IDP Utility for PCAP

Understanding Packet Capture

On SRX300, SRX320, SRX340, SRX345, SRX550, and SRX550HM devices, a CLI command is introduced to display and clear the contexts and their associated data for packet capture (PCAP) traffic only, which improves the IDP validation process.

You can run the packet capture utility in either inet mode or transparent mode to generate protocol contexts. Run the command-line PCAP feeder utility from the UNIX shell prompt (%).

The PCAP feeder utility takes a pair of source and destination IPv4 addresses present in the captured traffic, the interfaces through which the packets are to be fed, and the IPv4 addresses configured on those interfaces. Once the PCAPs are fed to these interfaces, the contexts generated by the PCAP traffic and the data matched for each context are recorded. The context, hits, and associated data are displayed only for traffic generated by the PCAP feeder; live traffic statistics are not captured. When feeding packets, address them to an IP in the subnet of the interface, not to the interface IP itself: if you feed packets to the interface IP, IDP security processing might not detect the contexts. Any IP address in the interface subnet other than the interface IP can be used.

Before you run new PCAPs through the PCAP feeder utility, clear the existing contexts and data by using the following clear contexts commands:

Sample command used for Inet mode PCAP feeder:

Or

Sample command used for transparent mode PCAP feeder:

Or

Table 1 describes the PCAP feeder tool fields used in the sample commands above.

Table 1: PCAP feeder tool fields

Fields             Description
pcap --quiet       Suppresses logs from appearing in the console
pcap --verbose     Enables logs to appear in the console
interface-ip1      IP address of the first interface for feeding PCAP packets
interface-ip2      IP address of the other interface for feeding PCAP packets
pcap-ip1           IP address seen in the PCAP
pcap-ip2           Another IP address seen in the PCAP
interface1         Interface 1 in SRX device
interface2         Interface 2 in SRX device

PCAP feeder does not support:

  • IPv6

  • Multiple channel protocols such as FTP
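The feeder's input constraints described above (an IPv4 address pair taken from the capture, a feed IP inside the interface subnet but not equal to the interface IP, and no IPv6) can be checked before a capture is fed. The following pre-flight script is an added example, not part of the Juniper documentation or the feeder tool itself; it parses a constructed, embedded pcap with Python's standard library (classic pcap format, Ethernet link type assumed) and reports what the feeder would need.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def _ipv4_frame(src, dst, proto=6):
    """Constructed Ethernet + minimal IPv4 header (no payload) for the sample."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip

def _pcap(frames):
    """Wrap raw frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + recs

# Constructed sample: the pcap-ip1/pcap-ip2 pair from the inet-mode example (6.0.0.1 <-> 7.0.0.1)
SAMPLE_PCAP = _pcap([_ipv4_frame("6.0.0.1", "7.0.0.1"), _ipv4_frame("7.0.0.1", "6.0.0.1")])

def pcap_ipv4_pairs(data):
    """Return (set of (src, dst) IPv4 pairs, count of IPv6 packets).

    The feeder needs the IPv4 pair; any IPv6 count above zero means the
    capture cannot be fed as-is, since IPv6 is unsupported.
    """
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == PCAP_MAGIC else ">"
    off, pairs, ipv6 = 24, set(), 0
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == 0x86DD:
            ipv6 += 1
        elif ethertype == 0x0800 and len(frame) >= 34:
            pairs.add((str(ipaddress.IPv4Address(frame[26:30])),
                       str(ipaddress.IPv4Address(frame[30:34]))))
    return pairs, ipv6

def feed_ip_ok(feed_ip, interface_ip, prefix_len):
    """Feed IP must lie in the interface subnet but must not be the interface IP."""
    net = ipaddress.ip_network(f"{interface_ip}/{prefix_len}", strict=False)
    feed = ipaddress.ip_address(feed_ip)
    return feed in net and feed != ipaddress.ip_address(interface_ip)
```

The hypothetical /24 prefix length in the check is an assumption; use the mask actually configured on the SRX interface.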

Example: Configuring packet capture feeder in inet mode

This example explains how to run the packet capture (PCAP) feeder in inet mode to generate protocol contexts.

Requirements

Before you begin:

  • Configure network interfaces.

Overview

Run the PCAP feeder with a relevant IDP policy to obtain the associated protocol contexts. In this example, PCAPs are fed using pcap-ip1 6.0.0.1 and pcap-ip2 7.0.0.1 in quiet mode.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create an application and associate it with an IDP policy:

  1. Create a policy by assigning a meaningful name to it, associate a rulebase with the policy, add rules to the rulebase, and define match criteria for the rule.

  2. Configure policies.

  3. Configure zones and assign interfaces.

  4. Configure forwarding interfaces.

Results

From configuration mode, confirm your configuration by entering the show security idp and show applications commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the Configuration

Purpose

Verify the IDP attack contexts after you run the PCAPs using the PCAP feeder tool.

Action

From operational mode, enter the show security idp attack context command.

Sample Output

Example: Configuring packet capture feeder in transparent mode

This example explains how to run the packet capture (PCAP) feeder in transparent mode to generate protocol contexts.

Requirements

Before you begin:

  • Configure network interfaces.

Overview

Run the PCAP feeder with a relevant IDP policy to obtain the protocol contexts associated with the packets in the capture. In this example, the PCAP feeder is run with pcap-ip2 7.0.0.1 in quiet mode to feed the packets.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create an application and associate it with an IDP policy:

  1. Set the configuration group.

  2. Create a policy by assigning a meaningful name to it, associate a rulebase with the policy, add rules to the rulebase, and define match criteria for the rule.

  3. Configure policies.

  4. Configure zones and assign interfaces.

  5. Configure forwarding interfaces.

  6. Configure VLAN-ID.

Results

From configuration mode, confirm your configuration by entering the show security idp and show applications commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the Configuration

Purpose

Verify the IDP attack contexts after you run the PCAPs using the PCAP feeder tool.

Action

From operational mode, enter the show security idp attack context command.

Sample Output