Using tcpdump for basic network troubleshooting through a security device.

Want to see whether traffic is actually passing through a gateway device? Here are some basic network troubleshooting tips on how you can validate that traffic is flowing through a security gateway and actually getting onto the wire on the far side.

Scenario one:

Sometimes the log says accept, but the traffic may not actually be leaving the box.

Scenario two:

How about when you need to 'prove' to a network admin that traffic is in fact flowing, because everyone assumes the security gateway is the problem?

Answer: tcpdump

Most network people accept tcpdump as an authority. By running tcpdump on both the incoming and outgoing interfaces you can answer either scenario. Log in to the box with ssh in two separate windows and run a tcpdump for the same traffic on the incoming interface and on the outgoing interface.
As an example, run a tcpdump on the interface the connection arrives on (internal), filtering on the IP of the host attempting the connection. Run the same tcpdump on the interface the connection should leave through (external).

For instance, you would see:

SYN (from client) enters internal interface -> SYN (from client) exits external interface toward the server or destination.

Or

ICMP Echo Request (from client) enters internal interface -> ICMP Echo Request (from client) exits external interface toward the server or destination.
Whether or not you see the SYN-ACK or the ICMP Echo Reply come back the other way depends solely on the server or the network beyond the gateway at that point: once the packet has left the external interface, the gateway has done its job. Conversely, if the SYN shows up on the internal interface but never on the external one, the gateway itself is dropping or misrouting it, no matter what the log says, and the problem is yours. I used to use this quite a bit when I needed to "prove" it was not the security gateway.

You will have to adjust for NAT if you are using it in this scenario: on the external interface, filter on the translated (NATed) address rather than the original host address, and remember that hide NAT rewrites the source port as well. Everything else still applies.

How to set up the tcpdump (assuming you are ssh'd to the security gateway and in expert mode):

Session 1: Traffic entering internal interface:

tcpdump -n -i [interface name] host <IP of host>  (ex... tcpdump -n -i eth0 host 10.1.1.1 ) or preferably be more specific with your source/destination  (tcpdump -n -i eth0 host 10.1.1.1 and host 192.168.1.1)

Session 2: Traffic exiting external interface:

tcpdump -n -i [interface name] host <IP of host>  (ex... tcpdump -n -i eth1 host 10.1.1.1 ) or preferably be more specific with your source/destination  (tcpdump -n -i eth1 host 10.1.1.1 and host 192.168.1.1)
You can obviously get more and more granular with tcpdump, but this is a good starting point.
Here are some examples if you want to run more generic tcpdumps, filter out the noise (your own ssh session, gateway management traffic, DHCP, NetBIOS), and write the result to a pcap file that you can open in Wireshark later. The -e flag prints the link-layer (MAC) header on each line, which is handy when you need to show which device a frame actually came from.
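To turn the two tcpdump windows into an answer rather than eyeballing them, here is an added example in Python (not code from the original post). It parses the text that `tcpdump -nn` prints for TCP SYNs and ICMP echo requests in each session and lists the flows that entered the internal interface but never showed up on the external one. The sample lines are constructed, the 203.0.113.5 address is a hypothetical hide-NAT address for the gateway, and the NAT-tolerant matching assumes the gateway leaves the TCP initial sequence number and ICMP sequence number untouched.

```python
"""Correlate the internal-side and external-side tcpdump sessions.

Added example; not code from the original post. The sample lines below are
constructed, and 203.0.113.5 is a hypothetical hide-NAT address.
"""
import re
from typing import List, Optional, Tuple

# tcpdump -nn line for a TCP SYN, e.g.
# "IP 10.1.1.1.51234 > 192.168.1.1.443: Flags [S], seq 1000, win 29200, length 0"
TCP_SYN = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[S\], seq (?P<seq>\d+)"
)
# tcpdump -nn line for an ICMP echo request, e.g.
# "IP 10.1.1.1 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64"
ICMP_REQ = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request, "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def flow_key(line: str, nat: bool) -> Optional[Tuple[str, ...]]:
    """Turn one tcpdump line into a key that identifies the same packet on both sides.

    nat=False: the key includes the original source address and port, so the
    packet must look identical on both interfaces.
    nat=True: the source is left out because hide NAT rewrites it on the way
    out; the packet is matched on destination plus the TCP initial sequence
    number (or ICMP sequence number), which we assume the gateway does not
    rewrite (assumption: no ISN randomisation on this box).
    """
    m = TCP_SYN.search(line)
    if m:
        key = ("tcp", m["dst"], m["dport"], m["seq"])
        return key if nat else key + (m["src"], m["sport"])
    m = ICMP_REQ.search(line)
    if m:
        # NAT may rewrite the ICMP id too, so it only takes part in non-NAT matching.
        key = ("icmp", m["dst"], m["seq"])
        return key if nat else key + (m["src"], m["id"])
    return None  # SYN-ACKs, data segments, echo replies and other noise are ignored


def missing_on_external(internal: List[str], external: List[str], nat: bool = False) -> List[str]:
    """Return the internal-side lines whose packet never appeared on the external side."""
    seen_outside = set()
    for line in external:
        key = flow_key(line, nat)
        if key is not None:
            seen_outside.add(key)
    missing = []
    for line in internal:
        key = flow_key(line, nat)
        if key is not None and key not in seen_outside:
            missing.append(line.strip())
    return missing


# Constructed sample output of "tcpdump -nn -i eth0 host 10.1.1.1" (internal side).
INTERNAL = """\
12:00:00.000001 IP 10.1.1.1.51234 > 192.168.1.1.443: Flags [S], seq 1000, win 29200, length 0
12:00:00.000002 IP 10.1.1.1.51235 > 192.168.1.1.80: Flags [S], seq 2000, win 29200, length 0
12:00:00.000003 IP 10.1.1.1 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
12:00:00.000900 IP 192.168.1.1.443 > 10.1.1.1.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0
""".splitlines()

# Constructed sample output of "tcpdump -nn -i eth1 host 203.0.113.5" (external side,
# 203.0.113.5 being the hypothetical hide-NAT address). The port-80 SYN never left the box.
EXTERNAL = """\
12:00:00.000004 IP 203.0.113.5.40001 > 192.168.1.1.443: Flags [S], seq 1000, win 29200, length 0
12:00:00.000005 IP 203.0.113.5 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
12:00:00.000800 IP 192.168.1.1.443 > 203.0.113.5.40001: Flags [S.], seq 5000, ack 1001, win 65535, length 0
""".splitlines()


if __name__ == "__main__":
    for nat in (False, True):
        print(f"nat={nat}: flows seen on internal but never on external:")
        for line in missing_on_external(INTERNAL, EXTERNAL, nat=nat) or ["  (none)"]:
            print("  " + line)
```

On a real gateway, run each session as `tcpdump -nn -l -i eth0 host 10.1.1.1 | tee internal.txt` (and the same on eth1 with the NATed address), then feed the two files to `missing_on_external` with `nat=True`. Running it with `nat=False` against the sample data reports all three flows as missing, which is exactly the trap the NAT caveat warns about: the source address differs on the two sides, so a naive comparison says nothing got through.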

Session 1 (internal interface):

tcpdump -nne -i [interface] -w /var/log/tmp/internal.cap not port 22 and not port 18192 and not port 67 and not port 18190 and not port 137

Session 2 (external interface):

tcpdump -nne -i [interface] -w /var/log/tmp/external.cap not port 22 and not port 18192 and not port 67 and not port 18190 and not port 137
Have fun. 

SPAN port on a Switch

Here is a quick reference on how to configure a SPAN (mirror) port on various switch gear, should you need one to capture traffic that does not pass through a box you can run tcpdump on.


Cisco Catalyst 2850, 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750, 3750-E, 4500/4000

conf t
monitor session 1 source interface gigabitEthernet 0/17 both
monitor session 1 destination interface gigabitEthernet 0/15
exit
write mem

Cisco 6500/6000 Series Switches That Run Cisco IOS System Software, Cisco Nexus Series Switches That Run NX-OS Software

Syntax:
monitor session session_number source interface interface-id [, | -] [both | rx | tx]
monitor session session_number destination interface interface-id

Cisco Catalyst 2900, 4500/4000, 5500/5000, and 6500/6000 Series Switches That Run CatOS

Syntax:
set span source_port destination_port [rx | tx | both]

Juniper

root@switch> edit
root@switch# set ethernet-switching-options analyzer mirror-3d input egress interface ge-0/0/6.0
root@switch# set ethernet-switching-options analyzer mirror-3d input ingress interface ge-0/0/6.0
root@switch# set ethernet-switching-options analyzer mirror-3d output interface ge-0/0/13.0
root@switch# commit

Brocade

Monitoring an Individual Trunk Port
By default, when you monitor the primary port in a trunk group, aggregated traffic for all the ports in the trunk group is copied to the mirror port. You can configure the device to monitor individual ports in a trunk group. You can monitor the primary port or a secondary port individually.

To monitor traffic on an individual port in a trunk group, enter commands such as the following:

ServerIron(config)# mirror ethernet 2/1
ServerIron(config)# trunk switch ethernet 4/1 to 4/8
ServerIron(config-trunk-4/1-4/8)# config-trunk-ind
ServerIron(config-trunk-4/1-4/8)# monitor ethe-port-monitored 4/5 ethernet 2/1 in