Hi Tushar,
From an elevated command prompt, first execute:
tcpdump_on
This will enable the mechanism required to capture packets on the bridge interfaces.
By default, bridges are built as follows:
Internet                     DMZ
eth2 <--------------------> eth3
eth4 <--------------------> eth5
The following command can be executed to confirm bridge interfaces:
impctl gateway show
A typical tcpdump command would be:
tcpdump -nnpi eth2 -w /filename.cap -s0 host 10.10.10.10
Common flags:
n - display IP addresses and port numbers instead of domain and service names when capturing packets.
p - do not put the port in promiscuous mode. Some switches/networks will shut down a port if it is put in promiscuous mode
i - interface to listen on
w /filename.cap - write output to this filename. Can include a directory structure.
s0 - capture all bytes in the packet (note that is a zero after the s)
port X or host Y - only traffic to or from port X OR traffic to or from host Y is to be written; ignore all other traffic.
src host 10.10.10.10 - Capture any packets where the source host is 10.10.10.10.
dst host 10.10.10.10 - Capture any packets where the destination host is 10.10.10.10
IMPORTANT NOTE
Once data capture is complete, please execute
tcpdump_off
This is crucial for system stability and performance.
------------------------------
Jaired Anderson
Principal Consultant
Imperva
Tulsa OK
------------------------------
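As an added example (not part of Jaired's reply and not Imperva's own tooling), the sequence above wrapped in a small POSIX shell script: it builds the BPF filter from whichever of source IP, destination IP and port are given, runs tcpdump on both ends of one bridge pair so the two files can be compared for the per-packet transit time asked about in the original question, and makes sure tcpdump_off runs even when the capture is interrupted with Ctrl-C. The eth2/eth3 pair, the /var/tmp/cap output directory, the IMPERVA_CAPTURE guard and the helper names are this example's assumptions; it must be run from an elevated shell on the gateway where tcpdump_on, tcpdump_off and impctl are available.

```shell
# Added example, not from the original thread. Assumes an elevated shell on
# the Imperva gateway with tcpdump_on / tcpdump_off / impctl on PATH and the
# eth2 <-> eth3 bridge pair from the reply above.

# Build a BPF filter from optional pieces: src host, dst host, port.
# Empty arguments are skipped; the pieces are joined with "and".
build_filter() {
    src="$1"; dst="$2"; port="$3"
    f=""
    [ -n "$src" ]  && f="src host $src"
    [ -n "$dst" ]  && f="${f:+$f and }dst host $dst"
    [ -n "$port" ] && f="${f:+$f and }port $port"
    printf '%s' "$f"
}

# Capture the same filter on both sides of one bridge pair. The difference
# between a packet's timestamp in the Internet-side file and the DMZ-side
# file is the time the gateway held it. Arguments: outdir in_if out_if filter
capture_bridge() {
    outdir="$1"; in_if="$2"; out_if="$3"; filter="$4"
    mkdir -p "$outdir"
    tcpdump_on
    # On Ctrl-C or TERM, stop both captures; tcpdump_off still runs below.
    trap 'kill $p1 $p2 2>/dev/null' INT TERM
    # $filter is intentionally unquoted so the expression is split into words.
    tcpdump -nnpi "$in_if"  -s0 -w "$outdir/$in_if.cap"  $filter &
    p1=$!
    tcpdump -nnpi "$out_if" -s0 -w "$outdir/$out_if.cap" $filter &
    p2=$!
    wait $p1 $p2 || true
    trap - INT TERM
    # Always leave the gateway in its normal state (see the IMPORTANT NOTE).
    tcpdump_off
}

# Only starts a capture when IMPERVA_CAPTURE is set, so the file can be
# sourced for its functions without touching the gateway. Usage:
#   IMPERVA_CAPTURE=1 sh capture.sh 10.10.10.10 10.10.10.20 443
if [ -n "${IMPERVA_CAPTURE:-}" ]; then
    impctl gateway show    # confirm which bridge pair carries the traffic
    capture_bridge /var/tmp/cap eth2 eth3 "$(build_filter "$1" "$2" "$3")"
fi
```

Stop the capture with Ctrl-C; both tcpdump processes are killed and tcpdump_off is executed before the script returns. Open the two .cap files side by side (or merge them with mergecap) and compare the timestamps of the same packet on eth2 and eth3 to see how long the gateway took to forward it.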
Original Message:
Sent: 04-13-2020 06:23
From: Tushar Sawant
Subject: Packet capture through CLI
Hello,
We have implemented Imperva WAF in Bridge mode (In-Line mode). The flow of traffic is as mentioned below.
Network Firewall -----> NIPS------> Imperva WAF-------> Load Balancer -------> Web server / Application servers.
In the network firewall NAT rule, the application's public IP address is NATed to the load balancer's private IP address, so I have configured the LB IP in the server group field.
My concern is that I want to take a packet capture of a particular application's traffic, and I also want to check how much time the WAF is taking to inspect/process a single packet before forwarding it to the next hop.
Please share the command to take a packet capture with filters for source IP, dst IP, port, interface, etc.
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Tushar Sawant
Security Analyst
IBM Security
Pune, India.
------------------------------