TechTip: capture traffic on TippingPoint IPS using traffic-capture CLI command or web interface

CLI

To start a packet capture on TippingPoint from the CLI, SSH to the appliance directly (not to the management server) and enter the command “traffic-capture start [filename] ANY-ANY”, where [filename] is the name of the file in which to save the capture output. This starts the capture immediately on all interfaces. To restrict the capture to particular interfaces, source/destination addresses, protocols, et cetera, use the following parameters:

traffic-capture start [filename] [pair] [parameters]
[filename] Output filename
[pair] Virtual port pair: one of 1A-1B, 1B-1A, 2A-2B, 2B-2A, 3A-3B, 3B-3A, 4A-4B, 4B-4A, ANY-ANY
-c Number of packets to capture
-C Max size of file to save to (bytes)
-s Source IP address
-d Destination IP address
-S Source port
-D Destination port
-p IP protocol (UDP, ICMP, TCP etc.)

Example: traffic-capture start october2109 3A-3B -s 192.168.1.1 -d 192.168.1.2
This starts capturing the traffic flowing through the 3A-3B interface pair from 192.168.1.1 to 192.168.1.2. You will also notice that the command-line prompt now ends with "(PktCpt=on)" (this indicator does not persist across a reconnect, even though the capture itself keeps running until it is stopped). You can list the current packet capture files with the “traffic-capture list” command.
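An added helper (not from the original post and not part of the TippingPoint CLI) that assembles a "traffic-capture start" command from the parameters listed above and validates the port pair, IP addresses and protocol before you paste the result into the SSH session:

```shell
# Added example: build and validate a "traffic-capture start" command line.
# Valid virtual port pairs as listed in the TechTip.
TP_PAIRS="1A-1B 1B-1A 2A-2B 2B-2A 3A-3B 3B-3A 4A-4B 4B-4A ANY-ANY"

# Return 0 if $1 is one of the allowed port pairs.
tp_valid_pair() {
    for p in $TP_PAIRS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
tp_valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Usage: tp_capture_cmd FILENAME PAIR [SRC_IP] [DST_IP] [PROTO]
# Prints the command to run on the IPS, or fails with a message on stderr.
tp_capture_cmd() {
    name=$1; pair=$2; src=$3; dst=$4; proto=$5
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad filename: $name" >&2; return 1 ;;
    esac
    tp_valid_pair "$pair" || { echo "bad port pair: $pair" >&2; return 1; }
    cmd="traffic-capture start $name $pair"
    if [ -n "$src" ]; then
        tp_valid_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
        cmd="$cmd -s $src"
    fi
    if [ -n "$dst" ]; then
        tp_valid_ipv4 "$dst" || { echo "bad destination IP: $dst" >&2; return 1; }
        cmd="$cmd -d $dst"
    fi
    if [ -n "$proto" ]; then
        # -p takes an IP protocol name such as TCP, UDP or ICMP.
        case $proto in
            *[!A-Za-z]*|'') echo "bad protocol: $proto" >&2; return 1 ;;
            *) cmd="$cmd -p $proto" ;;
        esac
    fi
    echo "$cmd"
}

# Reproduces the TechTip's own example from the arguments above.
tp_capture_cmd october2109 3A-3B 192.168.1.1 192.168.1.2
```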
To stop the packet capture on TippingPoint from the CLI, SSH to the appliance directly (not to the management server) and enter the command “traffic-capture stop”. This stops the active traffic capture and writes its contents to the file name selected when the capture was started.
To export the traffic capture file to an FTP server once you have stopped the capture, use the "traffic-capture export" command:
traffic-capture export [FTP server] [folder] [filename]
[FTP server] IP address of the destination FTP server
[folder] Sub-folder on the destination FTP server
[filename] Capture file to export

Example: traffic-capture export 192.168.1.1 \ october2109
You will be prompted for the FTP credentials* and the transfer is accompanied by a progress percentage counter.
*In my experience it is very difficult to get TippingPoint to authenticate to an FTP server to export the traffic capture files, which is where the next section comes in handy.
Web Interface
To start a packet capture using the web interface, browse to the TippingPoint appliance IP address (for example https://192.168.1.100/) and log in with SuperUser or Administrator level credentials. Once logged in, navigate to the Network --> Tools section and click the ambiguous "Traffic Capture" tab at the top-right of the screen. You will see a big button labelled "Create capture file"; click it to open the traffic capture configuration screen, which has the following fields:
[File Name] Traffic capture output filename
[Max File Size] Maximum size of the capture file in bytes
[Max Packets] Maximum number of packets to capture
[Virtual Segment] IPS ports on which to capture the traffic (see [pair] above)
[IP Protocol] Protocol traffic to be captured (see -p switch above)
[Source Host/Net IP] Source address (see -s switch above)
[Destination Host/Net IP] Destination address (see -d switch above)

Once you have filled in the fields, click "Start Capture" to begin capturing traffic on the selected interface pair. The active capture filename now appears with an "In progress" label and "Delete" and "Stop" icons on the Network --> Tools --> Traffic Capture page.

To stop a traffic capture using the web interface, browse to the TippingPoint appliance IP address (for example https://192.168.1.100/) and log in with SuperUser or Administrator level credentials. Once logged in, navigate to the Network --> Tools --> Traffic Capture page and click the "Stop" icon (which, intuitively, looks like a traffic stop sign) next to the active capture session you wish to stop. The "In Progress" indicator under that traffic capture filename disappears and the "Stop" button is replaced by the "Download this file" icon (a green floppy disk).

To download a capture file using the web interface, simply click the corresponding "Download this file" icon on the Network --> Tools --> Traffic Capture page.

To delete a capture file using the web interface, click the corresponding "Delete File" icon (red X) on the Network --> Tools --> Traffic Capture page.
