配置並驗證安全防火牆和Firepower內部交換機捕獲

资讯 2024-07-16 阅读:87 评论:0
本文檔介紹Firepower的配置和驗證,以及安全防火牆內部交換機捕獲。This document presents the configuration and validation of F...
美化布局示例

欧易(OKX)最新版本

【遇到注册下载问题请加文章最下面的客服微信】永久享受返佣20%手续费!

APP下载   全球官网 大陆官网

币安(Binance)最新版本

币安交易所app【遇到注册下载问题请加文章最下面的客服微信】永久享受返佣20%手续费!

APP下载   官网地址

火币HTX最新版本

火币老牌交易所【遇到注册下载问题请加文章最下面的客服微信】永久享受返佣20%手续费!

APP下载   官网地址

    本文檔介紹Firepower的配置和驗證,以及安全防火牆內部交換機捕獲。

    This document presents the configuration and validation of Firepower, as well as the capture of the internal switchboard of the security firewall.

    基本的產品知識,捕獲分析。

    Basic product knowledge, capture analysis.

    本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。

    The information in this paper is based on the devices in a given laboratory environment. All devices used in the text are activated from the cleared (predicted) configuration. If you are working on your network, make sure you understand the implications of any instructions.

    本文中的資訊係根據以下軟體和硬體版本:

    The information in this paper is based on the following software and hard version:

    • 安全防火牆31xx、42xx
    • Firepower 41xx
    • Firepower 93xx
    • Cisco安全可擴充作業系統(FXOS) 2.12.0.x
    • 思科安全防火牆威脅防禦(FTD) 7.2.0.x、7.4.1-172
    • 思科安全防火牆管理中心(FMC) 7.2.0.x、7.4.1-172
    • 調適型安全裝置(ASA) 9.18(1)x、9.20(x)
    • Wireshark 3.6.7 (https://www.wireshark.org/download.html)

    從資料包流的角度來看,Firepower 4100/9300和安全防火牆3100/4200的體系結構視覺化,如下圖所示:

    From the point of view of the data stream, Firepower 4100/9300 and the security firewall 3100/4200 have a visualization of the structure of the system, as shown in the following graph:

    機箱_arch

     arc

    機箱包括以下元件:

    The boxes include the following components:

    • 內部交換機 -將資料包從網路轉發到應用,反之亦然。內部交換機連線到位於內建介面模組或外部網路模組上的前介面,並連線到外部裝置,例如交換機。前端介面的示例包括Ethernet 1/1、Ethernet 2/4等。「前線」並不是一個強有力的技術定義。在本文檔中,它用於區分連線到外部裝置的介面與背板或上行鏈路介面。
    • 背板或上行鏈路 -將安全模組(SM)連線到內部交換機的內部介面。
    • 管理上行鏈路 -安全防火牆3100/4200專用的內部介面,提供內部交換機和應用程式之間的管理流量路徑。

    下表顯示Firepower 4100/9300上的背板介面和安全防火牆3100/4200上的上行鏈路介面:

    The following table shows the backboard interface on Firepower 4100/9300 and the uplink interface on the security firewall 3100/4200:

    平台

    platform

    支援的安全模組數目

    Number of security modules supported by

    背板/上行鏈路介面

    backboard/uplink interface

    管理上行鏈路介面

    manages the uplink interface

    對映的應用介面

    The application interface for

    Firepower 4100(Firepower 4110/4112除外)

    Firepower 4100 (except Firepower 4110/4112)

    1

    SM1:

    Ethernet1/9

    Ethernet1/10

    不適用

    Not suitable.

    Internal-Data0/0

    Internal-Data0/1

    Firepower 4110/4112

    1

    Ethernet1/9

    不適用

    Not suitable.

    Internal-Data0/0

    Firepower 9300

    3

    SM1:

    Ethernet1/9

    Ethernet1/10

    SM2:

    Ethernet1/11

    Ethernet1/12

    SM3:

    Ethernet1/13

    Ethernet1/14

    不適用

    Not suitable.

    Internal-Data0/0

    Internal-Data0/1


    Internal-Data0/0

    Internal-Data0/1


    Internal-Data0/0

    Internal-Data0/1

    安全防火牆3100

    Security firewall 3100

    1

    SM1:in_data_uplink1

    in_mgmt_uplink1

    Internal-Data0/1

    管理1/1

    安全防火牆4200

    Security firewall 4200

    1

    SM1:in_data_uplink1

    SM1:in_data_uplink2(僅限4245)

    SM1:in_data_uplink (4245)

    in_mgmt_uplink1

    in_mgmt_uplink2

    Internal-Data0/1

    Internal-Data0/2(僅限4245)

    International-Data0/2 (4245) br>

    管理1/1

    管理1/2

    在每模組具有2個背板介面的Firepower 4100/9300或具有2個資料上行鏈路介面的安全防火牆4245中,內部交換機和模組上的應用程式在兩個介面上執行流量負載均衡。

    In Firewall 4245 with two backboard interfaces for each module, Firepower 4100/9300 or two data uplink interfaces, applications on internal switches and modules run traffic load balances on two interfaces.

    • 安全模組、安全引擎刀片 -安裝FTD或ASA等應用程式的模組。Firepower 9300最多支援3個安全模組。
    • 對映的應用介面 -應用(如FTD或ASA)中的背板或上行鏈路介面的名稱。

    使用show interface detail命令驗證內部介面:

    Using show interface detail command to verify internal interfaces:

    > show interface detail | grep Interface
    Interface Internal-Control0/0 "ha_ctl_nlp_int_tap", is up, line protocol is up
      Control Point Interface States:
            Interface number is 6
            Interface config status is active
            Interface state is active
    Interface Internal-Data0/0 "", is up, line protocol is up
      Control Point Interface States:
            Interface number is 2
            Interface config status is active
            Interface state is active
    Interface Internal-Data0/1 "", is up, line protocol is up
      Control Point Interface States:
            Interface number is 3
            Interface config status is active
            Interface state is active
    Interface Internal-Data0/2 "nlp_int_tap", is up, line protocol is up
      Control Point Interface States:
            Interface number is 4
            Interface config status is active
            Interface state is active
    Interface Internal-Data0/3 "ccl_ha_nlp_int_tap", is up, line protocol is up
      Control Point Interface States:
            Interface number is 5
            Interface config status is active
            Interface state is active
    Interface Internal-Data0/4 "cmi_mgmt_int_tap", is up, line protocol is up
      Control Point Interface States:
            Interface number is 7
            Interface config status is active
            Interface state is active
    Interface Port-channel6.666 "", is up, line protocol is up
    Interface Ethernet1/1 "diagnostic", is up, line protocol is up
      Control Point Interface States:
            Interface number is 8
            Interface config status is active
            Interface state is active

    Firepower 4100/9300

    為做出轉發決策,內部交換機使用介面VLAN標籤埠VLAN標籤以及虛擬網路標籤(VN標籤)

    For decision-making purposes, the internal switchboard uses VLAN tags or port VLAN tags and virtual network tags (VN tags) .

    內部交換機使用埠VLAN標籤來標識介面。交換機會將埠VLAN標籤插入到位於前介面的每個入口資料包中。VLAN標籤由系統自動配置,無法手動更改。  標籤值可以在fxos命令shell中檢查:

    The internal switcher uses the port VLAN tag to mark the interface. The exchange opportunity inserts the port VLAN tag in each entry package in the front. The VLAN tag is automatically configured by the system and cannot be changed manually. & nbsp; tag values can be checked in fxos command shell:

    firepower# connect fxos 

    firepower(fxos)# show run int e1/2
    !Command: show running-config interface Ethernet1/2
    !Time: Tue Jul 12 22:32:11 2022

    version 5.0(3)N2(4.120)

    interface Ethernet1/2
      description U: Uplink
      no lldp transmit
      no lldp receive
      no cdp enable
      switchport mode dot1q-tunnel
      switchport trunk native vlan 102
      speed 1000
      duplex full
      udld disable
      no shutdown

    VN標籤也由內部交換機插入,用於轉發資料包到應用。系統會自動設定它,且無法手動變更。

    The VN tag is also inserted by the internal switcher and is used to convert the package to the application. The system automatically sets it and cannot change it manually.

    埠VLAN標籤和VN標籤與應用共用。應用程式將各自的輸出介面VLAN標籤和VN標籤插入每個封包中。當背板介面上的內部交換機接收到來自應用的資料包時,交換機讀取出口介面VLAN標籤和VN標籤,辨識應用和出口介面,刪除埠VLAN標籤和VN標籤,並將資料包轉發到網路。

    The port VLAN tags and VN tags are shared with applications. The application inserts the respective output interface VLAN tags and VN tags into each package. When the internal switcher on the backboard receives the data package from the application, the switcher reads the export interface VLAN tags and VN tags, identifies applications and export interfaces, deletes the port VLAN tags and VN tags, and forwards the package to the web.

    安全防火牆3100/4200

    security firewall 3100/4200

    與Firepower 4100/9300一樣,內部交換機使用埠VLAN標籤來辨識介面。

    Like Firepower 4100/9300, the internal switchboard uses the port VLAN tag to identify the interface.

    埠VLAN標籤與應用程式共用。應用程式將各個輸出介面VLAN標籤插入每個封包中。當上行鏈路介面上的內部交換機接收到來自應用的資料包時,交換機讀取出口介面VLAN標籤,辨識出口介面,刪除埠VLAN標籤,並將資料包轉發到網路。

    The port VLAN tags are shared with the application. The application inserts each output interface VLAN tag into each package. When the internal switcher on the uplink interface receives the data package from the application, the switchboard reads the export interface VLAN tags, identifies the export interface, deletes the port VLAN tags and forwards the data package to the network.

    Firepower 4100/9300和安全防火牆3100

    Firepower 4100/9300 and security firewall 3100

    Firepower 4100/9300和安全防火牆3100防火牆支援內部交換機介面上的資料包捕獲。

    Firepower 4100/9300 and the security firewall 3100 supported the capture of the data package on the internal switchboard interface.

    下圖顯示了機箱和應用中資料包路徑上的資料包捕獲點:

    The following graph shows the data pack capture point on the engine and application active data package path:

    chassis_app_capture_points_2

    捕獲點包括:

    The capture points include:

    1. 內部交換機前介面入口捕獲點。前端介面是連線到對等裝置(如交換機)的任何介面。
    2. 資料平面介面入口捕獲點
    3. Snort捕獲點
    4. 資料平面介面出口捕獲點
    5. 內部交換機背板或上行鏈路入口捕獲點。背板或上行鏈路介面將內部交換機連線到應用。

    內部交換器僅支援輸入介面擷取。也就是說,只能捕獲從網路或ASA/FTD應用接收的資料包。不支援輸出封包擷取。

    The internal switcher only supports the input interface. That is, only the data package received from the Internet or from the ASA/FTD application can be captured. does not support the output of the package.

    安全防火牆4200

    security firewall 4200 >/strang

    安全防火牆4200防火牆支援內部交換機介面上的資料包捕獲。下圖顯示了機箱和應用中資料包路徑上的資料包捕獲點:

    The security firewall 4200 supports the capture of the data package on the internal switchboard interface.

    ch_4200_1

    捕獲點包括:

    The capture points include:

    1. 內部交換機前介面入口捕獲點。前端介面是連線到對等裝置(如交換機)的任何介面。
    2. 內部交換機背板介面出口捕獲點。
    3. 資料平面介面入口捕獲點
    4. Snort捕獲點
    5. 資料平面介面出口捕獲點
    6. 內部交換機背板或上行鏈路入口捕獲點。背板或上行鏈路介面將內部交換機連線到應用。
    7. 內部交換機前介面出口捕獲點。

    內部交換機可選擇支援雙向-入口和出口-捕獲。預設情況下,內部交換器會擷取輸入方向上的封包。

    The inside switcher selects to support two-way - entrance and exit - capture.

    可以在FCM上的Tools > Packet Capture中或在FXOS CLI中的scope packet-capture中配置Firepower 4100/9300內部交換機捕獲。有關資料包捕獲選項的說明,請參閱Cisco Firepower 4100/9300 FXOS機箱管理器配置指南Cisco Firepower 4100/9300 FXOS CLI配置指南故障排除一章資料包捕獲部分。

    An internal switcher of Firepower 4100/9300 may be located on FCM Tools & gt; Packet Capture or in FXOS CLI package configurations or section of configuration guidelines for Cisco Firepower 4100/9300 FXOS machines > or Cisco Firepower 4100/9300 FXOS CLI < /em > >.

    這些場景包括Firepower 4100/9300內部交換機捕獲的常見使用案例。

    These scenes include common usage cases captured by Firepower 4100/9300 internal switchboards.

    使用FCM和CLI在介面Ethernet1/2或Portchannel1介面上配置和驗證資料包捕獲。對於埠通道介面,請確保選擇所有物理成員介面。

    Use FCM and CLI to configure and authenticate the data packs on interface 1/2 or Portchannel 1. For port interfaces, make sure that all physical interfaces are selected.

    拓撲、資料包流和捕獲點

    pings, data packs, catch points

    ch_4k_9k_flow_s1_t1_eth1_2_port_allch_4k_9k_flow_s1_t1_po1_port_all

    組態

    /strang'

    FCM

    按照FCM上的以下步驟在介面Ethernet1/2或Portchannel1上配置資料包捕獲:

    The following steps on the FCM have been taken to configure the data packs on the interface 1/2 or Portchannel1:

    1. 使用Tools > Packet Capture > Capture Session建立新的捕獲會話

    fcm_s_all_cap_session

    1. 選擇介面Ethernet1/2,提供會話名稱,然後按一下Save and Run啟用捕獲:

    fcm_s1_t1_eth_1_2_all_save_run

    1. 對於埠通道介面,請選擇所有物理成員介面,提供會話名稱並按一下Save and Run以啟用捕獲:

    fcm_s1_t1_po1_all_save_run

    FXOS CLI

    按照FXOS CLI上的以下步驟在介面Ethernet1/2或Portchannel1上配置資料包捕獲:

    The following steps on FXOS CLI were taken to configure the data packs on interface 1/2 Ethernet or Portchannel1:

    1. 辨識應用程式型別和辨識碼:
    firepower# scope ssa
    firepower /ssa # show app-instance
    App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State   Cluster Role
    ---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
    ftd        ftd1       1          Enabled     Online           7.2.0.82        7.2.0.82        Native      No                      Not Applicable  None
    1. 對於埠通道介面,請確定其成員介面:
    firepower# connect fxos
    <output skipped>
    firepower(fxos)# show port-channel summary
    Flags:  D - Down        P - Up in port-channel (members)
            I - Individual  H - Hot-standby (LACP only)
            s - Suspended   r - Module-removed
            S - Switched    R - Routed
            U - Up (port-channel)
            M - Not in use. Min-links not met
    --------------------------------------------------------------------------------
    Group Port-       Type     Protocol  Member Ports
          Channel
    --------------------------------------------------------------------------------
    1     Po1(SU)     Eth      LACP      Eth1/4(P)    Eth1/5(P)   
    1. 建立擷取階段作業:
    firepower# scope packet-capture 
    firepower /packet-capture # create session cap1
    firepower /packet-capture/session* # create phy-port Eth1/2
    firepower /packet-capture/session/phy-port* # set app ftd
    firepower /packet-capture/session/phy-port* # set app-identifier ftd1
    firepower /packet-capture/session/phy-port* # up
    firepower /packet-capture/session* # enable
    firepower /packet-capture/session* # commit
    firepower /packet-capture/session #

    對於埠通道介面,為每個成員介面配置單獨的捕獲:

    For port channel interfaces, separate captures are provided for each member interface:

    firepower# scope packet-capture 
    firepower /packet-capture # create session cap1
    firepower /packet-capture/session* # create phy-port Eth1/4
    firepower /packet-capture/session/phy-port* # set app ftd
    firepower /packet-capture/session/phy-port* # set app-identifier ftd1
    firepower /packet-capture/session/phy-port* # up
    firepower /packet-capture/session* # create phy-port Eth1/5
    firepower /packet-capture/session/phy-port* # set app ftd
    firepower /packet-capture/session/phy-port* # set app-identifier ftd1
    firepower /packet-capture/session/phy-port* # up
    firepower /packet-capture/session* # enable
    firepower /packet-capture/session* # commit
    firepower /packet-capture/session #

    驗證

    Verify/strong>

    FCM

    驗證介面名稱,確保Operational Status為up且File Size (in bytes)增加:

    Validation of the interface , ensuring that Operational Status is for the group and that File Size (in bytes) adds:

    fcm_s1_t1_eth_1_2_pcap_verify

    Portchannel1與成員介面Ethernet1/4和Ethernet1/5:

    Portchannel1 and member interface Ethernet1/4 and Ethernet1/5:

    fcm_s1_t1_po1_pcap_verify

    FXOS CLI

    驗證scope packet-capture中的捕獲詳細資訊:

    More detailed information on the capture in copet-capture:

    firepower# scope packet-capture 
    firepower /packet-capture # show session cap1

    Traffic Monitoring Session:
        Packet Capture Session Name: cap1
        Session: 1
        Admin State: Enabled
        Oper State: Up
        Oper State Reason: Active
        Config Success: Yes
        Config Fail Reason:
        Append Flag: Overwrite
        Session Mem Usage: 256  MB
        Session Pcap Snap Len: 1518  Bytes
        Error Code: 0
        Drop Count: 0

    Physical ports involved in Packet Capture:
        Slot Id: 1
        Port Id: 2
        Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-2-0.pcap
        Pcapsize: 75136  bytes
        Filter:
        Sub Interface: 0
        Application Instance Identifier: ftd1
        Application Name: ftd

    具有成員介面Ethernet1/4和Ethernet1/5的Port-channel 1:

    Port-channel with membership 1/4 and Ethernet 1/5:

    firepower# scope packet-capture 
    firepower /packet-capture # show session cap1

    Traffic Monitoring Session:
        Packet Capture Session Name: cap1
        Session: 1
        Admin State: Enabled
        Oper State: Up
        Oper State Reason: Active
        Config Success: Yes
        Config Fail Reason:
        Append Flag: Overwrite
        Session Mem Usage: 256  MB
        Session Pcap Snap Len: 1518  Bytes
        Error Code: 0
        Drop Count: 0

    Physical ports involved in Packet Capture:
        Slot Id: 1
        Port Id: 4
        Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-4-0.pcap
        Pcapsize: 310276  bytes
        Filter:
        Sub Interface: 0
        Application Instance Identifier: ftd1
        Application Name: ftd

        Slot Id: 1
        Port Id: 5
        Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-5-0.pcap
        Pcapsize: 160  bytes
        Filter:
        Sub Interface: 0
        Application Instance Identifier: ftd1
        Application Name: ftd

    收集捕獲檔案

    collects capture files

    按照收集Firepower 4100/9300內部交換機捕獲檔案部分中的步驟操作。

    Collecter of Firepower 4100/9300 internal switchboards in accordance with of the file.

    捕獲檔案分析

    capture file analysis

    使用資料包捕獲檔案讀取器應用程式打開Ethernet1/2的捕獲檔案。選擇第一個資料包並檢查要點:

    Opens the Ethernet1/2 capture file using the data pack to capture the file reader application. Select the first package and check the point:

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入用於辨識輸入介面Ethernet1/2的其他埠VLAN標籤102
    4. 內部開關插入一個附加VN標籤。

    pcap_s1_t1_eth1_2_1

    選擇第二個資料包並檢查要點:

    Select the second package and check the point:

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入用於辨識輸入介面Ethernet1/2的其他埠VLAN標籤102

    pcap_s1_t1_eth1_2_2

    打開Portchannel1成員介面的捕獲檔案。選擇第一個資料包並檢查要點:

    Opens the capture file of the Portchannel1 interface. Select the first package and check the point:

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入一個額外的埠VLAN標籤1001,用於辨識輸入介面Portchannel1。
    4. 內部開關插入一個附加VN標籤。

    pcap_s1_t1_po1_1

    選擇第二個資料包並檢查要點:

    Select the second package and check the point:

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入一個額外的埠VLAN標籤1001,用於辨識輸入介面Portchannel1。

    pcap_s1_t1_po1_2

    說明

    Help

    在前端介面上設定封包擷取時,交換器會同時擷取每個封包兩次:

    When you set a package on the front interface, the switch will take each package twice at the same time:

    • 在插入埠VLAN標籤之後。
    • 在插入VN標籤之後。

    按照操作順序,VN標籤在比埠VLAN標籤插入更晚的階段插入。但是,在捕獲檔案中,帶有VN標籤的資料包比帶有埠VLAN標籤的資料包顯示得更早。

    In the operating order, the VN tag is inserted at a later stage than the port VLAN tag. However, in the capture file, the bag with the VN tag is shown earlier than the bag with the port VLAN tag.

    此表格總結列出作業:

    The summary of this table lists the homework:

    工作

    /strong's >br'

    捕獲點

    /strang'

    捕獲的資料包中的內部埠VLAN

    The inside port of the captured kit VLAN

    方向

    捕獲的流量

    captured traffic

    在介面Ethernet1/2上配置並檢驗資料包捕獲

    Configure and verify data pack capture on interface Ethernet1/2

    Ethernet1/2

    102

    僅限入口

    Access only

    從主機192.0.2.100到主機198.51.100.100的ICMP回應請求

    From host 192.02.100 to host 198.51.10.100 ICMP response

    在介面Portchannel1上配置並檢驗帶有成員介面Ethernet1/4和Ethernet1/5的資料包捕獲

    Configure and test data packs on interface Portchannel1 with user interfaces Ethernet1/4 and Ethernet1/5

    Ethernet1/4 Ethernet1/5

    1001

    僅限入口

    Access only

    從主機192.0.2.100到主機198.51.100.100的ICMP回應請求

    From host 192.02.100 to host 198.51.10.100 ICMP response

    使用FCM和CLI配置並驗證背板介面上的資料包捕獲。

    Use FCM and CLI to configure and verify data pack captures on backboard interfaces.

    拓撲、資料包流和捕獲點

    pings, data packs, catch points

    ch_4k_9k_flow_s2_t1_bckp

    組態

    /strang'

    FCM

    按照FCM上的以下步驟在背板介面上配置資料包捕獲:

    Configure the data pack on the backboard interface according to the following steps on the FCM:

    1. 使用Tools > Packet Capture > Capture Session建立新的捕獲會話

    fcm_s_all_cap_session

    1. 要捕獲所有背板介面上的資料包,請從下拉選單中選擇Capture OnAll Backplane Ports。或者,選擇特定的背板介面。在這種情況下,可以使用背板介面Ethernet1/9和Ethernet1/10。提供會話名稱,然後按一下儲存並運行以啟用捕獲

    fcm_s2_t1_bckp_save_run

    FXOS CLI

    按照FXOS CLI上的以下步驟配置背板介面上的資料包捕獲:

    The following steps on FXOS CLI were used to configure the data packs on the backboard interface:

    1. 辨識應用程式型別和辨識碼:
    firepower# scope ssa
    firepower /ssa# show app-instance
    App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State   Cluster Role
    ---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
    ftd        ftd1       1          Enabled     Online           7.2.0.82        7.2.0.82        Native      No                      Not Applicable  None
    1. 建立擷取階段作業:
    firepower# scope packet-capture 
    firepower /packet-capture # create session cap1
    firepower /packet-capture/session* # create phy-port Eth1/9
    firepower /packet-capture/session/phy-port* # set app ftd
    firepower /packet-capture/session/phy-port* # set app-identifier ftd1
    firepower /packet-capture/session/phy-port* # up
    firepower /packet-capture/session* #  create phy-port Eth1/10
    firepower /packet-capture/session/phy-port* # set app ftd
    firepower /packet-capture/session/phy-port* # set app-identifier ftd1
    firepower /packet-capture/session/phy-port* # up
    firepower /packet-capture/session* # enable
    firepower /packet-capture/session* # commit
    firepower /packet-capture/session #

    驗證

    Verify/strong>

    FCM

    驗證介面名稱,確保Operational Status為up且File Size (in bytes)增加:

    Validation of the interface , ensuring that Operational Status is for the group and that File Size (in bytes) adds:

    fcm_s2_t1_bckp_pcap_verify

    FXOS CLI

    驗證scope packet-capture中的捕獲詳細資訊:

    More detailed information on the capture in copet-capture:

    firepower# scope packet-capture
    firepower /packet-capture #  show session cap1

    Traffic Monitoring Session:
        Packet Capture Session Name: cap1
        Session: 1
        Admin State: Enabled
        Oper State: Up
        Oper State Reason: Active
        Config Success: Yes
        Config Fail Reason:
        Append Flag: Overwrite
        Session Mem Usage: 256  MB
        Session Pcap Snap Len: 1518  Bytes
        Error Code: 0
        Drop Count: 0

    Physical ports involved in Packet Capture:
        Slot Id: 1
        Port Id: 10
        Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-10-0.pcap
        Pcapsize: 1017424  bytes
        Filter:
        Sub Interface: 0
        Application Instance Identifier: ftd1
        Application Name: ftd

        Slot Id: 1
        Port Id: 9
        Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-9-0.pcap
        Pcapsize: 1557432  bytes
        Filter:
        Sub Interface: 0
        Application Instance Identifier: ftd1
        Application Name: ftd

    收集捕獲檔案

    collects capture files

    按照收集Firepower 4100/9300內部交換機捕獲檔案部分中的步驟操作。

    Collecter of Firepower 4100/9300 internal switchboards in accordance with of the file.

    捕獲檔案分析

    capture file analysis

    使用資料包捕獲檔案讀取器應用程式打開捕獲檔案。如果有一個以上的背板介面,請確定開啟每個背板介面的所有擷取檔案。在這種情況下,封包會在背板介面Ethernet1/9上擷取。

    Opens the capture file using a file reader application using the data pack. If there is more than one backboard interface, make sure that you open all extraction files for each backboard interface. In this case, the package is retrieved on the backboard interface 1/9.

    選擇第一個和第二個資料包,並檢查要點:

    Select the first and second data packs and check the key points:

    1. 捕獲每個ICMP回應請求資料包並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入用於辨識輸出介面Ethernet1/3的附加埠VLAN標籤103
    4. 內部開關插入一個附加VN標籤。

    pcap_s2_t1_eth1_9_1pcap_s2_t1_eth1_9_2

    選擇第三和第四個資料包,並檢查要點:

    Select the third and fourth packets and check the points:

    1. 捕獲每個ICMP回應應答並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入用於辨識輸出介面Ethernet1/2的其他埠VLAN標籤102
    4. 內部開關插入一個附加VN標籤。

    pcap_s2_t1_eth1_9_3

    說明

    Help

    在背板介面上設定封包擷取時,交換器會同時擷取每個封包兩次。在這種情況下,內部交換機將接收安全模組上的應用已標籤了埠VLAN標籤和VN標籤的資料包。VLAN標籤標識內部機箱用於將資料包轉發到網路的輸出介面。ICMP回應請求資料包中的VLAN標籤103將Ethernet1/3標識為輸出介面,而ICMP回應應答資料包中的VLAN標籤102將Ethernet1/2標識為輸出介面。在將資料包轉發到網路之前,內部交換機刪除VN標籤和內部介面VLAN標籤。

    In this case, the internal switcher will accept applications from the security module that have been marked as VLAN tags and VN tags. The VLAN tags are used in the internal machine to transfer the package to the network for output. The VLAN tag 103 in the ICMP response request for data requests uses Ethernet1/3 as an input, while the VLAN tag 102 in the ICMP response package uses Ethernet1/2 as an input. Before transferring the package to the Internet, the internal switchboard deletes the VN tag and VLAN tags in the internal interface.

    此表格總結列出作業:

    The summary of this table lists the homework:

    工作

    捕獲點

    /strang'

    捕獲的資料包中的內部埠VLAN

    The inside port of the captured kit VLAN

    方向

    捕獲的流量

    captured traffic

    配置並驗證背板介面上的資料包捕獲

    Configure and verify bag capture on backboard interface

    背板介面

    Backboard Interface

    102

    103

    僅限入口

    Access only

    從主機192.0.2.100到主機198.51.100.100的ICMP回應請求

    From host 192.02.100 to host 198.51.10.100 ICMP response

    從主機198.51.100.100到主機192.0.2.100的ICMP回應應答

    ICMP response from host 198.51.10.100 to host 192.02.100

    如果使用者指定應用捕獲方向,則應用或應用埠資料包捕獲始終配置在背板介面上,並配置在前端介面上。

    If the user specifies the direction of the catch, the application or application package is permanently configured on the backboard interface and on the front interface.

    主要有2個使用案例:

    There are two main cases of use:

    • 在背板介面上為離開特定前介面的資料包配置資料包捕獲。例如,在背板介面Ethernet1/9上為離開介面Ethernet1/2的封包設定封包擷取。
    • 在特定前介面和背板介面上配置同時資料包捕獲。例如,在介面Ethernet1/2和背板介面Ethernet1/9上為離開介面Ethernet1/2的封包設定同時擷取封包。

    本節介紹這兩種使用案例。

    This section presents these two cases of use.

    任務1

    Task 1 / strong / strong / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong

    使用FCM和CLI在背板介面上設定和驗證封包擷取。應用程式連線埠Ethernet1/2被辨識為輸出介面的封包會被擷取。在本例中,捕獲ICMP回覆。

    Set and verify the package on the backboard interface using FCM and CLI. The application port Ethernet1/2 is identified as the package for the output interface will be seized. In this case, the ICMP reply is captured.

    拓撲、資料包流和捕獲點

    pings, data packs, catch points

    ch_4k_9k_flow_s3_t1_eth1_2_port_egress_only

    組態

    /strang'

    FCM

    按照FCM上的以下步驟,在FTD應用程式和應用程式連線埠Ethernet1/2上設定封包擷取:

    Set package extraction on the FTD application and application port Ethernet1/2 in accordance with the following steps on FCM:

    1. 使用Tools > Packet Capture > Capture Session建立新的捕獲會話

    fcm_s_all_cap_session

    1. Application Port下拉選單中選擇應用程式Ethernet1/2,並在Application Capture Direction中選擇Egress Packet。提供會話名稱,然後按一下儲存並運行以啟用捕獲

    fcm_s3_t2_bckp_et1_2_egress_save_run

    FXOS CLI

    按照FXOS CLI上的以下步驟配置背板介面上的資料包捕獲:

    The following steps on FXOS CLI were used to configure the data packs on the backboard interface:

    1. 辨識應用程式型別和辨識碼:
    firepower# scope ssa
    firepower /ssa#  show app-instance
    App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State   Cluster Role
    ---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
    ftd        ftd1       1          Enabled     Online           7.2.0.82        7.2.0.82        Native      No                      Not Applicable  None
    1. 建立擷取階段作業:
    firepower# scope packet-capture 
    firepower /packet-capture # create session cap1
    firepower /packet-capture/session* # create app-port 1 l12 Ethernet1/2 ftd
    firepower /packet-capture/session/app-port* # set app-identifier ftd1
    firepower /packet-capture/session/app-port* # set filter ""
    firepower /packet-capture/session/app-port* # set subinterface 0
    firepower /packet-capture/session/app-port* # up
    firepower /packet-capture/session* # commit
    firepower /packet-capture/session #

    驗證

    Verify/strong>

    FCM

    驗證介面名稱,確保Operational Status為up且File Size (in bytes)增加:

    Validation of the interface , ensuring that Operational Status is for the group and that File Size (in bytes) adds:

    fcm_s3_t1_bckp_pcap_verify

    FXOS CLI

    驗證scope packet-capture中的捕獲詳細資訊:

    More detailed information on the capture in copet-capture:

    firepower# scope packet-capture
    firepower /packet-capture #  show session cap1

    Traffic Monitoring Session:
        Packet Capture Session Name: cap1
        Session: 1
        Admin State: Enabled
        Oper State: Up
        Oper State Reason: Active
        Config Success: Yes
        Config Fail Reason:
        Append Flag: Overwrite
        Session Mem Usage: 256  MB
        Session Pcap Snap Len: 1518  Bytes
        Error Code: 0
        Drop Count: 0

    Application ports involved in Packet Capture:
        Slot Id: 1
        Link Name: l12
        Port Name: Ethernet1/2
        App Name: ftd
        Sub Interface: 0
        Application Instance Identifier: ftd1

    Application ports resolved to:
        Name: vnic1
        Eq Slot Id: 1
        Eq Port Id: 9
        Pcapfile: /workspace/packet-capture/session-1/cap1-vethernet-1036.pcap
        Pcapsize: 53640  bytes
        Vlan: 102
        Filter:

        Name: vnic2
        Eq Slot Id: 1
        Eq Port Id: 10
        Pcapfile: /workspace/packet-capture/session-1/cap1-vethernet-1175.pcap
        Pcapsize: 1824  bytes
        Vlan: 102
        Filter:

    收集捕獲檔案

    collects capture files

    按照收集Firepower 4100/9300內部交換機捕獲檔案部分中的步驟操作。

    Collecter of Firepower 4100/9300 internal switchboards in accordance with of the file.

    捕獲檔案分析

    capture file analysis

    使用資料包捕獲檔案讀取器應用程式打開捕獲檔案。如果有多個背板介面,請確保打開每個背板介面的所有捕獲檔案。在這種情況下,封包會在背板介面Ethernet1/9上擷取。

    Open the capture file using the file reader application for the data pack. If there are multiple backboard interfaces, make sure that you open all capture files for each backboard interface. In this case, the package is retrieved on the backboard interface 1/9 on the Ethernet 1/9.

    選擇第一個和第二個資料包,並檢查要點:

    Select the first and second data packs and check the key points:

    1. 捕獲每個ICMP回應應答並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入用於辨識輸出介面Ethernet1/2的其他埠VLAN標籤102
    4. 內部開關插入一個附加VN標籤。

    pcap_s3_t1_eth1_9_1pcap_s3_t1_eth1_9_2

    說明

    Help

    在這種情況下,連線埠VLAN標籤為102的Ethernet1/2是ICMP回應回覆封包的輸出介面。

    In this situation, Ethernet 1/2 of the port VLAN labeled 102 is the ICMP output interface for responding to the package.

    當在捕獲選項中將應用程式捕獲方向設定為Egress時,將在入口方向的背板介面上捕獲乙太網報頭中埠VLAN標籤為102的資料包。

    When setting application capture directions at Egress in the capture option, the backboard interface in the direction of the entry will capture the data package marked VLAN at 102 in the Aether News portal.

    此表格總結列出作業:

    The summary of this table lists the homework:

    工作

    捕獲點

    /strang'

    捕獲的資料包中的內部埠VLAN

    The inside port of the captured kit VLAN

    方向

    捕獲的流量

    captured traffic

    配置並驗證應用和應用程式埠Ethernet1/2上的捕獲資訊

    Configure and verify capture information on the application and application port Ethernet1/2

    背板介面

    Backboard Interface

    102

    僅限入口

    Access only

    從主機198.51.100.100到主機192.0.2.100的ICMP回應應答

    ICMP response from host 198.51.10.100 to host 192.02.100

    任務2

    Mission 2/strong

    使用FCM和CLI在背板介面和正面介面Ethernet1/2上設定和驗證封包擷取。

    Set and verify the envelope on the backboard interface and the front interface Ethernet1/2 using FCM and CLI.

    同時資料包捕獲配置在:

    At the same time, the data pack capture is configured:

    • 前介面-捕獲介面Ethernet1/2上埠VLAN 102的資料包。捕獲的資料包是ICMP回應請求。
    • 背板介面-會擷取Ethernet1/2辨識為輸出介面的封包,或具有連線埠VLAN 102的封包。捕獲的資料包是ICMP回應應答。

    拓撲、資料包流和捕獲點

    pings, data packs, catch points

    ch_4k_9k_flow_s3_t1_eth1_2_port_all

    組態

    /strang'

    FCM

    按照FCM上的以下步驟,在FTD應用程式和應用程式連線埠Ethernet1/2上設定封包擷取:

    Set package extraction on the FTD application and application port Ethernet1/2 in accordance with the following steps on FCM:

    1. 使用Tools > Packet Capture > Capture Session建立新的捕獲會話

    fcm_s_all_cap_session

    1. Application Port下拉選單中選擇FTD應用程式Ethernet1/2,然後在Application Capture Direction中選擇All Packets。提供會話名稱,然後按一下儲存並運行以啟用捕獲

    fcm_s3_t2_bckp_et1_2_all_save_run

    FXOS CLI

    按照FXOS CLI上的以下步驟配置背板介面上的資料包捕獲:

    The following steps on FXOS CLI were used to configure the data packs on the backboard interface:

    1. 辨識應用程式型別和辨識碼:
    firepower# scope ssa
    firepower /ssa#  show app-instance
    App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State   Cluster Role
    ---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
    ftd        ftd1       1          Enabled     Online           7.2.0.82        7.2.0.82        Native      No                      Not Applicable  None
    1. 建立擷取階段作業:
    firepower# scope packet-capture
    firepower /packet-capture # create session cap1
    firepower /packet-capture/session* # create phy-port eth1/2
    firepower /packet-capture/session/phy-port* # set app-identifier ftd1
    firepower /packet-capture/session/phy-port* # exit
    firepower /packet-capture/session* # create app-port 1 link12 Ethernet1/2 ftd
    firepower /packet-capture/session/app-port* # set app-identifier ftd1
    firepower /packet-capture/session* # enable
    firepower /packet-capture/session* # commit
    firepower /packet-capture/session # commit

    驗證

    Verify/strong>

    FCM

    驗證介面名稱,確保Operational Status為up且File Size (in bytes)增加:

    Validation of the interface , ensuring that Operational Status is for the group and that File Size (in bytes) adds:

    fcm_s3_t2_bckp_eth_1_2_pcap_verify

    FXOS CLI

    驗證scope packet-capture中的捕獲詳細資訊:

    More detailed information on the capture in copet-capture:

    firepower# scope packet-capture 
    firepower /packet-capture #  show session cap1

    Traffic Monitoring Session:
        Packet Capture Session Name: cap1
        Session: 1
        Admin State: Enabled
        Oper State: Up
        Oper State Reason: Active
        Config Success: Yes
        Config Fail Reason:
        Append Flag: Overwrite
        Session Mem Usage: 256  MB
        Session Pcap Snap Len: 1518  Bytes
        Error Code: 0
        Drop Count: 0

    Physical ports involved in Packet Capture:
        Slot Id: 1
        Port Id: 2
        Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-2-0.pcap
        Pcapsize: 410444  bytes
        Filter:
        Sub Interface: 0
        Application Instance Identifier: ftd1
        Application Name: ftd

    Application ports involved in Packet Capture:
        Slot Id: 1
        Link Name: link12
        Port Name: Ethernet1/2
        App Name: ftd
        Sub Interface: 0
        Application Instance Identifier: ftd1

    Application ports resolved to:
        Name: vnic1
        Eq Slot Id: 1
        Eq Port Id: 9
        Pcapfile: /workspace/packet-capture/session-1/cap1-vethernet-1036.pcap
        Pcapsize: 128400  bytes
        Vlan: 102
        Filter:

        Name: vnic2
        Eq Slot Id: 1
        Eq Port Id: 10
        Pcapfile: /workspace/packet-capture/session-1/cap1-vethernet-1175.pcap
        Pcapsize: 2656  bytes
        Vlan: 102
        Filter:

    收集捕獲檔案

    collects capture files

    按照收集Firepower 4100/9300內部交換機捕獲檔案部分中的步驟操作。

    Collecter of Firepower 4100/9300 internal switchboards in accordance with of the file.

    捕獲檔案分析

    capture file analysis

    使用資料包捕獲檔案讀取器應用程式打開捕獲檔案。如果有多個背板介面,請確保打開每個背板介面的所有捕獲檔案。  在這種情況下,封包會在背板介面Ethernet1/9上擷取。

    Open the capture file using the file reader application in the data pack. If there are multiple backboard interfaces, make sure that all capture files in each backboard interface are opened. & nbsp; in this case, the envelope will be retrieved on the backboard interface 1/9.

    打開介面Ethernet1/2的捕獲檔案,選擇第一個資料包,然後檢查要點:

    Open access to Ethernet1/2 capture files, select the first data package and check the point:

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入用於辨識輸入介面Ethernet1/2的其他埠VLAN標籤102
    4. 內部開關插入一個附加VN標籤。

    pcap_s3_t2_eth1_2_1

    選擇第二個資料包並檢查要點:

    Select the second package and check the point:

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入用於辨識輸入介面Ethernet1/2的其他埠VLAN標籤102

    pcap_s3_t2_eth1_2_2

    打開介面Ethernet1/9的捕獲檔案,選擇第一個和第二個資料包,然後檢查要點:

    Open access to Ethernet1/9 capture files, select the first and second data packs and check the point:

    1. 捕獲每個ICMP回應應答並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入用於辨識輸出介面Ethernet1/2的其他埠VLAN標籤102
    4. 內部開關插入一個附加VN標籤。

    pcap_s3_t2_eth1_9_1pcap_s3_t2_eth1_9_2

    說明

    Help

    如果選擇應用捕獲方向中的所有資料包選項,則會配置與所選應用埠Ethernet1/2相關的2個同時資料包捕獲:前介面Ethernet1/2上的捕獲以及所選背板介面上的捕獲。

    If is selected for all

    在前端介面上設定封包擷取時,交換器會同時擷取每個封包兩次:

    When you set a package on the front interface, the switch will take each package twice at the same time:

    • 在插入埠VLAN標籤之後。
    • 在插入VN標籤之後。

    按照操作順序,VN標籤在比埠VLAN標籤插入更晚的階段插入。但在捕獲檔案中,帶有VN標籤的資料包比帶有埠VLAN標籤的資料包顯示得更早。在本範例中,ICMP回應要求封包中的VLAN標籤102將Ethernet1/2辨識為輸入介面。

    In accordance with the operating order, the VN tag is inserted in a later stage than the port VLAN tag. However, in the captured file, the package with the VN tag is displayed earlier than the package with the port VLAN tag. In this example, ICMP responded to the request that the VLAN tag 102 in the package identify Ethernet1/2 as an interface.

    在背板介面上設定封包擷取時,交換器會同時擷取每個封包兩次。內部交換機接收已由安全模組上的應用標籤了埠VLAN標籤和VN標籤的資料包。埠VLAN標籤標識內部機箱用於將資料包轉發到網路的輸出介面。在本例中,ICMP應答資料包中的VLAN標籤102將Ethernet1/2標識為輸出介面。

    When you set a package on the backboard interface, the switcher takes each package twice at the same time. The internal switcher receives the package with the port VLAN and VN tags that have been marked by the application on the security module. The port VLAN tags the internal box for sending the package to the output interface. In this case, the VLAN tag 102 in the ICMP responded to the package uses Ethernet 1/2 as an input.

    在將資料包轉發到網路之前,內部交換機刪除VN標籤和內部介面VLAN標籤。

    Before sending the package to the Internet, the internal switchboard deletes the VN tag and the internal interface VLAN tag.

    此表格總結列出作業:

    The summary of this table lists the homework:

    工作

    捕獲點

    /strang'

    捕獲的資料包中的內部埠VLAN

    The inside port of the captured kit VLAN

    方向

    捕獲的流量

    captured traffic

    配置並驗證應用和應用程式埠Ethernet1/2上的捕獲資訊

    Configure and verify capture information on the application and application port Ethernet1/2

    背板介面

    Backboard Interface

    102

    僅限入口

    Access only

    從主機198.51.100.100到主機192.0.2.100的ICMP回應應答

    ICMP response from host 198.51.10.100 to host 192.02.100

    Interface Ethernet1/2

    102

    僅限入口

    Access only

    從主機192.0.2.100到主機198.51.100.100的ICMP回應請求

    From host 192.02.100 to host 198.51.10.100 ICMP response

    使用FCM和CLI在子介面Ethernet1/2.205或埠通道子介面Portchannel1.207上配置和驗證資料包捕獲。只有在容器模式下使用FTD應用程式時,才支援子介面上的子介面和擷取。在這種情況下,會在Ethernet1/2.205和Portchannel1.207上設定封包擷取。

    FCM and CLI are used to configure and authenticate the data package on the submedial Ethernet 1/2.205 or Portchannel interface Portchannel 1.207. Only when the FTD application is used in the container mode is supported with the submedial interface and extraction. In this case, envelopes are set up on the Ethernet 1/2.205 and Portchannel 1.207.

    拓撲、資料包流和捕獲點

    pings, data packs, catch points

    ch_4k_9k_flow_s5_t1_eth1_2_205_1ch_4k_9k_flow_s5_t1_po1_207_2

    組態

    /strang'

    FCM

    按照FCM上的以下步驟,在FTD應用程式和應用程式連線埠Ethernet1/2上設定封包擷取:

    Set package extraction on the FTD application and application port Ethernet1/2 in accordance with the following steps on FCM:

    1. 使用Tools > Packet Capture > Capture Session建立新的捕獲會話

    fcm_s_all_cap_session

    1. 選擇特定應用程式例項ftd1(子介面Ethernet1/2.205),提供會話名稱,然後按一下Save and Run啟用捕獲:

    fcm_s5_t1_bckp_et1_2_205_1_save_run

    3. 對於埠通道子介面,由於Cisco bug ID CSCvq33119子介面在FCM中是不可見的。使用FXOS CLI在埠通道子介面上配置捕獲。

    3. For port interfaces, the CSCVq33119 interface is not visible in FCM from Cisco bug ID

    FXOS CLI

    按照FXOS CLI上的以下步驟在子介面Ethernet1/2.205和Portchannel1.207上配置資料包捕獲:

    The following steps on FXOS CLI were taken to configure the data packs on the submedial Ethernet 1/2.205 and Portchannel 1.207:

    1. 辨識應用程式型別和辨識碼:
    firepower# scope ssa
    firepower /ssa #  show app-instance
    App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State   Cluster Role
    ---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
    ftd        ftd1       1          Enabled     Online           7.2.0.82        7.2.0.82        Container   No         RP20         Not Applicable  None
    ftd        ftd2       1          Enabled     Online           7.2.0.82        7.2.0.82        Container   No         RP20         Not Applicable  None
    1. 對於埠通道介面,請確定其成員介面:
    firepower# connect fxos
    <output skipped>
    firepower(fxos)# show port-channel summary
    Flags:  D - Down        P - Up in port-channel (members)
            I - Individual  H - Hot-standby (LACP only)
            s - Suspended   r - Module-removed
            S - Switched    R - Routed
            U - Up (port-channel)
            M - Not in use. Min-links not met
    --------------------------------------------------------------------------------
    Group Port-       Type     Protocol  Member Ports
          Channel
    --------------------------------------------------------------------------------
    1     Po1(SU)     Eth      LACP      Eth1/3(P)    Eth1/3(P)   
    1. 建立擷取階段作業:
    firepower# scope packet-capture 
    firepower /packet-capture # create session cap1
    firepower /packet-capture/session* # create phy-port Eth1/2
    firepower /packet-capture/session/phy-port* # set app ftd
    firepower /packet-capture/session/phy-port* # set app-identifier ftd1
    firepower /packet-capture/session/phy-port* # set subinterface 205
    firepower /packet-capture/session/phy-port* # up
    firepower /packet-capture/session* # enable
    firepower /packet-capture/session* # commit
    firepower /packet-capture/session #

    對於埠通道子介面,請為每個埠通道成員介面建立一個資料包捕獲:

    For port channel interfaces, create a data package for each port channel member interface to capture:

    firepower#  scope packet-capture 
    firepower /packet-capture # create filter vlan207
    firepower /packet-capture/filter* # set ovlan 207
    firepower /packet-capture/filter* # up
    firepower /packet-capture* # create session cap1
    firepower /packet-capture/session*  create phy-port Eth1/3
    firepower /packet-capture/session/phy-port* # set app ftd
    firepower /packet-capture/session/phy-port* # set app-identifier ftd1
    firepower /packet-capture/session/phy-port* # set subinterface 207    
    firepower /packet-capture/session/phy-port* # up
    firepower /packet-capture/session* # create phy-port Eth1/4
    firepower /packet-capture/session/phy-port* # set app ftd           
    firepower /packet-capture/session/phy-port* # set app-identifier ftd1
    firepower /packet-capture/session/phy-port* # set subinterface 207    
    firepower /packet-capture/session/phy-port* # up
    firepower /packet-capture/session* # enable
    firepower /packet-capture/session* # commit
    firepower /packet-capture/session #

    驗證

    Verify/strong>

    FCM

    驗證介面名稱,確保Operational Status為up且File Size (in bytes)增加:

    Validation of the interface , ensuring that Operational Status is for the group and that File Size (in bytes) adds:

    fcm_s5_t1_eth_1_2_205_1

    在FXOS CLI上配置的埠通道子介面捕獲在FCM上也可以看到;但是,無法編輯這些捕獲:

    Port interfaces configured on FXOS CLI can also be found on FCM; however, it is not possible to edit these catches:

    fcm_s5_t1_po1_207_1

    FXOS CLI

    驗證scope packet-capture中的捕獲詳細資訊:

    More detailed information on the capture in copet-capture:

    firepower# scope packet-capture 
    firepower /packet-capture # show session cap1

    Traffic Monitoring Session:
        Packet Capture Session Name: cap1
        Session: 1
        Admin State: Enabled
        Oper State: Up
        Oper State Reason: Active
        Config Success: Yes
        Config Fail Reason:
        Append Flag: Overwrite
        Session Mem Usage: 256  MB
        Session Pcap Snap Len: 1518  Bytes
        Error Code: 0
        Drop Count: 0

    Physical ports involved in Packet Capture:
        Slot Id: 1
        Port Id: 2
        Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-2-0.pcap
        Pcapsize: 9324  bytes
        Filter:
        Sub Interface: 205
        Application Instance Identifier: ftd1
        Application Name: ftd

    帶有成員介面Ethernet1/3和Ethernet1/4的Port-channel 1:

    Port-channel 1/3 and Ethernet 1/4 with member interfaces:

    firepower# scope packet-capture 
    firepower /packet-capture # show session cap1

    Traffic Monitoring Session:
        Packet Capture Session Name: cap1
        Session: 1
        Admin State: Enabled
        Oper State: Up
        Oper State Reason: Active
        Config Success: Yes
        Config Fail Reason:
        Append Flag: Overwrite
        Session Mem Usage: 256  MB
        Session Pcap Snap Len: 1518  Bytes
        Error Code: 0
        Drop Count: 0

    Physical ports involved in Packet Capture:
        Slot Id: 1
        Port Id: 3
        Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-3-0.pcap
        Pcapsize: 160  bytes
        Filter:
        Sub Interface: 207
        Application Instance Identifier: ftd1
        Application Name: ftd
        Slot Id: 1
        Port Id: 4
        Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-4-0.pcap
        Pcapsize: 624160  bytes
        Filter:
        Sub Interface: 207
        Application Instance Identifier: ftd1
        Application Name: ftd

    收集捕獲檔案

    collects capture files

    按照收集Firepower 4100/9300內部交換機捕獲檔案部分中的步驟操作。

    Collecter of Firepower 4100/9300 internal switchboards in accordance with of the file.

    捕獲檔案分析

    capture file analysis

    使用資料包捕獲檔案讀取器應用程式打開捕獲檔案。選擇第一個資料包並檢查要點:

    Open the capture file using the file reader application. Select the first package and check the point:

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭具有VLAN標籤205
    3. 內部交換機插入用於辨識輸入介面Ethernet1/2的其他埠VLAN標籤102
    4. 內部開關插入一個附加VN標籤。

    pcap_s5_t1_eth1_2_205_1

    選擇第二個資料包並檢查要點:

    Select the second package and check the point:

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭具有VLAN標籤205

    pcap_s5_t1_eth1_2_205_2

    現在開啟Portchannel1.207的擷取檔案。選擇第一個資料包並檢查要點

    Opens the Portchannel 1.207 extraction file now. Select the first package and check the point

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭具有VLAN標籤207
    3. 內部交換機插入一個額外的埠VLAN標籤1001,用於辨識輸入介面Portchannel1。
    4. 內部開關插入一個附加VN標籤。

    pcap_s5_t1_po1_207_1

    選擇第二個資料包並檢查要點:

    Select the second package and check the point:

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭具有VLAN標籤207。

    pcap_s5_t1_po1_207_2

    說明

    Help

    在前端介面上設定封包擷取時,交換器會同時擷取每個封包兩次:

    When you set a package on the front interface, the switch will take each package twice at the same time:

    • 在插入埠VLAN標籤之後。
    • 在插入VN標籤之後。

    按照操作順序,VN標籤在比埠VLAN標籤插入更晚的階段插入。但在捕獲檔案中,帶有VN標籤的資料包比帶有埠VLAN標籤的資料包顯示得更早。此外,對於子介面,在捕獲檔案中,每秒資料包不包含埠VLAN標籤。

    In accordance with the operating order, the VN tag is inserted in a later stage than the port VLAN tag. However, in the capture file, the data package with the VN tag is displayed earlier than the data package with the port VLAN tag. Moreover, for the submedia, in the capture file, the data package does not contain the port VLAN tag.

    此表格總結列出作業:

    The summary of this table lists the homework:

    工作

    捕獲點

    /strang'

    捕獲的資料包中的內部埠VLAN

    The inside port of the captured kit VLAN

    方向

    捕獲的流量

    captured traffic

    在子介面Ethernet1/2.205上配置並檢驗資料包捕獲

    Configure and verify data pack capture on submedial Ethernet 1/2.205

    Ethernet1/2.205

    102

    僅限入口

    Access only

    從主機192.0.2.100到主機198.51.100.100的ICMP回應請求

    From host 192.02.100 to host 198.51.10.100 ICMP response

    在帶有成員介面Ethernet1/3和Ethernet1/4的Portchannel1子介面上配置並檢驗資料包捕獲

    Configure and verify data pack capture on Portchannel 1 interface with Ethernet1/3 and Ethernet1/4

    Ethernet1/3

    Ethernet1/4

    1001

    僅限入口

    Access only

    從192.168.207.100到主機192.168.207.102的ICMP回應請求

    From 192.168.207.100 to host ICMP 192.168.206.102 to respond to requests

    使用FCM和CLI在帶有過濾器的介面Ethernet1/2上配置並驗證資料包捕獲。

    Use FCM and CLI to configure and verify data pack captures on the Ethernet1/2 interface with filters.

    拓撲、資料包流和捕獲點

    pings, data packs, catch points

    ch_4k_9k_flow_s4_t1_eth1_2_1

    組態

    /strang'

    FCM

    按照FCM上的以下步驟,為從主機192.0.2.100到主機198.51.100.100的ICMP回應請求資料包配置捕獲過濾器,並將其應用於介面Ethernet1/2上的資料包捕獲:

    In accordance with the following steps on FCM, ICMP packages from host 192.02.100 to host 198.51.10.100 have been configured to capture filters and have been used for the package on interface Ethernet 1/2:

    1. 使用Tools > Packet Capture > Filter List > Add Filter建立捕獲過濾器。

      Create filters using Tools & gt; Packet Capture & gt; Filter List & gt; Add Filter.

    2. 指定Filter Name, Protocol, Source IPv4, Destination IPv4,然後按一下Save:

    fcm_s4_t1_filter_icmp

    1. 使用Tools > Packet Capture > Capture Session建立新的捕獲會話

    fcm_s_all_cap_session

    1. 選擇Ethernet1/2,提供會話名稱,應用捕獲過濾器並按一下Save and Run以啟用捕獲

    fcm_s4_t1_filter_icmp_eth1_2_save_run

    FXOS CLI

    按照FXOS CLI上的以下步驟配置背板介面上的資料包捕獲:

    The following steps on FXOS CLI were used to configure the data packs on the backboard interface:

    1. 辨識應用程式型別和辨識碼:
    firepower# scope ssa
    firepower /ssa#  show app-instance
    App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State   Cluster Role
    ---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
    ftd        ftd1       1          Enabled     Online           7.2.0.82        7.2.0.82        Native      No                      Not Applicable  None

    2. 在https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml中確定IP協定號。在本例中,ICMP協定號是1。

    2. The IP protocol number is defined in . In this case, the ICMP protocol number is 1.

    3. 建立擷取階段作業:

    3. Establishment of the extraction phase:

    1. firepower# scope packet-capture 
      firepower /packet-capture # create filter filter_icmp
      firepower /packet-capture/filter* # set destip 198.51.100.100
      firepower /packet-capture/filter* # set protocol 1
      firepower /packet-capture/filter* # set srcip 192.0.2.100
      firepower /packet-capture/filter* # exit
      firepower /packet-capture* # create session cap1
      firepower /packet-capture/session* # create phy-port Ethernet1/2
      firepower /packet-capture/session/phy-port* # set app ftd
      firepower /packet-capture/session/phy-port* # set app-identifier ftd1
      firepower /packet-capture/session/phy-port* # set filter filter_icmp
      firepower /packet-capture/session/phy-port* # exit
      firepower /packet-capture/session* # enable
      firepower /packet-capture/session* # commit
      firepower /packet-capture/session #

    驗證

    Verify/strong>

    FCM

    驗證介面名稱,確保Operational Status為up且File Size (in bytes)增加:

    Validation of the interface , ensuring that Operational Status is for the group and that File Size (in bytes) adds:

    fcm_s4_t1_filter_icmp_verify

    Tools > Packet Capture > Capture Session中,驗證介面名稱和過濾器,確保Operational Status為up且File Size (bytes)增加:

    In Tools & gt; Packet Capture & gt; Capture Session, verify interface names and filtersOperial StatusFile Size(bytes) add:

    fcm_s4_t1_eth_1_2_pcap_verify

    FXOS CLI

    驗證scope packet-capture中的捕獲詳細資訊:

    More detailed information on the capture in copet-capture:

    firepower# scope packet-capture 
    firepower /packet-capture # show filter detail

    Configure a filter for packet capture:
        Name: filter_icmp
        Protocol: 1
        Ivlan: 0
        Ovlan: 0
        Src Ip: 192.0.2.100
        Dest Ip: 198.51.100.100
        Src MAC: 00:00:00:00:00:00
        Dest MAC: 00:00:00:00:00:00
        Src Port: 0
        Dest Port: 0
        Ethertype: 0
        Src Ipv6: ::
        Dest Ipv6: ::
    firepower /packet-capture # show session cap1

    Traffic Monitoring Session:
        Packet Capture Session Name: cap1
        Session: 1
        Admin State: Enabled
        Oper State: Up
        Oper State Reason: Active
        Config Success: Yes
        Config Fail Reason:
        Append Flag: Overwrite
        Session Mem Usage: 256  MB
        Session Pcap Snap Len: 1518  Bytes
        Error Code: 0
        Drop Count: 0

    Physical ports involved in Packet Capture:
        Slot Id: 1
        Port Id: 2
        Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-2-0.pcap
        Pcapsize: 213784  bytes
        Filter: filter_icmp
        Sub Interface: 0
        Application Instance Identifier: ftd1
        Application Name: ftd

    收集捕獲檔案

    collects capture files

    按照收集Firepower 4100/9300內部交換機捕獲檔案部分中的步驟操作。

    Collecter of Firepower 4100/9300 internal switchboards in accordance with of the file.

    捕獲檔案分析

    capture file analysis

    使用資料包捕獲檔案讀取器應用程式打開捕獲檔案。選擇第一個資料包並檢查要點

    Open the capture file using the file reader application. Select the first package and check the point

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入用於辨識輸入介面Ethernet1/2的其他埠VLAN標籤102
    4. 內部開關插入一個附加VN標籤。

    pcap_s4_t1_eth1_2_1

    選擇第二個資料包,並檢查要點:

    Select the second package and check the point:

    1. 僅捕獲ICMP回應請求資料包。捕獲每個資料包並顯示2次。
    2. 原始資料包報頭沒有VLAN標籤。
    3. 內部交換機插入用於辨識輸入介面Ethernet1/2的其他埠VLAN標籤102

    pcap_s4_t1_eth1_2_2

    說明

    Help

    在前端介面上設定封包擷取時,交換器會同時擷取每個封包兩次:

    When you set a package on the front interface, the switch will take each package twice at the same time:

    • 在插入埠VLAN標籤之後。
    • 在插入VN標籤之後。

    按照操作順序,VN標籤在比埠VLAN標籤插入更晚的階段插入。但在捕獲檔案中,帶有VN標籤的資料包比帶有埠VLAN標籤的資料包顯示得更早。

    In the operating order, the VN tag is inserted at a later stage than the port VLAN tag. However, in the capture file, the bag with the VN tag is displayed earlier than the bag with the port VLAN tag.

    應用捕獲過濾器時,僅捕獲與入口方向上的過濾器匹配的資料包。

    When the filter is captured, only the package matching the filter in the direction of the entrance is captured.

    此表格總結列出作業:

    The summary of this table lists the homework:

    工作

    捕獲點

    /strang'

    捕獲的資料包中的內部埠VLAN

    The inside port of the captured kit VLAN

    方向

    使用者篩選

    User Selection

    捕獲的流量

    captured traffic

    在前介面Ethernet1/2上使用過濾器配置並檢驗資料包捕獲

    Used filter configuration and verified data pack capture on front Ethernet1/2

    Ethernet1/2

    102

    僅限入口

    Access only

    協定:ICMP

    Agreed: ICMP

    來源:192.0.2.100

    Source: 192.2.2.100

    目的地: 198.51.100.100

    Destination: 198.51.10.100

    從主機192.0.2.100到主機198.51.100.100的ICMP回應請求

    From host 192.02.100 to host 198.51.10.100 ICMP response

    FCM

    按照FCM上的以下步驟收集內部交換機捕獲檔案:

    Collect internal switchboard capture files according to the following steps on FCM:

    1. 按一下Disable Session按鈕停止活動捕獲:

    fcm_cap_stop

    1. 確保運行狀態為DOWN - Session_Admin_Shut:

    fcm_cap_stop_oper_down

    1. 按一下Download以下載捕獲檔案:

    fcm_cap_download

    對於埠通道介面,請對每個成員介面重複此步驟。

    For port interfaces, repeat this step for each member.

    FXOS CLI

    按照FXOS CLI上的以下步驟收集捕獲檔案:

    Collect capture files according to the following steps on FXOS CLI:

    1. 停止活動捕獲:
    firepower# scope packet-capture 
    firepower /packet-capture # scope session cap1
    firepower /packet-capture/session # disable
    firepower /packet-capture/session* # commit
    firepower /packet-capture/session # up
    firepower /packet-capture # show session cap1 detail

    Traffic Monitoring Session:
        Packet Capture Session Name: cap1
        Session: 1
        Admin State: Disabled
        Oper State: Down
        Oper State Reason: Admin Disable
        Config Success: Yes
        Config Fail Reason:
        Append Flag: Overwrite
        Session Mem Usage: 256  MB
        Session Pcap Snap Len: 1518  Bytes
        Error Code: 0
        Drop Count: 0

    Physical ports involved in Packet Capture:
        Slot Id: 1
        Port Id: 2
        Pcapfile: /workspace/packet-capture/session-1/cap1-ethernet-1-2-0.pcap
        Pcapsize: 115744  bytes
        Filter:
        Sub Interface: 0
        Application Instance Identifier: ftd1
        Application Name: ftd
    1. local-mgmt命令作用域上傳捕獲檔案:
    firepower# connect local-mgmt
    firepower(local-mgmt)# copy /packet-capture/session-1/cap1-ethernet-1-2-0.pcap ?
      ftp:        Dest File URI
      http:       Dest File URI
      https:      Dest File URI
      scp:        Dest File URI
      sftp:       Dest File URI
      tftp:       Dest File URI
      usbdrive:   Dest File URI
      volatile:   Dest File URI
      workspace:  Dest File URI

    firepower(local-mgmt)# copy /packet-capture/session-1/cap1-ethernet-1-2-0.pcap ftp://ftpuser@10.10.10.1/cap1-ethernet-1-2-0.pcap
    Password:

    對於埠通道介面,請為每個成員介面複製捕獲檔案。

    For port interfaces, copy files for each member interface.

    有關與Firepower 4100/9300內部交換機捕獲相關的準則和限制,請參閱Cisco Firepower 4100/9300 FXOS機箱管理器配置指南Cisco Firepower 4100/9300 FXOS CLI配置指南故障排除一章的資料包捕獲部分。

    For guidelines and restrictions relating to the capture of the Firepower 4100/9300 internal switchboard, please refer to Cisco Firepower 4100/9300 FXOS box manager configuration guidelines or Cisco Firepower 4100/9300 FXOS CLI configuration guidelines > .

    這是基於TAC案例中資料包捕獲使用情況的最佳實踐清單:

    This is the best list of applications based on data pack capture in the TAC case:

    • 瞭解指南和限制。
    • 捕獲所有埠通道成員介面上的資料包並分析所有捕獲檔案。
    • 使用擷取篩選條件.
    • 考慮配置捕獲過濾器時NAT對資料包IP地址的影響。
    • 增加或減少用於指定幀大小的Snap Len,以防其與預設值1518位元組不同。較短的大小導致捕獲的資料包數量增加,反之亦然。
    • 視需要調整緩衝區大小
    • 請注意FCM或FXOS CLI上的Drop Count。一旦達到緩衝區大小限制,丟棄計數計數器就會增加。
    • 在Wireshark上使用過濾器!vntag以僅顯示不帶VN標籤的資料包。這對於在前端介面資料包捕獲檔案中隱藏VN標籤資料包很有用。
    • 在Wireshark上使用frame.number&1過濾器僅顯示奇數幀。這對於隱藏背板介面資料包捕獲檔案中的重複資料包很有用。
    • 對於TCP之類的協定,Wireshark預設應用著色規則,以不同顏色顯示具有特定條件的資料包。如果由於捕獲檔案中存在重複的資料包而導致內部交換機捕獲,則資料包可能會以誤報的方式進行著色和標籤。如果分析資料包捕獲檔案並應用任何過濾器,則將顯示的資料包導出到新檔案並打開新檔案。

    與Firepower 4100/9300不同,安全防火牆3100/4200上的內部交換機捕獲透過capture <name> switch命令在應用程式命令列介面上配置,其中switch選項指定捕獲在內部交換機上配置。

    Unlike Firepower 4100/9300, the internal switchboard on the security firewall 3100/4200 has been captured through capture & lt; name > switch commands configured on the application command interface, where switch options specify that the catch is configured on the internal switchboard.

    以下是具有switch選項的capture命令:

    The following is the order of capture with the option switch:

    > capture cap_sw switch ?
      buffer         Configure size of capture buffer, default is 256MB
      ethernet-type  Capture Ethernet packets of a particular type, default is IP
      interface      Capture packets on a specific interface
      ivlan          Inner Vlan
      match          Capture packets based on match criteria
      ovlan          Outer Vlan
      packet-length  Configure maximum length to save from each packet, default is
                     64 bytes
      real-time      Display captured packets in real-time. Warning: using this
                     option with a slow console connection may result in an
                     excessive amount of non-displayed packets due to performance
                     limitations.
      stop           Stop packet capture
      trace          Trace the captured packets
      type           Capture packets based on a particular type
      <cr>

    資料包捕獲配置的一般步驟如下:

    The general steps taken to capture the package are as follows:

    1. 指定入口介面:

    交換機捕獲配置接受輸入介面nameif。使用者可以指定資料介面名稱、內部上行鏈路或管理介面:

    The switcher capture configuration accepts the interface nameif. The user can specify a data interface name, an internal uplink or an administrative interface:

    > capture capsw switch interface ?
    Available interfaces to listen:
      in_data_uplink1  Capture packets on internal data uplink1 interface
      in_mgmt_uplink1  Capture packets on internal mgmt uplink1 interface
      inside           Name of interface Ethernet1/1.205

      management       Name of interface Management1/1


    安全防火牆4200支援雙向捕獲。除非另有指定,否則預設值為ingress


    The security firewall 4200 supports two-way capture. Unless otherwise specified, the default value is ingress:

    > capture capi switch interface inside direction
      both     To capture switch bi-directional traffic
      egress   To capture switch egressing traffic
      ingress  To capture switch ingressing traffic

    此外,安全防火牆4245具有2個內部資料和2個管理上行鏈路介面:

    In addition, security firewall 4245 has 2 internal data and 2 management uplinks:

    > capture capsw switch interface
      eventing         Name of interface Management1/2
      in_data_uplink1  Capture packets on internal data uplink1 interface
      in_data_uplink2  Capture packets on internal data uplink2 interface
      in_mgmt_uplink1  Capture packets on internal mgmt uplink1 interface
      in_mgmt_uplink2  Capture packets on internal mgmt uplink2 interface
      management       Name of interface Management1/1
    1. 指定乙太網幀EtherType。預設EtherType為IP。ethernet-type選項值指定EtherType:
    > capture capsw switch interface inside ethernet-type ?
      802.1Q    
      <0-65535>  Ethernet type
      arp       
      ip        
      ip6       
      pppoed    
      pppoes    
      rarp      
      sgt       
      vlan    
    1. 指定匹配條件。捕獲匹配選項指定匹配條件:
    > capture capsw switch interface inside match ?
      <0-255>  Enter protocol number (0 - 255)
      ah      
      eigrp   
      esp     
      gre     
      icmp    
      icmp6   
      igmp    
      igrp    
      ip      
      ipinip  
      ipsec   
      mac      Mac-address filter
      nos     
      ospf    
      pcp     
      pim     
      pptp    
      sctp    
      snp     
      spi      SPI value
      tcp     
      udp     
      <cr>
    1. 指定其他可選引數,例如緩衝區大小、資料包長度等。
    2. 啟用捕獲。no capture <name> switch stop命令會啟用捕獲
    > capture capsw switch interface inside match ip 
    > no capture capsw switch stop
    1. 驗證捕獲詳細資訊:
    • 管理狀態為enabled,操作狀態為up和活動。
    • 資料包捕獲檔案大小 Pcapsize增加。
    • show capture <cap_name>的輸出中捕獲的資料包數非零。
    • 擷取路徑Pcapfile。捕獲的資料包將自動儲存在/mnt/disk0/packet-capture/資料夾中。
    • 捕獲條件。軟體將根據捕獲條件自動建立捕獲過濾器。
    > show capture capsw   
    27 packet captured on disk using switch capture
    Reading of capture file from disk is not supported

    > show capture capsw  detail
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       enabled
      Oper State:        up
      Oper State Reason: Active
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 1
    Physical port:
      Slot Id:           1
      Port Id:           1
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
      Pcapsize:          18838
      Filter:            capsw-1-1

    Packet Capture Filter Info
      Name:              capsw-1-1
      Protocol:          0
      Ivlan:             0
      Ovlan:             205
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0
    0 packet captured on disk using switch capture
    Reading of capture file from disk is not supported
    1. 必要時停止捕獲:
    > capture capsw switch stop 
    > show capture capsw detail
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       disabled
      Oper State:        down
      Oper State Reason: Session_Admin_Shut
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0
    Total Physical ports involved in Packet Capture: 1

    Physical port:
      Slot Id:           1
      Port Id:           1
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
      Pcapsize:          24
      Filter:            capsw-1-1

    Packet Capture Filter Info
      Name:              capsw-1-1
      Protocol:          0
      Ivlan:             0
      Ovlan:             205
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0
    0 packet captured on disk using switch capture
    Reading of capture file from disk is not supported

    8. 收集擷取檔案。按照收集安全防火牆內部交換機捕獲檔案部分中的步驟操作。

    在安全防火牆軟體版本7.4中,FMC或FDM不支援內部交換機捕獲配置。在ASA軟體版本9.18(1)及更高版本中,可以在ASDM版本7.18.1.x及更高版本中配置內部交換機捕獲。

    In version 7.4 of the security firewall software, FMC or FDM does not support in-house switch capture. In version 9.18 (1) and above of the ASA software, inside switch capture can be configured in version 7.18.1.x and above of the ASDM software.

    這些場景包括安全防火牆3100/4200內部交換機捕獲的常見使用案例。

    These scenes include common usage cases captured by the security firewall 3100/4200 inside the switchboard.

    使用FTD或ASA CLI在介面Ethernet1/1或Portchannel1介面上配置和驗證資料包捕獲。兩個介面都具有nameif inside

    Configure and authenticate the data packs using the FTD or ASA CLI interface 1/1 or Portchannel1. Both interfaces have the nameif inside.

    拓撲、資料包流和捕獲點

    pings, data packs, catch points

    安全防火牆3100:

    Security firewall 3100:

    ch_3k_flow_s1_t1_eth1_1_port_all

    具有雙向捕獲功能的安全防火牆4200:

    Safety firewall 4200 with two-way capture function:

    ch_4200_flow_s1_t1_eth1_1_port_all

    組態

    /strang'

    在ASA或FTD CLI上執行以下步驟,在介面Ethernet1/1或Port-channel1上配置資料包捕獲:

    Run the following steps on ASA or FTD CLI and configure the data pack on interface Ethernet1/1 or Port-channel1:

    1. 驗證nameif:
    > show nameif 
    Interface                Name                     Security
    Ethernet1/1              inside                     0
    Ethernet1/2              outside                    0
    Management1/1            diagnostic                 0
    > show nameif 
    Interface                Name                     Security
    Port-channel1            inside                    0
    Ethernet1/2              outside                    0
    Management1/1            diagnostic                 0
    1. 建立擷取階段作業
    > capture capsw switch interface inside

    安全防火牆4200支援捕獲方向性:

    Security firewall 4200 supports capture directional:

    > capture capsw switch interface inside direction ?
    both To capture switch bi-directional traffic
    egress To capture switch egressing traffic
    ingress To capture switch ingressing traffic

    > capture capsw switch interface inside direction both
    1. 啟用擷取階段作業:
    > no capture capsw switch stop

    驗證

    Verify/strong>

    驗證捕獲會話名稱、管理和操作狀態、介面插槽和識別符號。確保Pcapsize值(以位元組為單位)增加且捕獲的資料包數非零:

    Verify to capture session names, management and operating status, interface slots and identifiers. Ensure that the value of Pcapsize (in bytes) is increased and the number of packages captured is not zero:

    > show capture capsw detail
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       enabled
      Oper State:        up
      Oper State Reason: Active
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 1

    Physical port:
      Slot Id:           1
      Port Id:           1
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
      Pcapsize:          12653
      Filter:            capsw-1-1

    Packet Capture Filter Info
      Name:              capsw-1-1
      Protocol:          0
      Ivlan:             0
      Ovlan:             0
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0

    79 packets captured on disk using switch capture

    Reading of capture file from disk is not supported

    安全防火牆4200:

    Security firewall 4200:

    > show cap capsw detail
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       enabled
      Oper State:        up
      Oper State Reason: Active
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 1

    Physical port:
      Slot Id:           1
      Port Id:           1
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
      Pcapsize:          0
      Direction:         both
      Drop:              disable
      Filter:            capsw-1-1

    Packet Capture Filter Info
      Name:              capsw-1-1
      Protocol:          0
      Ivlan:             0
      Ovlan:             0
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0
    33 packet captured on disk using switch capture

    Reading of capture file from disk is not supported

    對於Port-channel1,捕獲在所有成員介面上配置:

    For Port-channel1, capture is configured on all member interfaces:

    > show capture capsw detail 
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       enabled
      Oper State:        up
      Oper State Reason: Active
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 2

    Physical port:
      Slot Id:           1
      Port Id:           4
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-4-0.pcap
      Pcapsize:          28824
      Filter:            capsw-1-4

    Packet Capture Filter Info
      Name:              capsw-1-4
      Protocol:          0
      Ivlan:             0
      Ovlan:             0
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Physical port:
      Slot Id:           1
      Port Id:           3
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-3-0.pcap
      Pcapsize:          18399
      Filter:            capsw-1-3

    Packet Capture Filter Info
      Name:              capsw-1-3
      Protocol:          0
      Ivlan:             0
      Ovlan:             0
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0

    56 packet captured on disk using switch capture

    Reading of capture file from disk is not supported

    可以在FXOS local-mgmt命令外殼中透過show portchannel summary 命令驗證埠通道成員介面:

    A port channel interface can be verified through the FXOS local-mgmt command shell via how portchannel submary command channel interface:

    > connect fxos 

    firewall# connect local-mgmt
    firewall(local-mgmt)# show portchannel summary
    Flags:  D - Down        P - Up in port-channel (members)
    I - Individual  H - Hot-standby (LACP only)
    s - Suspended   r - Module-removed
    S - Switched    R - Routed
    U - Up (port-channel)
    M - Not in use. Min-links not met
    -------------------------------------------------------------------------------
    Group Port-       Type     Protocol  Member Ports
          Channel
    --------------------------------------------------------------------------------
    1     Po1(U)      Eth      LACP      Eth1/3(P)    Eth1/4(P)   

    LACP KeepAlive Timer:
    --------------------------------------------------------------------------------
          Channel  PeerKeepAliveTimerFast
    --------------------------------------------------------------------------------
    1     Po1(U)      False         

    Cluster LACP Status:
    --------------------------------------------------------------------------------
          Channel  ClusterSpanned  ClusterDetach  ClusterUnitID  ClusterSysID
    --------------------------------------------------------------------------------
    1     Po1(U)      False          False          0            clust  

    要訪問ASA上的FXOS,請運行connect fxos admin命令。如果是多情景,請在管理情景中運行命令。

    To interview FXOS on ASA, run the command contract fxos admin command. If there are multiple scenarios, run the command in the management scenario.

    收集捕獲檔案

    collects capture files

    按照收集安全防火牆內部交換機捕獲檔案部分中的步驟操作。 

    Collect security firewall internal switches according to to capture step operations in part of the file . & nbsp;

    捕獲檔案分析

    capture file analysis

    使用資料包捕獲檔案讀取器應用程式打開Ethernet1/1的捕獲檔案。在本示例中,分析安全防火牆3100上捕獲的資料包。選擇第一個資料包並檢查要點:

    Use the data pack to capture the file reader application to open the Ethernet1/1 capture file. In this example, analyze the package captured on the safety firewall 3100. Select the first package and check the point:

    1. 僅捕獲ICMP回應請求資料包。
    2. 原始資料包報頭沒有VLAN標籤。

    pcap_3k_s1_t1_eth1_1_1

    打開Portchannel1成員介面的捕獲檔案。選擇第一個資料包並檢查要點:

    Opens the capture file of the Portchannel1 interface. Select the first package and check the point:

    1. 僅捕獲ICMP回應請求資料包。
    2. 原始資料包報頭沒有VLAN標籤。

    pcap_3k_s1_t1_po1_eth1_4_1

    說明

    Help

    交換器擷取是在介面Ethernet1/1或Portchannel1上設定。

    Swap capture is set on interface Ethernet1/1 or Portchannel1.

    此表格總結列出作業:

    The summary of this table lists the homework:

    工作

    捕獲點

    /strang'

    內部篩選器

    Internal Selector

    方向

    捕獲的流量

    captured traffic

    在介面Ethernet1/1上配置並檢驗資料包捕獲

    Configure and verify data pack capture on interface Ethernet1/1

    Ethernet1/1

    None

    僅限入口*

    Access only*

    從主機192.0.2.100到主機198.51.100.100的ICMP回應請求

    From host 192.02.100 to host 198.51.10.100 ICMP response

    在介面Portchannel1上配置並檢驗帶有成員介面Ethernet1/3和Ethernet1/4的資料包捕獲

    Configure and test data pack capture on interface Portchannel1 with user interfaces Ethernet1/3 and Ethernet1/4

    Ethernet1/3

    Ethernet1/4

    None

    僅限入口*

    Access only*

    從主機192.0.2.100到主機198.51.100.100的ICMP回應請求

    From host 192.02.100 to host 198.51.10.100 ICMP response

    * 與3100不同,安全防火牆4200支援雙向(入口和出口)捕獲。

    * Unlike 3100, the security firewall 4200 backstops two-way (entry and exit) captures.

    使用FTD或ASA CLI配置和驗證子介面Ethernet1/1.205或Portchannel1.205上的資料包捕獲。兩個子介面都有nameif inside

    You can use the FTD or ASA CLI to configure and authenticate the data packs on the Ethernet 1/1.205 or Portchannel 1.205. Both have the nameif inside.

    拓撲、資料包流和捕獲點

    pings, data packs, catch points

    安全防火牆3100:

    Security firewall 3100:

    ch_3k_flow_s2_t1_eth1_1_205ch_3k_flow_s2_t1_po1_205

    安全防火牆4200:

    Security firewall 4200:

    ch_4200_flow_s2_t1_eth1_1_205ch_4200_flow_s2_t1_po1_205

    組態

    /strang'

    在ASA或FTD CLI上執行以下步驟,在介面Ethernet1/1或Port-channel1上配置資料包捕獲:

    Run the following steps on ASA or FTD CLI and configure the data pack on interface Ethernet1/1 or Port-channel1:

    1. 驗證nameif:
    > show nameif
    Interface                Name                     Security
    Ethernet1/1.205          inside                     0
    Ethernet1/2              outside                    0
    Management1/1            diagnostic                 0
    > show nameif
    Interface                Name                     Security
    Port-channel1.205        inside                     0
    Ethernet1/2              outside                    0
    Management1/1            diagnostic                 0
    1. 建立擷取階段作業:
    > capture capsw switch interface inside

    安全防火牆4200支援捕獲方向性:

    Security firewall 4200 supports capture directional:

    > capture capsw switch interface inside direction ?
    both To capture switch bi-directional traffic
    egress To capture switch egressing traffic
    ingress To capture switch ingressing traffic

    > capture capsw switch interface inside direction both

    3. 啟用擷取階段作業:

    3. Initiation of extraction phase:

    > no capture capsw switch stop

    驗證

    Verify/strong>

    驗證捕獲會話名稱、管理和操作狀態、介面插槽和識別符號。確保Pcapsize值(以位元組為單位)增加且捕獲的資料包數非零:

    Verify to capture session names, management and operating status, interface slots and identifiers. Ensure that the value of Pcapsize (in bytes) is increased and the number of packages captured is not zero:

    > show capture capsw detail
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       enabled
      Oper State:        up
      Oper State Reason: Active
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 1

    Physical port:
      Slot Id:           1
      Port Id:           1
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
      Pcapsize:          6360
      Filter:            capsw-1-1

    Packet Capture Filter Info
      Name:              capsw-1-1
      Protocol:          0
      Ivlan:             0
      Ovlan:             205
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0

    46 packets captured on disk using switch capture

    Reading of capture file from disk is not supported

    在這種情況下,會建立一個外部VLAN Ovlan=205的過濾器並應用於介面。

    In this case, an external VLANOvlan=205

    對於Port-channel1,在所有成員介面上配置了帶過濾器Ovlan=205的捕獲:

    For Port-channel1, captures with filter Ovlan=205 have been placed on all member interfaces:

    > show capture capsw detail 
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       enabled
      Oper State:        up
      Oper State Reason: Active
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 2

    Physical port:
      Slot Id:           1
      Port Id:           4
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-4-0.pcap
      Pcapsize:          23442
      Filter:            capsw-1-4

    Packet Capture Filter Info
      Name:              capsw-1-4
      Protocol:          0
      Ivlan:             0
      Ovlan:             205
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Physical port:
      Slot Id:           1
      Port Id:           3
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-3-0.pcap
      Pcapsize:          5600
      Filter:            capsw-1-3

    Packet Capture Filter Info
      Name:              capsw-1-3
      Protocol:          0
      Ivlan:             0
      Ovlan:             205
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0

    49 packet captured on disk using switch capture

    Reading of capture file from disk is not supported

    可以在FXOS local-mgmt命令外殼中透過show portchannel summary 命令驗證埠通道成員介面:

    A port channel interface can be verified through the FXOS local-mgmt command shell via how portchannel submary command channel interface:

    > connect fxos 

    firewall# connect local-mgmt
    firewall(local-mgmt)# show portchannel summary
    Flags:  D - Down        P - Up in port-channel (members)
    I - Individual  H - Hot-standby (LACP only)
    s - Suspended   r - Module-removed
    S - Switched    R - Routed
    U - Up (port-channel)
    M - Not in use. Min-links not met
    -------------------------------------------------------------------------------
    Group Port-       Type     Protocol  Member Ports
          Channel
    --------------------------------------------------------------------------------
    1     Po1(U)      Eth      LACP      Eth1/3(P)    Eth1/4(P)   

    LACP KeepAlive Timer:
    --------------------------------------------------------------------------------
          Channel  PeerKeepAliveTimerFast
    --------------------------------------------------------------------------------
    1     Po1(U)      False         

    Cluster LACP Status:
    --------------------------------------------------------------------------------
          Channel  ClusterSpanned  ClusterDetach  ClusterUnitID  ClusterSysID
    --------------------------------------------------------------------------------
    1     Po1(U)      False          False          0            clust  

    要訪問ASA上的FXOS,請運行connect fxos admin命令。如果是多情景,請在管理情景中運行此命令。

    To interview FXOS on ASA, run the command contract fxos admin command. If there are multiple scenarios, run this command in the management scenario.

    收集捕獲檔案

    collects capture files

    按照收集安全防火牆內部交換機捕獲檔案部分中的步驟操作。 

    Collect security firewall internal switches according to to capture step operations in part of the file . & nbsp;

    捕獲檔案分析

    capture file analysis

    使用資料包捕獲檔案讀取器應用程式打開Ethernet1/1.205的捕獲檔案。在本示例中,分析安全防火牆3100上捕獲的資料包。選擇第一個資料包並檢查要點:

    Use the data pack to capture the file reader application to open the Ethernet 1/1.205 capture file. In this example, analyze the package captured on the safety firewall 3100. Select the first package and check the point:

    1. 僅捕獲ICMP回應請求資料包。
    2. 原始資料包報頭具有VLAN標籤205

    pcap_3k_s2_t1_eth1_1_205

    打開Portchannel1成員介面的捕獲檔案。選擇第一個資料包並檢查要點:

    Opens the capture file of the Portchannel1 interface. Select the first package and check the point:

    1. 僅捕獲ICMP回應請求資料包。
    2. 原始資料包報頭具有VLAN標籤205

    pcap_3k_s2_t1_po1_eth1_4_205

    說明

    Help

    使用與外部VLAN 205匹配的過濾器在子介面Ethernet1/1.205或Portchannel1.205上配置交換機捕獲。

    A filter matching the external VLAN 205 is used to configure a switchboard capture on the submedian Ethernet 1/1.205 or Portchannel 1.205.

    此表格總結列出作業:

    The summary of this table lists the homework:

    工作

    捕獲點

    /strang'

    內部篩選器

    Internal Selector

    方向

    捕獲的流量

    captured traffic

    在子介面Ethernet1/1.205上配置並檢驗資料包捕獲

    Configure and verify data pack capture on submedial Ethernet 1/1.205

    Ethernet1/1

    外部VLAN 205

    External VLAN 205

    僅限入口*

    Access only*

    從主機192.0.2.100到主機198.51.100.100的ICMP回應請求

    From host 192.02.100 to host 198.51.10.100 ICMP response

    在子介面Portchannel1.205上配置並檢驗帶有成員介面Ethernet1/3和Ethernet1/4的資料包捕獲

    Configure and test data packs with user interfaces Ethernet1/3 and Ethernet1/4 on the submedial Portchannel 1.205

    Ethernet1/3

    Ethernet1/4

    外部VLAN 205

    External VLAN 205

    僅限入口*

    Access only*

    從主機192.0.2.100到主機198.51.100.100的ICMP回應請求

    From host 192.02.100 to host 198.51.10.100 ICMP response

    * 與3100不同,安全防火牆4200支援雙向(入口和出口)捕獲。

    * Unlike 3100, the security firewall 4200 backstops two-way (entry and exit) captures.

    安全防火牆3100有2個內部介面:

    Security firewall 3100 has two internal interfaces:

    • in_data_uplink1 -將應用程式連線到內部交換機。
    • in_mgmt_uplink1 - 為管理連線(例如到管理介面的SSH)或管理連線(也稱為sftunnel)在FMC和FTD之間提供專用資料包路徑。

    Secure Firewall 4200最多有4個內部介面:

    Secure Firewall 4200 with up to four internal interfaces:

    • in_data_uplink1in_data_uplink2(僅限4245) -這些介面將應用程式連線到內部交換機。對於4245,資料包在2個上行鏈路介面之間實現負載均衡。
    • in_mgmt_uplink1in_mgmt_uplink2 -這些介面為管理連線(例如到管理介面的SSH)或FMC與FTD之間的管理連線(也稱為sftunnel)提供專用資料包路徑。安全防火牆4200支援2個管理介面。

    任務1

    Task 1 / strong / strong / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong / / strong

    使用FTD或ASA CLI在上行鏈路介面in_data_uplink1上配置和驗證資料包捕獲。

    Configure and authenticate the data package using the FTD or ASA CLI on the upper-link interface in_data_uplink1.

    拓撲、資料包流和捕獲點

    pings, data packs, catch points

    安全防火牆3100:

    Security firewall 3100:

    ch_3k_flow_s3_t1

    安全防火牆4200:

    Security firewall 4200:

    ch_4200_flow_s3_t1

    組態

    /strang'

    在ASA或FTD CLI上執行以下步驟,在in_data_uplink1介面上配置資料包捕獲:

    The following steps were carried out on ASA or FTD CLI to configure the package on the in_data_uplink1 interface:

    1. 建立擷取階段作業:
    > capture capsw switch interface in_data_uplink1

    安全防火牆4200支援捕獲方向性:

    Security firewall 4200 supports capture directional:

    > capture capsw switch interface in_data_uplink1 direction ?
    both To capture switch bi-directional traffic
    egress To capture switch egressing traffic
    ingress To capture switch ingressing traffic

    > capture capsw switch interface in_data_uplink1 direction both

    2. 啟用捕獲會話:

    2. Enable capture sessions:

    > no capture capsw switch stop

    驗證

    Verify/strong>

    驗證捕獲會話名稱、管理和操作狀態、介面插槽和識別符號。確保Pcapsize值(以位元組為單位)增加且捕獲的資料包數非零:

    Verify to capture session names, management and operating status, interface slots and identifiers. Ensure that the value of Pcapsize (in bytes) is increased and the number of packages captured is not zero:

    >  show capture capsw detail 
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       enabled
      Oper State:        up
      Oper State Reason: Active
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 1

    Physical port:
      Slot Id:           1
      Port Id:           18
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-data-uplink1.pcap
      Pcapsize:          7704
      Filter:            capsw-1-18

    Packet Capture Filter Info
      Name:              capsw-1-18
      Protocol:          0
      Ivlan:             0
      Ovlan:             0
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0

    66 packets captured on disk using switch capture

    Reading of capture file from disk is not supported

    在這種情況下,會在具有內部ID 18的介面上建立捕獲,內部ID是Secure Firewall 3130上的in_data_uplink1介面。FXOS local-mgmt命令外殼中的show portmanager switch status命令顯示介面ID

    In this case, a catch will be established on an interface with internal ID 18, which is an in_data_uplink1 interface on Secure Fireall 3130. The command from FXOS local-mgmt commands show interface ID how portmanager switch status

    > connect fxos 

    firewall# connect local-mgmt
    firewall(local-mgmt)# show portmanager switch status
    Dev/Port         Mode        Link   Speed  Duplex  Loopback Mode  Port Manager
    ---------  ----------------  -----  -----  ------  -------------  ------------
    0/1             SGMII         Up     1G     Full    None           Link-Up      
    0/2             SGMII         Up     1G     Full    None           Link-Up      
    0/3             SGMII         Up     1G     Full    None           Link-Up      
    0/4             SGMII         Up     1G     Full    None           Link-Up      
    0/5             SGMII        Down    1G     Half    None           Mac-Link-Down
    0/6             SGMII        Down    1G     Half    None           Mac-Link-Down
    0/7             SGMII        Down    1G     Half    None           Mac-Link-Down
    0/8             SGMII        Down    1G     Half    None           Mac-Link-Down
    0/9           1000_BaseX     Down    1G     Full    None           Link-Down    
    0/10          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/11          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/12          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/13          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/14          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/15          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/16          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/17          1000_BaseX      Up     1G     Full    None           Link-Up      
    0/18             KR2          Up     50G    Full    None           Link-Up      
    0/19              KR          Up     25G    Full    None           Link-Up      
    0/20              KR          Up     25G    Full    None           Link-Up      
    0/21             KR4         Down    40G    Full    None           Link-Down    
    0/22             n/a         Down    n/a    Full    N/A            Reset        
    0/23             n/a         Down    n/a    Full    N/A            Reset        
    0/24             n/a         Down    n/a    Full    N/A            Reset        
    0/25          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/26             n/a         Down    n/a    Full    N/A            Reset        
    0/27             n/a         Down    n/a    Full    N/A            Reset        
    0/28             n/a         Down    n/a    Full    N/A            Reset        
    0/29          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/30             n/a         Down    n/a    Full    N/A            Reset        
    0/31             n/a         Down    n/a    Full    N/A            Reset        
    0/32             n/a         Down    n/a    Full    N/A            Reset        
    0/33          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/34             n/a         Down    n/a    Full    N/A            Reset        
    0/35             n/a         Down    n/a    Full    N/A            Reset        
    0/36             n/a         Down    n/a    Full    N/A            Reset         

    要訪問ASA上的FXOS,請運行connect fxos admin命令。如果是多情景,請在管理情景中運行此命令。

    To interview FXOS on ASA, run the command contract fxos admin command. If there are multiple scenarios, run this command in the management scenario.

    收集捕獲檔案

    collects capture files

    按照收集安全防火牆內部交換機捕獲檔案部分中的步驟操作。 

    Collect security firewall internal switches according to to capture step operations in part of the file . & nbsp;

    捕獲檔案分析

    capture file analysis

    使用資料包捕獲檔案讀取器應用程式打開介面in_data_uplink1的捕獲檔案。在本示例中,分析安全防火牆3100上捕獲的資料包。

    Opens the catch file for interface in_data_uplink1 using the file reader application. In this example, analyse the package captured on the safety firewall 3100.

    檢查要點-在本例中,捕獲ICMP回應請求和應答資料包。這些是從應用傳送到內部交換機的資料包。

    Check points - In this case, get an ICMP response request and answer package. These are the packages that are sent from the application to the internal switchboard.

    pcap_3k_s3_t1_data_uplink

    說明

    Help

    當在上行鏈路介面上配置交換機捕獲時,僅捕獲從應用傳送到內部交換機的資料包。不會捕獲傳送到應用程式的資料包。

    When equipped with a switchboard capture on the upper link interface, only the package sent from the application to the internal switchboard is captured. The package sent to the application is not captured.

    此表格總結列出作業:

    The summary of this table lists the homework:

    工作

    捕獲點

    /strang'

    內部篩選器

    Internal Selector

    方向

    捕獲的流量

    captured traffic

    在in_data_uplink1上行鏈路介面上配置並檢驗資料包捕獲

    Configure and verify data pack capture on the line link interface on in_data_uplink1

    in_data_uplink1

    None

    僅限入口*

    Access only*

    從主機192.0.2.100到主機198.51.100.100的ICMP回應請求

    From host 192.02.100 to host 198.51.10.100 ICMP response

    從主機198.51.100.100到主機192.0.2.100的ICMP回應應答

    ICMP response from host 198.51.10.100 to host 192.02.100

    * 與3100不同,安全防火牆4200支援雙向(入口和出口)捕獲。

    * Unlike 3100, the security firewall 4200 backstops two-way (entry and exit) captures.

    任務2

    Mission 2/strong

    使用FTD或ASA CLI在上行鏈路介面in_mgmt_uplink1上配置和驗證資料包捕獲。僅捕獲管理平面連線的資料包。

    uses the FTD or ASA CLI to configure and authenticate the data packets on the upper link interface in_mgmt_uplink1.

    拓撲、資料包流和捕獲點

    pings, data packs, catch points

    安全防火牆3100:

    Security firewall 3100:

    ch_3k_flow_s3_t2

    安全防火牆4200:

    Security firewall 4200:

    ch_4200_flow_s3_t2

    組態

    /strang'

    在ASA或FTD CLI上執行以下步驟,在in_mgmt_uplink1介面上配置資料包捕獲:

    The following steps were carried out on ASA or FTD CLI to configure the data package on the interface in_mgmt_uplink1:

    1. 建立擷取階段作業:
    > capture capsw switch interface in_mgmt_uplink1

    安全防火牆4200支援捕獲方向性:

    Security firewall 4200 supports capture directional:

    > capture capsw switch interface in_mgmt_uplink1 direction ?
    both To capture switch bi-directional traffic
    egress To capture switch egressing traffic
    ingress To capture switch ingressing traffic

    > capture capsw switch interface in_mgmt_uplink1 direction both

    2. 啟用擷取階段作業:

    2. Initiation of extraction phase:

    > no capture capsw switch stop

    驗證

    Verify/strong>

    驗證捕獲會話名稱、管理和操作狀態、介面插槽和識別符號。確保Pcapsize值(以位元組為單位)增加且捕獲的資料包數非零:

    Verify to capture session names, management and operating status, interface slots and identifiers. Ensure that the value of Pcapsize (in bytes) is increased and the number of packages captured is not zero:

    > show capture capsw detail 
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       enabled
      Oper State:        up
      Oper State Reason: Active
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 1

    Physical port:
      Slot Id:           1
      Port Id:           19
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-mgmt-uplink1.pcap
      Pcapsize:          137248
      Filter:            capsw-1-19

    Packet Capture Filter Info
      Name:              capsw-1-19
      Protocol:          0
      Ivlan:             0
      Ovlan:             0
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0

    281 packets captured on disk using switch capture

    Reading of capture file from disk is not supported

    在這種情況下,會在介面上使用內部ID 19建立捕獲,內部ID 19是安全防火牆3130上的in_mgmt_uplink1介面。FXOS local-mgmt命令外殼中的show portmanager switch status命令顯示介面ID:

    In this case, an internal ID 19 will be used to create a catch on the interface. The internal ID 19 is the interface ID on the security firewall 3130 at in_mgmt_uplink1. The FXOS local-mgmt command command command show portmanager witch status command shows the interface ID:

    > connect fxos 

    firewall# connect local-mgmt
    firewall(local-mgmt)# show portmanager switch status
    Dev/Port         Mode        Link   Speed  Duplex  Loopback Mode  Port Manager
    ---------  ----------------  -----  -----  ------  -------------  ------------
    0/1             SGMII         Up     1G     Full    None           Link-Up      
    0/2             SGMII         Up     1G     Full    None           Link-Up      
    0/3             SGMII         Up     1G     Full    None           Link-Up      
    0/4             SGMII         Up     1G     Full    None           Link-Up      
    0/5             SGMII        Down    1G     Half    None           Mac-Link-Down
    0/6             SGMII        Down    1G     Half    None           Mac-Link-Down
    0/7             SGMII        Down    1G     Half    None           Mac-Link-Down
    0/8             SGMII        Down    1G     Half    None           Mac-Link-Down
    0/9           1000_BaseX     Down    1G     Full    None           Link-Down    
    0/10          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/11          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/12          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/13          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/14          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/15          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/16          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/17          1000_BaseX      Up     1G     Full    None           Link-Up      
    0/18             KR2          Up     50G    Full    None           Link-Up      
    0/19              KR          Up     25G    Full    None           Link-Up      
    0/20              KR          Up     25G    Full    None           Link-Up      
    0/21             KR4         Down    40G    Full    None           Link-Down    
    0/22             n/a         Down    n/a    Full    N/A            Reset        
    0/23             n/a         Down    n/a    Full    N/A            Reset        
    0/24             n/a         Down    n/a    Full    N/A            Reset        
    0/25          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/26             n/a         Down    n/a    Full    N/A            Reset        
    0/27             n/a         Down    n/a    Full    N/A            Reset        
    0/28             n/a         Down    n/a    Full    N/A            Reset        
    0/29          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/30             n/a         Down    n/a    Full    N/A            Reset        
    0/31             n/a         Down    n/a    Full    N/A            Reset        
    0/32             n/a         Down    n/a    Full    N/A            Reset        
    0/33          1000_BaseX     Down    1G     Full    None           Link-Down    
    0/34             n/a         Down    n/a    Full    N/A            Reset        
    0/35             n/a         Down    n/a    Full    N/A            Reset        
    0/36             n/a         Down    n/a    Full    N/A            Reset        

    要訪問ASA上的FXOS,請運行connect fxos admin命令。如果是多情景,請在管理情景中運行此命令。

    To interview FXOS on ASA, run the command contract fxos admin command. If there are multiple scenarios, run this command in the management scenario.

    收集捕獲檔案

    collects capture files

    按照收集安全防火牆內部交換機捕獲檔案部分中的步驟操作。 

    & nbsp;

    捕獲檔案分析

    capture file analysis

    使用資料包捕獲檔案讀取器應用程式打開介面in_mgmt_uplink1的捕獲檔案。在本示例中,分析安全防火牆3100上捕獲的資料包。

    Opens the capture file using the data pack to capture file readers application for interface in_mgmt_uplink1. In this example, analyse the data packs captured on the safety firewall 3100.

    檢查要點-在這種情況下,僅顯示來自管理IP地址192.0.2.200的資料包。例如SSH、Sftunnel或ICMP回應應答資料包。這些資料包是從應用管理介面透過內部交換機傳送到網路的。

    Check points - In this case, only data packages from the IP management address 192.02.200 are shown. For example, SSH, Sftunnel, or ICMP response kits. These kits are sent through the application management interface via the internal switchboard to the Internet.

    pcap_3k_s3_t2_mgmt_上行鏈路

    pcap_3k_s3_t2_mgmt_upperlink

    說明

    Help

    在管理上行鏈路介面上配置交換機捕獲時,僅捕獲從應用管理介面傳送的入口資料包。不會捕獲發往應用程式管理介面的資料包。

    When you configure a switchboard capture on the upper line link interface, only the access package sent from the application management interface is captured. The package sent to the application management interface is not captured.

    此表格總結列出作業:

    The summary of this table lists the homework:

    工作

    捕獲點

    /strang'

    內部篩選器

    Internal Selector

    方向

    捕獲的流量

    captured traffic

    在管理上行鏈路介面上配置並檢驗資料包捕獲

    Configure and verify data pack capture on the managed line link interface

    in_mgmt_uplink1

    None

    僅限入口*

    Access only*

    (透過內部交換機從管理介面連線到網路)

    (from managing interface to network via internal switchboard)

    從FTD管理IP位址192.0.2.200到主機192.0.2.100的ICMP回應回覆

    From FTD management IP address 192.02.200 to host ICMP response 192.02.100

    從FTD管理IP位址192.0.2.200到FMC IP位址192.0.2.101的Sftunnel

    From FTD management IP address 192.02.200 to FMC IP address 192.02.101 Sftunnel

    從FTD管理IP位址192.0.2.200到主機192.0.2.100的SSH

    From FTD managing IP address 192.02.200 to host 192.02.100 SSH

    * 與3100不同,安全防火牆4200支援雙向(入口和出口)捕獲。

    * Unlike 3100, the security firewall 4200 backstops two-way (entry and exit) captures.

    內部交換機資料包捕獲過濾器的配置方式與資料平面捕獲的配置方式相同。使用ethernet-typematch選項配置過濾器。

    The internal switch box is configured to capture filters in the same way as the data level. The filters are configured using the options ethnet-type and match.

    組態

    /strang'

    在ASA或FTD CLI上執行以下步驟,使用與來自主機198.51.100.100的ARP幀或ICMP資料包匹配的過濾器配置資料包捕獲(介面Ethernet1/1):

    Execute the following steps on ASA or FTD CLI, using filter configuration kits matching ARP or ICMP data packs of 198.51.10.100 for the Autonomous Machine (Ethernet1/1):

    1. 驗證nameif:
    > show nameif 
    Interface                Name                     Security
    Ethernet1/1              inside                     0
    Ethernet1/2              outside                    0
    Management1/1            diagnostic                 0
    1. 為ARP或ICMP建立捕獲會話:
    > capture capsw switch interface inside ethernet-type arp
    > capture capsw switch interface inside match icmp 198.51.100.100 

    驗證

    Verify/strong>

    驗證捕獲會話名稱和過濾器。以十進位制表示,Ethertype值為2054,十六進位制表示為0x0806

    Validate capture session names and filters. In decimals, the Ethertype value is 2054 and the hexadecimal value is 0x0806:

    > show capture capsw detail
    Packet Capture info
    Name:              capsw
      Session:           1
      Admin State:       disabled
      Oper State:        down
      Oper State Reason: Session_Admin_Shut
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 1

    Physical port:
      Slot Id:           1
      Port Id:           1
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
      Pcapsize:          0
      Filter:            capsw-1-1

    Packet Capture Filter Info
      Name:              capsw-1-1
      Protocol:          0
      Ivlan:             0
      Ovlan:             0
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         2054

    Total Physical breakout ports involved in Packet Capture: 0

    0 packet captured on disk using switch capture

    Reading of capture file from disk is not supported

    這是對ICMP過濾器的驗證。IP協定1是ICMP:

    This is an ICMP filter. IP protocol 1 is ICMP:

    > show capture capsw detail
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       disabled
      Oper State:        down
      Oper State Reason: Session_Admin_Shut
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 1

    Physical port:
      Slot Id:           1
      Port Id:           1
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
      Pcapsize:          0
      Filter:            capsw-1-1

    Packet Capture Filter Info
      Name:              capsw-1-1
      Protocol:          1
      Ivlan:             0
      Ovlan:             0
      Src Ip:            198.51.100.100
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0

    0 packets captured on disk using switch capture

    Reading of capture file from disk is not supported

    使用ASA或FTD CLI收集內部交換機捕獲檔案。在FTD上,也可透過CLI的copy命令將擷取檔案匯出到透過資料或診斷介面可存取的目標。

    Collects files from internal exchanges using ASA or FTD CLI. On the FTD, you can also export the seized files to the target that is accessible through the data or diagnostic interface via the CLI's copy command.

    或者,您可以在專家模式下將檔案複製到/ngfw/var/common中,然後透過File Download選項從FMC中下載該檔案。

    Alternatively, you can copy the file in expert mode to /ngfw/var/common and download the file from the FMC through File Download options.

    對於埠通道介面,請確保從所有成員介面收集資料包捕獲檔案。

    For port interfaces, make sure that files are collected from all members.

    ASA

    按照以下步驟在ASA CLI上收集內部交換機捕獲檔案:

    Collect internal switchboard capture files on ASA CLI in accordance with the following steps:

    1. 停止捕獲:
    asa# capture capsw switch stop
    1. 確認擷取工作階段已停止,並記下擷取檔案名稱。
    asa# show capture capsw detail
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       disabled
      Oper State:        down
      Oper State Reason: Session_Admin_Shut
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 1

    Physical port:
      Slot Id:           1
      Port Id:           1
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
      Pcapsize:          139826
      Filter:            capsw-1-1

    Packet Capture Filter Info
      Name:              capsw-1-1
      Protocol:          0
      Ivlan:             0
      Ovlan:             0
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0

    886 packets captured on disk using switch capture

    Reading of capture file from disk is not supported
    1. 使用CLI的copy命令將檔案導出到遠端目標:

      Using CLI's copy command to direct the file to a remote target:

    asa# copy flash:/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap ?
      cluster:        Copy to cluster: file system
      disk0:          Copy to disk0: file system
      disk1:          Copy to disk1: file system
      flash:          Copy to flash: file system
      ftp:            Copy to ftp: file system
      running-config  Update (merge with) current system configuration
      scp:            Copy to scp: file system
      smb:            Copy to smb: file system
      startup-config  Copy to startup configuration
      system:         Copy to system: file system
      tftp:           Copy to tftp: file system

    asa# copy flash:/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap tftp://198.51.100.10/
    Source filename [/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap]?
    Destination filename [sess-1-capsw-ethernet-1-1-0.pcap]?
    Copy in progress...C
    139826 bytes copied in 0.532 secs

    FTD

    按照以下步驟收集FTD CLI上的內部交換器擷取檔案,並將其複製到透過資料或診斷介面可存取的伺服器:

    Collect files from the FTD CLI internal switches and copy them to servers accessible through data or diagnostic interfaces as follows:

    1. 轉到診斷CLI:
    > system support diagnostic-cli 
    Attaching to Diagnostic CLI ... Click 'Ctrl+a then d' to detach.
    Type help or '?' for a list of available commands.

    firepower> enable
    Password: <-- Enter
    firepower#
    1. 停止捕獲:
    firepower# capture capi switch stop
    1. 確認擷取作業階段已停止,並記下擷取檔案名稱:
    firepower# show capture capsw detail
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       disabled
      Oper State:        down
      Oper State Reason: Session_Admin_Shut
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 1
    Physical port:
      Slot Id:           1
      Port Id:           1
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
      Pcapsize:          139826
      Filter:            capsw-1-1

    Packet Capture Filter Info
      Name:              capsw-1-1
      Protocol:          0
      Ivlan:             0
      Ovlan:             0
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0

    886 packets captured on disk using switch capture

    Reading of capture file from disk is not supported
    1. 使用CLI的copy命令將檔案導出到遠端目標。
    firepower# copy flash:/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap ?
      cluster:        Copy to cluster: file system
      disk0:          Copy to disk0: file system
      disk1:          Copy to disk1: file system
      flash:          Copy to flash: file system
      ftp:            Copy to ftp: file system
      running-config  Update (merge with) current system configuration
      scp:            Copy to scp: file system
      smb:            Copy to smb: file system
      startup-config  Copy to startup configuration
      system:         Copy to system: file system
      tftp:           Copy to tftp: file system

    firepower# copy flash:/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap tftp://198.51.100.10/
    Source filename [/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap]?
    Destination filename [sess-1-capsw-ethernet-1-1-0.pcap]?
    Copy in progress...C
    139826 bytes copied in 0.532 secs

    按照上的以下步驟透過檔案下載選項從FMC收集捕獲檔案:

    Download files at the following step:

    1. 停止捕獲:
    > capture capsw switch stop
    1. 確認擷取作業階段已停止,並記下檔案名稱和擷取檔案的完整路徑:
    > show capture capsw detail
    Packet Capture info
      Name:              capsw
      Session:           1
      Admin State:       disabled
      Oper State:        down
      Oper State Reason: Session_Admin_Shut
      Config Success:    yes
      Config Fail Reason:
      Append Flag:       overwrite
      Session Mem Usage: 256
      Session Pcap Snap Len: 1518
      Error Code:        0
      Drop Count:        0

    Total Physical ports involved in Packet Capture: 1

    Physical port:
      Slot Id:           1
      Port Id:           1
      Pcapfile:          /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap
      Pcapsize:          139826
    Filter:            capsw-1-1

    Packet Capture Filter Info
      Name:              capsw-1-1
      Protocol:          0
      Ivlan:             0
      Ovlan:             0
      Src Ip:            0.0.0.0
      Dest Ip:           0.0.0.0
      Src Ipv6:          ::
      Dest Ipv6:         ::
      Src MAC:           00:00:00:00:00:00
      Dest MAC:          00:00:00:00:00:00
      Src Port:          0
      Dest Port:         0
      Ethertype:         0

    Total Physical breakout ports involved in Packet Capture: 0
    886 packets captured on disk using switch capture
    Reading of capture file from disk is not supported
    1. 轉到專家模式並切換到根模式:
    > expert
    admin@firepower:~$ sudo su
    root@firepower:/home/admin
    1. 將捕獲檔案複製到/ngfw/var/common/:
    root@KSEC-FPR3100-1:/home/admin cp /mnt/disk0/packet-capture/sess-1-capsw-ethernet-1-1-0.pcap /ngfw/var/common/
    root@KSEC-FPR3100-1:/home/admin ls -l /ngfw/var/common/sess*
    -rwxr-xr-x 1 root admin 139826 Aug  7 20:14 /ngfw/var/common/sess-1-capsw-ethernet-1-1-0.pcap
    -rwxr-xr-x 1 root admin     24 Aug  6 21:58 /ngfw/var/common/sess-1-capsw-ethernet-1-3-0.pcap
    1. 在FMC上,選擇Devices > File Download

    fmc_file_download_1

    1. 選擇FTD、提供擷取檔案名稱,然後按一下Download

    fmc_file_download_2

    準則和限制:

    • 支援多個交換機捕獲配置會話,但一次只能啟用一個交換機捕獲會話。嘗試啟用2個或多個擷取工作階段會導致錯誤「ERROR: Failed to enable session, as limit of 1 active packet capture sessions reached」。
    • 無法刪除活動的交換機捕獲。
    • 無法在應用程式上讀取交換器擷取。使用者必須匯出檔案。
    • 某些資料層面捕獲選項(如轉儲、解碼、資料包編號、跟蹤和其他選項)不支援交換機捕獲。
    • 在多情景ASA中,交換機在資料介面上的捕獲是在使用者情景中配置的。僅在管理情景中支援交換機在in_data_uplink1和in_mgmt_uplink1介面上捕獲。

    這是基於TAC案例中資料包捕獲使用情況的最佳實踐清單:

    This is the best list of applications based on data pack capture in the TAC case:

    • 瞭解指南和限制。
    • 使用擷取篩選條件.
    • 考慮配置捕獲過濾器時NAT對資料包IP地址的影響。
    • 增大或減小指定幀大小的packet-length,以備與預設值1518位元組不同時使用。較短的大小導致捕獲的資料包數量增加,反之亦然。
    • 根據需要調整緩衝區大小。
    • 請注意show cap <cap_name> detail 命令輸出中的Drop Count。一旦達到緩衝區大小限制,丟棄計數計數器就會增加。
    美化布局示例

    欧易(OKX)最新版本

    【遇到注册下载问题请加文章最下面的客服微信】永久享受返佣20%手续费!

    APP下载   全球官网 大陆官网

    币安(Binance)最新版本

    币安交易所app【遇到注册下载问题请加文章最下面的客服微信】永久享受返佣20%手续费!

    APP下载   官网地址

    火币HTX最新版本

    火币老牌交易所【遇到注册下载问题请加文章最下面的客服微信】永久享受返佣20%手续费!

    APP下载   官网地址
    文字格式和图片示例

    注册有任何问题请添加 微信:MVIP619 拉你进入群

    弹窗与图片大小一致 文章转载注明

    分享:

    扫一扫在手机阅读、分享本文

    发表评论
    平台列表
    美化布局示例

    欧易(OKX)

      全球官网 大陆官网

    币安(Binance)

      官网

    火币(HTX)

      官网

    Gate.io

      官网

    Bitget

      官网

    deepcoin

      官网
    热门文章
    • 区块链社区有哪些?区块链社区是什么?

      区块链社区有哪些?区块链社区是什么?
      展开全文...
    • 0.00006694个比特币等于多少人民币/美金

      0.00006694个比特币等于多少人民币/美金
      0.00006694比特币等于多少人民币?根据比特币对人民币的最新汇率,0.00006694比特币等于4.53424784美元/32.5436 16人民币。比特币(BTC)美元(USDT)人民币(CNY)0.000066944.53424784【比特币密码】32.82795436 16比特币对人民币的最新汇率为:490408.64 CNY(1比特币=490408.64人民币)(1美元=7.24人民币)(0.00006694USDT=0.0004846456 CNY)汇率更新时...
    • 0.00003374个比特币等于多少人民币/美金

      0.00003374个比特币等于多少人民币/美金
      0.00003374比特币等于多少人民币?根据比特币对人民币的最新汇率,0.00003374比特币等于2.2826 1222美元/16.5261124728人民币。比特币(BTC)美元(USDT)人民币(CNY)0.00003374克洛克-0/22216.5261124728比特币对人民币的最新汇率为:489807.72 CNY(1比特币=489807.72人民币)(1美元=7.24人民币)(0.00003374USDT=0.0002442776 CNY)。汇率更新于2024...
    • 0.00015693个比特币等于多少人民币/美金

      0.00015693个比特币等于多少人民币/美金
      0.000 15693比特币等于多少人民币?根据比特币对人民币的最新汇率,0.000 15693比特币等于10.6 1678529美元/76.86554996人民币。比特币(BTC)【比特币价格翻倍】美元(USDT)人民币(CNY)0.000/克洛克-0/5693【数字货币矿机】10.6 167852976.8655254996比特币对人民币的最新汇率为:489,807.72 CNY(1比特币= 489,807.72人民币)(1美元=7.24人民币)(0.00015693 U...
    • 带你进入一次元宇宙,让你亲身体会如何在元宇宙中抓住自己的机会

      带你进入一次元宇宙,让你亲身体会如何在元宇宙中抓住自己的机会
      元宇宙是个怎样的世界?鑫哥今天带你进入一次元宇宙。今天用最简单明了的语言来解释一下元宇宙,还有如何利用元宇宙实现财富自由。What kind of world is Yuan cosmos? Brother Jin took you into the Yuan cosmos today. Today, explain the Yuan cosmos in the simplest language, and how to use the Yuan cosmos for the...
    标签列表