IDS interfaces and capturing the traffic
Description of network interfaces used by IDS module and hints for capturing the traffic there.
Product: Flowmon IDS
What does the idsp_eth2_in/idsp_eth2_out mean?
How to filter VLAN traffic on idsp_eth2_out?
Steps to Reproduce:
The IDS module uses the interfaces idsp_eth2_in/idsp_eth2_out as a pipe (eth2 is the name of the monitoring port). The flow exporter sends packets to idsp_eth2_in and Suricata reads the packets from idsp_eth2_out.
No traffic modification is done between the in and out interfaces.
It is possible to capture the traffic on these interfaces with tcpdump.
Filtering VLANs in tcpdump captures:
1) Filtering on the IN interface works as expected. Example for filtering VLAN 118 (118 in hex is 0x0076; 0x8100 is the EtherType of an 802.1Q-tagged frame):
[flowmon@localhost ~]$ tcpdump -i idsp_eth2_in -XX '(ether[12:2]=0x8100) and (ether[14:2]=0x0076)'
2) Filtering VLANs on the OUT interface cannot be done the same way, because there tcpdump skips the 802.1Q header, so the byte-offset filter does not match the tag. Example:
[flowmon@localhost ~]$ tcpdump -i idsp_eth2_out -XX '(ether[12:2]=0x8100) and (ether[14:2]=0x000a)'
-XX - When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.
filter ether[12:2] - matches the 2 bytes at offset 12 of the frame, i.e. the 13th and 14th bytes (the EtherType of an untagged frame, or the 0x8100 tag identifier of an 802.1Q-tagged frame)
It is possible to use a workaround to filter the VLAN ID for the OUT interface:
[flowmon@localhost ~]$ tcpdump -i idsp_eth2_out -e '(ether[12:2]=0x8100)' | grep 'vlan 118'
-e - Print the link-level header on each dump line. This can be used, for example, to print MAC layer addresses for protocols such as Ethernet and IEEE 802.11.
Another workaround is:
[flowmon@localhost ~]$ tcpdump -i idsp_eth2_out 'ether[14:2]=118 or vlan 118'
The first part of the filter (ether[14:2]=118) matches the VLAN 118 on the IN interface and the second part (vlan 118) matches it on the OUT interface.
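The byte-offset filters above compare the whole 16-bit field at offset 14, which in a tagged frame is the 802.1Q TCI: 3 priority bits (PCP), 1 DEI bit and the 12-bit VLAN ID. `ether[14:2]=0x0076` therefore matches VLAN 118 only when the priority bits are zero; masking with `& 0x0fff` (supported in pcap-filter arithmetic, and what the `vlan` keyword does internally) matches the VLAN ID regardless of priority. The following script is an added example, not part of the Flowmon article: it builds constructed Ethernet frames (placeholder MAC addresses), emulates tcpdump's `ether[offset:length]` accessor, and shows which of the two filter styles matches a tagged frame, a priority-tagged frame, and a frame whose tag is absent at offset 12 (the situation the article describes on the OUT interface). All function names are this example's own.

```python
"""Added example: 802.1Q byte layout behind the tcpdump filters in the article."""
import struct

ETHERTYPE_8021Q = 0x8100   # TPID of an 802.1Q-tagged frame (ether[12:2])
ETHERTYPE_IPV4 = 0x0800
VLAN_ID_MASK = 0x0FFF      # low 12 bits of the TCI carry the VLAN ID


def build_frame(vlan_id=None, pcp=0, dei=0, ethertype=ETHERTYPE_IPV4,
                payload=b"\x45" + b"\x00" * 19):
    """Build a minimal Ethernet frame (constructed placeholder MACs).
    When vlan_id is given, insert an 802.1Q tag after the source MAC."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    frame = dst + src
    if vlan_id is not None:
        # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        tci = (pcp << 13) | (dei << 12) | (vlan_id & VLAN_ID_MASK)
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    frame += struct.pack("!H", ethertype) + payload
    return frame


def ether(frame, offset, length):
    """Emulate tcpdump's ether[offset:length]: big-endian integer of those bytes."""
    return int.from_bytes(frame[offset:offset + length], "big")


def naive_match(frame, vlan_id):
    """'(ether[12:2]=0x8100) and (ether[14:2]=<vlan>)' as used in the article:
    compares the full TCI, so PCP and DEI must both be zero to match."""
    return (ether(frame, 12, 2) == ETHERTYPE_8021Q
            and ether(frame, 14, 2) == vlan_id)


def masked_match(frame, vlan_id):
    """'(ether[12:2]=0x8100) and ((ether[14:2] & 0x0fff)=<vlan>)':
    keeps only the 12-bit VLAN ID, so priority-tagged frames match too."""
    return (ether(frame, 12, 2) == ETHERTYPE_8021Q
            and (ether(frame, 14, 2) & VLAN_ID_MASK) == vlan_id)


def tagged_vlan_id(frame):
    """VLAN ID found in the frame bytes, or None when no 802.1Q tag sits at
    offset 12 (what the byte-offset filter sees on the OUT interface)."""
    if ether(frame, 12, 2) != ETHERTYPE_8021Q:
        return None
    return ether(frame, 14, 2) & VLAN_ID_MASK


def filter_expression(vlan_id):
    """tcpdump expression matching a tagged frame by VLAN ID regardless of PCP/DEI."""
    return f"(ether[12:2]=0x8100) and ((ether[14:2] & 0x0fff)={vlan_id:#06x})"


if __name__ == "__main__":
    samples = {
        "tagged VLAN 118, PCP 0": build_frame(118),
        "tagged VLAN 118, PCP 5": build_frame(118, pcp=5),
        "untagged (tag not at offset 12)": build_frame(None),
    }
    for name, frame in samples.items():
        print(f"{name:34} ether[14:2]={ether(frame, 14, 2):#06x} "
              f"naive={naive_match(frame, 118)} masked={masked_match(frame, 118)} "
              f"vid={tagged_vlan_id(frame)}")
    print("robust filter:", filter_expression(118))
```

Run with `python3 vlan_offsets.py`; the priority-tagged frame is the case where the article's `ether[14:2]=0x0076` filter silently misses VLAN 118 even on the IN interface, while the masked expression (or the `vlan 118` keyword) still matches. Neither style helps on the OUT interface, where the tag is not at offset 12 at all; that is what the `-e | grep` and `vlan 118` workarounds above address.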