Provisioning Flow-Tap to a Linux Mediation Device


Flow-Tap Script for Linux Device

This section presents an example Linux Expect script for sending flow-tap parameters to a Linux server. The content and distribution of this script are subject to terms and conditions of Juniper Networks, Inc.

use Expect;
use Digest::HMAC_SHA1 qw(hmac_sha1 hmac_sha1_hex);

if ($#ARGV != 3) {
    die("Usage: dfcclient.pl <router> <user_name> <password> <input_file>\n");
}
my $exp = new Expect;

my $router = $ARGV[0];
my $user = $ARGV[1];
my $password = $ARGV[2];
my $input_file = $ARGV[3];
my $command = "ssh -l $user -p 32001 $router -s flow-tap-dtcp";
my $key = "Juniper";
my $digest;
my $hexdata;
my $dtcp_cmd = "";

print "$command\n";
$exp->raw_pty(1);
$exp->spawn($command) or die "Cannot spawn $command: $!\n";

$exp->expect(15, '-re', "password:");
$exp->send("$password\n");
sleep 3;
print "\n";

# three-argument open: the file name is never interpreted as a mode or a pipe
open(DAT, '<', $input_file) || die("Could not open file!");
@raw_data=<DAT>;
close(DAT);

foreach $line (@raw_data)
{
    chomp($line);
    if ($line eq "") {
        $digest = hmac_sha1($dtcp_cmd, $key);

        # converts binary to hex
        $hexdata = unpack("H*", $digest);

        $dtcp_cmd = $dtcp_cmd . "Authentication-Info: " . $hexdata . "\r\n\r\n";
        print "Sending DTCP cmd:\n" . $dtcp_cmd;
        $exp->send($dtcp_cmd);
        $dtcp_cmd = "";
        sleep 1;
    } else {
        $dtcp_cmd = $dtcp_cmd . $line . "\r\n";
    }
}

$exp->interact();
============================
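
The signing loop above, as an added Python dry-run checker (not part of the Juniper script): it rebuilds the exact strings the loop would send, verifies each Authentication-Info value, and reports input lines that the loop would never send. The function names, the sample lines (placeholders, not real DTCP syntax) and the key value are assumptions made for this example.

```python
import hashlib
import hmac

CRLF = "\r\n"
MARKER = "Authentication-Info: "

def _tag(body, key):
    # HMAC-SHA1 over the CRLF-joined command text, hex-encoded (40 chars)
    return hmac.new(key.encode(), body.encode(), hashlib.sha1).hexdigest()

def frame_commands(lines, key):
    """Return (messages, leftover) for an input file read as a list of lines.

    messages: the exact strings the script would send, one per blank-line-
    terminated block. leftover: lines after the last blank line, which the
    script's loop never sends.
    """
    messages, block = [], []
    for raw in lines:
        line = raw[:-1] if raw.endswith("\n") else raw  # like Perl chomp
        if line == "":
            body = "".join(l + CRLF for l in block)
            messages.append(body + MARKER + _tag(body, key) + CRLF + CRLF)
            block = []
        else:
            # a file saved with CRLF endings leaves "\r" here, so no line
            # is ever empty and nothing gets framed
            block.append(line)
    return messages, block

def verify_message(message, key):
    """Recompute the tag over everything before the Authentication-Info line."""
    body, found, rest = message.rpartition(MARKER)
    if not found:
        return False
    return hmac.compare_digest(rest.strip().encode(), _tag(body, key).encode())

# Constructed sample: placeholder lines, not real DTCP syntax; the third
# block lacks its terminating blank line.
SAMPLE = ["EXAMPLE-COMMAND one\n", "Example-Field: a\n", "\n",
          "EXAMPLE-COMMAND two\n", "\n",
          "EXAMPLE-COMMAND three\n"]
KEY = "constructed-example-key"  # assumption: stands in for the shared key

if __name__ == "__main__":
    msgs, leftover = frame_commands(SAMPLE, KEY)
    for m in msgs:
        print(repr(m), "verifies:", verify_message(m, KEY))
    print("never sent (no trailing blank line):", leftover)
```
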

Invoking a Perl Script from a Linux Device

The following example shows the syntax to invoke the Perl script from a Linux device:

  1. Invoke the Perl script:
    [root@blr-e flowtap]# ./dfcclient.pl
    Usage: dfcclient.pl <router> <user_name> <password> <input_file>
    [root@blr-e flowtap]#
  2. Use the following line to push the parameter file lea1_tcp.flowtap to the router. In this example, 10.209.75.199 is the IP address of the router, and verint and verint123 are the username and password of an account that has permission to implement flow-tap-operation. Any firewall between the mediation device and the routing device should allow SSH and port 32001.
    [root@blr-e flowtap]# ./dfcclient.pl 10.209.75.199 verint verint123 lea1_tcp.flowtap
  3. Use the show policer | match flow statement to verify that the flow-tap filter is present on the router:

    user@host-M320> show policer | match flow
    Flowtap-Internal_IFL-ID-77                    183364                 2575
    Flowtap-Internal_IFL-ID-76                    150038                 1531
    Flowtap-Internal_IFL-ID-75                    244504                  626
    
