; device labels: Web/FTP, RBB, prP, prQ, sensorP, sensorQ, rP, rQ, RTS, Student PC; networks: 172.26.26.0, 172.30.P.0, 172.30.Q.0, 172.16.P.0, 172.16.Q.0, 10.0.P.0, 10.0.Q.0; student PCs at 10.0.P.12 and 10.0.Q.12]