Imperva Cyber Community

Expand all | Collapse all

Packet capture through CLI

  • 1.  Packet capture through CLI

    Posted 04-13-2020 06:23
    Hello,

    We have implemented Imperva WAF in Bridge mode (In-Line mode). Flow of traffic as mentioned below.

    Network Firewall -----> NIPS------> Imperva WAF-------> Load Balancer -------> Web server / Application servers.

    In Network firewall NAT rule, application public ip address is NAT with load balancer private ip address. so I have configured LB ip in the server group filed.

    My concern is i want to take packet capture of particular application traffic, also want to check how much time WAF is taking to inspect / process a single packet to forward to next hop.

    Please share the command to take packet capture with filter source ip, dst ip, port , interface etc.

     

    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Tushar Sawant
    Security Analyst
    IBM Security
    Pune, India.
    ------------------------------


  • 2.  RE: Packet capture through CLI

    Imperva Employee
    Posted 04-13-2020 12:26
    Hi Tushar,

    From an elevated command prompt, first execute:

    tcpdump_on

    This will enable the mechanism required to capture packets on the bridge interfaces.

    By default, bridges are built as follows:

    Internet                        DMZ
    eth2 <--------------------> eth3
    eth4<---------------------> eth5

    The following command can be executed to confirm bridge interfaces:

    impctl gateway show

    A typical tcpdump command would be:

    tcpdump -nnpi eth2 -w /filename.cap -s0 host 10.10.10.10


    Common flags:

    n - display IP addresses and port numbers instead of domain and service names when capturing packets.

    p - do not put the port in promiscuous mode. Some switches/networks will shut down a port if it is put in promiscuous mode

    i - interface to listen on

    w /filename.cap - write output to this filename. Can include a directory structure.

    s0 - capture all bytes in the packet (note that is a zero after the s)

    port X or host Y - only traffic to or from port X OR traffic to or from host Y are to be written; ignore all other traffic.

    src host 10.10.10.10 - Capture any packets where the source host is 10.10.10.10.

    dst host 10.10.10.10 - Capture any packets where the destination host is 10.10.10.10


    IMPORTANT NOTE
    Once data capture is complete, please execute tcpdump_off
    This is crucial for system stability and performance.




    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------