Sunday, October 2, 2016

EDITCAP - wireshark bundled CLI tool

Useful tool to chunk a large, unwieldy packet capture file into pieces the GUI can open comfortably. Comes bundled with Wireshark. -c is the number of packets per output file; editcap writes a numbered series (split_00000_<timestamp>.pcapng, split_00001_<timestamp>.pcapng, ...) rather than the single file name given on the command line.

"c:/program files (x86)/wireshark/editcap.exe" -c 20000 dropped_packets_capture.pcapng split.pcapng

TSHARK - wireshark bundled CLI tool

Useful command line tool bundled with Wireshark. Less resource intensive than the Wireshark GUI, with many options for quick custom captures.

List local computer interfaces (capital D; lower-case -d is "decode as"). The interface numbers used below come from this list and differ per machine  tshark -D

Quick capture directed to screen  tshark -i 8

Quick capture direct to a file  tshark -i 8 -w c:\users\richard\allpkts.pcapng

Monitor ping Service Response Times (ICMP request/reply latency statistics; -q suppresses the per-packet output so only the statistics are shown)  tshark -i 8 -qz icmp,srt

Filter a packet capture file for a particular IP address and create a smaller packet capture file. -Y takes a display filter; ip.addr matches the address as either source or destination
 "c:/program files (x86)/wireshark/tshark.exe" -r dropped_packets_capture.pcapng -Y "ip.addr==<address>" -w filtered.pcapng

Full tshark command reference: the tshark man page (tshark -h prints a summary of the options).
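What the two commands above do to the file, as an added example that is not part of the original post and not Wireshark code: a pure-Python splitter (the editcap -c step) and source-or-destination IP filter (the tshark -Y "ip.addr==..." -w step) over the classic pcap container. The capture it runs on is constructed inline with placeholder MACs and zero IP checksums; it is not a real trace. Only little-endian classic pcap with Ethernet II / IPv4 frames is handled, which is an assumption to note because current Wireshark writes pcapng by default.

```python
"""Minimal classic-pcap splitter and IP filter (added example, not from the original post).

  editcap -c N in.pcap out.pcap                 -> split_pcap()
  tshark -r in.pcap -Y "ip.addr==A" -w out.pcap -> filter_by_ip()

Assumptions: little-endian classic pcap (magic 0xa1b2c3d4), LINKTYPE_ETHERNET,
Ethernet II framing. pcapng (magic 0x0a0d0d0a) is a different container and is rejected.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major, ver minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

Record = Tuple[bytes, bytes]            # (16-byte record header, captured bytes)


def parse_pcap(data: bytes) -> Tuple[bytes, List[Record]]:
    """Split a pcap file into its 24-byte global header and a list of records."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("file shorter than the pcap global header")
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng or big-endian?)")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    records: List[Record] = []
    off = GLOBAL_HDR.size
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        hdr = data[off:off + RECORD_HDR.size]
        incl_len = RECORD_HDR.unpack(hdr)[2]
        off += RECORD_HDR.size
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet at offset %d" % off)
        off += incl_len
        records.append((hdr, pkt))
    return data[:GLOBAL_HDR.size], records


def write_pcap(global_hdr: bytes, records: List[Record]) -> bytes:
    return global_hdr + b"".join(h + p for h, p in records)


def split_pcap(data: bytes, packets_per_file: int) -> List[bytes]:
    """Equivalent of `editcap -c packets_per_file`: every chunk is a complete pcap file."""
    if packets_per_file < 1:
        raise ValueError("packets_per_file must be >= 1")
    global_hdr, records = parse_pcap(data)
    return [write_pcap(global_hdr, records[i:i + packets_per_file])
            for i in range(0, len(records), packets_per_file)]


def ipv4_endpoints(pkt: bytes) -> Optional[Tuple[str, str]]:
    """(src, dst) of an Ethernet II / IPv4 frame, or None for anything else."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    if pkt[14] >> 4 != 4:                              # IP version nibble
        return None
    return str(ipaddress.IPv4Address(pkt[26:30])), str(ipaddress.IPv4Address(pkt[30:34]))


def filter_by_ip(data: bytes, address: str) -> bytes:
    """Equivalent of `tshark -r in -Y "ip.addr==address" -w out`: keep frames where
    address is the source OR the destination, which is what ip.addr matches."""
    wanted = str(ipaddress.IPv4Address(address))
    global_hdr, records = parse_pcap(data)
    kept = [(h, p) for h, p in records if wanted in (ipv4_endpoints(p) or ())]
    return write_pcap(global_hdr, kept)


# --- constructed sample capture (placeholder MACs, zero checksum; not real traffic) ---

def _frame(src: str, dst: str, payload: bytes) -> bytes:
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def sample_pcap() -> bytes:
    global_hdr = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    flows = [("10.0.0.5", "10.0.0.9"), ("10.0.0.9", "10.0.0.5"),
             ("10.0.0.7", "10.0.0.9"), ("10.0.0.5", "10.0.0.8")]
    records: List[Record] = []
    for i in range(7):
        src, dst = flows[i % len(flows)]
        pkt = _frame(src, dst, b"x" * (10 + i))
        records.append((RECORD_HDR.pack(1475000000 + i, 0, len(pkt), len(pkt)), pkt))
    return write_pcap(global_hdr, records)


if __name__ == "__main__":
    cap = sample_pcap()
    print("packets per chunk:", [len(parse_pcap(c)[1]) for c in split_pcap(cap, 3)])  # [3, 3, 1]
    print("frames involving 10.0.0.5:", len(parse_pcap(filter_by_ip(cap, "10.0.0.5"))[1]))  # 5
```

Each chunk carries its own copy of the global header, which is why a split file opens on its own in Wireshark; the record timestamps and snaplen are untouched, so evidence timelines survive the split.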

Monday, August 15, 2016

Palo Alto

Palo Alto Fundamentals

PA licensing is based on yearly subscriptions:

  1. Threat Prevention: IPS, anti-virus, anti-spyware
  2. URL Filtering: web categorisation filtering
  3. Virtual Systems: multiple virtual firewall contexts on one chassis
  4. Software Support: required for vendor support (the Palo Alto equivalent of Cisco TAC) and software updates
  5. WildFire: cloud sandbox analysis of unknown files, with verdicts shared across subscribers
  6. GlobalProtect: remote access VPN that extends the same user policy to off-network users

Ground Up Configuration Steps

      1)    Enable WAN access for any management services that are not reachable from the management interface, e.g. NTP or DNS. Out of the box every such service is sourced from the management interface, so if that interface has no internet access give those services a service route via a data-plane interface.

Device -> Setup -> Services -> Service Route Configuration
      2)    Activate Licenses
Device -> Licenses (support entitlement under Device -> Support)
      3)    Configure Zones
Network -> Zones -> Add

      4)    Configure Virtual Router
Network -> Virtual Routers -> Add

      5)    Configure Interfaces
                  assign each to a Zone and a Virtual Router and add its IP address

      6)    Create a Management Profile (which services, e.g. ping, SSH, HTTPS, an interface will answer)
Network -> Network Profiles -> Interface Mgmt
      7)    Apply the Management Profile to the interface under its Advanced tab. Limit the profile on the untrust interface to ping at most, and restrict Permitted IP Addresses on any profile that allows SSH or HTTPS, so a data-plane interface does not become a second, internet-facing admin portal.


Tuesday, March 15, 2016

Changing Severity of Cisco Syslog Messages

Steps to modify the severity of syslog messages.

This can be achieved with Cisco's Embedded Syslog Manager (ESM).

Access list log messages (mnemonic IPACCESSLOGP) are written by default with severity level 6, informational.

There was a requirement to increase the severity of these messages to level 3 (error), so that a collector alerting on severity 3 and below picks them up. This was achieved with a Tcl script and Cisco's Embedded Syslog Manager. The script relies on the fixed IOS message layout %FACILITY-SEVERITY-MNEMONIC: the severity digit always sits two characters before the mnemonic, so it can be overwritten in place.


# severityincr.tcl  Increases the severity level of a syslog message.
#                   Requires two arguments, first the mnemonic and
#                   second the new severity level.
#                   E.g., STATECHANGE 3
#
# ESM provides $::orig_msg (the message), $::mnemonic, $::severity and
# $::cli_args (the "args ..." string from the logging filter command).

# Nothing to do for an empty message
if { [string length $::orig_msg] == 0} {
   return ""
}

if { [info exists ::cli_args] } {
    set args [split $::cli_args]
    # Only touch messages whose mnemonic matches the first argument
    if { [ string compare -nocase [lindex $args 0] $::mnemonic ] == 0 } {
        set ::severity [lindex $args 1]
        # Message layout is %FACILITY-SEVERITY-MNEMONIC: so the severity
        # digit is two characters before the mnemonic text
        set sev_index [ string first [lindex $args 0] $::orig_msg ]
        if {  $sev_index >= 2 } {
           incr sev_index -2
           return [string replace $::orig_msg $sev_index $sev_index [lindex $args 1]]
        }
    }
}

# Any other message passes through unchanged
return $::orig_msg

The Tcl script was copied to router flash to enable local access

copy tftp: disk0:severityincr.tcl

The logging filter was then applied to the router. "filtered" on the buffer and host lines sends those destinations the output of the filter chain rather than the raw messages

logging buffered filtered

logging host 192.168.x.x filtered

logging filter disk0:severityincr.tcl args IPACCESSLOGP 3

Log message following the change: the access list entries now arrive as %SEC-3-IPACCESSLOGP instead of %SEC-6-IPACCESSLOGP, while every other message is unchanged.
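The same transformation, as an added example that is not part of the original post and not Cisco code: a Python port of the severityincr.tcl filter run over constructed IOS syslog lines, together with the collector-side severity threshold that is the reason for raising the level. The log lines are made up for the example (not real router output); the port anchors on the parsed %FACILITY-SEVERITY-MNEMONIC: header rather than on the first occurrence of the mnemonic text, which is a small hardening over the Tcl version.

```python
"""Added example (not from the original post): Python port of the severityincr.tcl
ESM filter plus a collector-side threshold check, run over constructed syslog lines."""
import re
from typing import List, Optional, Tuple

# IOS message header: %FACILITY-SEVERITY-MNEMONIC:   (e.g. %SEC-6-IPACCESSLOGP:)
HEADER_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):")


def parse_header(msg: str) -> Optional[Tuple[str, int, str]]:
    """(facility, severity, mnemonic) or None when the line has no IOS header."""
    m = HEADER_RE.search(msg)
    return None if m is None else (m.group("fac"), int(m.group("sev")), m.group("mnem"))


def severity_incr(orig_msg: str, cli_args: str) -> str:
    """Same contract as the Tcl filter: cli_args is "MNEMONIC LEVEL". Returns the
    rewritten message, or the original when the mnemonic does not match."""
    if not orig_msg:
        return ""
    parts = cli_args.split()
    if len(parts) != 2 or parts[1] not in list("01234567"):
        raise ValueError("expected 'MNEMONIC LEVEL' with LEVEL in 0..7")
    want_mnem, new_sev = parts
    m = HEADER_RE.search(orig_msg)
    if m is None or m.group("mnem").lower() != want_mnem.lower():
        return orig_msg
    # The Tcl script computes [string first MNEMONIC msg] - 2 and replaces one character;
    # using the parsed header gives the same position without trusting a substring search.
    pos = m.start("sev")
    return orig_msg[:pos] + new_sev + orig_msg[pos + 1:]


def alert_worthy(msg: str, max_level: int = 3) -> bool:
    """Collector-side rule: alert on anything at severity <= max_level (0 is most severe)."""
    hdr = parse_header(msg)
    return hdr is not None and hdr[1] <= max_level


def apply_filter(lines: List[str], cli_args: str = "IPACCESSLOGP 3") -> List[str]:
    """Run the filter over a batch of lines, as ESM does per message."""
    return [severity_incr(line, cli_args) for line in lines]


# Constructed sample lines (not real router output); timestamps show the header
# is found anywhere in the line, and IPACCESSLOGDP shows the exact-mnemonic match.
SAMPLE_LINES = [
    "Oct  2 10:15:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.1(51234) -> 10.2.2.2(23), 1 packet",
    "Oct  2 10:15:02.456: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.1.1.1 -> 10.2.2.2 (8/0), 1 packet",
    "Oct  2 10:15:03.789: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Oct  2 10:15:04.012: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.9.9.9)",
]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, apply_filter(SAMPLE_LINES)):
        flag = "ALERT" if alert_worthy(after) else "     "
        print(flag, after if after == before else after + "   (was %s)" % parse_header(before)[1])
```

Note that only the exact mnemonic given in args changes: the ICMP variant IPACCESSLOGDP keeps level 6, which is the behaviour of the Tcl string compare as well, so a second logging filter line (or a second argument pair) is needed if both should be raised.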

Sunday, January 11, 2015

Nexus Virtual Port Channel

Enable the required vpc and lacp features and assign a vPC domain id (the same id on both peers)
feature vpc
feature lacp
vpc domain 1

Create an L3 peer-keepalive adjacency between 7K1 and 7K2, configured under vpc domain 1 on each switch. The destination is the peer's address and the source is the local one (addresses omitted here)

peer-keepalive destination source vrf default

peer-keepalive destination source vrf default

Create the L2 peer link between 7K1 and 7K2
7K1 and 7K2, identical on both {peer link}

int e2/25-26
switchport mode trunk
spanning-tree port type network
speed 10000         {peer links need to be 10 gig links!}
channel-group 20 mode active

int po20
switchport mode trunk
spanning-tree port type network
vpc peer-link

int e2/25-26
no shut

Now configure the downstream port channels to the 5Ks. The vpc number ties the two peers' port-channels together as one logical link
7K1 and 7K2, identical on both {port channel}
int e2/27
switchport mode trunk
channel-group 10 mode active

int po10
vpc 10

int e2/28
switchport mode trunk
channel-group 11 mode active

int po11
vpc 11

Now configure the upstream port channels from the 5Ks to the 7Ks. This is a normal port channel config; the 5K sees a single LACP partner.
5K1 and 5K2 {port channel}
int e2/27
switchport mode trunk
channel-group 10 mode active

int po10
switchport mode trunk

int e2/28
switchport mode trunk
channel-group 11 mode active

int po11
switchport mode trunk

Verification commands

show vpc  {check 'peer adjacency formed ok' and 'peer is alive' over the L3 keepalive link. One device will be the vPC primary and the other the secondary.}

show vpc after bringing up the keepalives between the management addresses: the configuration consistency status is 'failed' because no peer link is configured yet
show vpc again after bringing up the peer link: consistency status should now be 'success'

show cfs peers  {CFS, Cisco Fabric Services, transports the configuration sync information for vPC across the peer link}
show port-channel usage
show vpc consistency-parameters
N.B. If a Type 1 consistency check fails the secondary device suspends its vPC member ports (Type 2 mismatches are logged but do not bring the vPC down), so compare this command's output on both peers before commissioning rather than waiting for the secondary to go dark.