EDITCAP - wireshark bundled CLI tool
Useful tool to chunk a large, unwieldy packet capture file into smaller ones. Comes bundled with Wireshark. In the example below, -c 20000 starts a new numbered output file every 20000 packets.
"c:/program files (x86)/wireshark/editcap.exe" -c 20000 dropped_packets_capture.pcapng split.pcapng
Sunday, October 2, 2016
TSHARK - wireshark bundled CLI tool
Useful command line tool bundled with Wireshark. Less resource intensive than GUI-based Wireshark, with many parameters for quick custom-made captures.
List local computer interfaces: tshark -D
Quick capture directed to screen: tshark -i 8
Quick capture directed to a file: tshark -i 8 -w c:\users\richard\allpkts.pcapng
Monitor ping statistics (Service Response Times): tshark -i 8 -qz icmp,srt
Filter a packet capture file for a particular IP address and create a smaller packet capture file:
"c:/program files (x86)/wireshark/tshark.exe" -r dropped_packets_capture.pcapng -Y "ip.addr==192.168.72.177" -w filtered.pcapng
Full tshark command description here
https://www.wireshark.org/docs/man-pages/tshark.html
Monday, August 15, 2016
Palo Alto
Palo Alto Fundamentals
PA Licensing. Based on yearly subscriptions:
- Threat Protection: IPS, Anti-Virus, Anti-Spyware
- URL Filtering: Web categorisation filtering
- Virtual System: Multiple virtual firewall contexts
- Software Support: Required for Cisco-TAC-like vendor support
- WildFire: Crowdsourced security intelligence
- GlobalProtect: Consistent global user policy enforcement
Ground Up Configuration Steps
1) Enable WAN access for any management services that are not reachable via the management interface (the management interface is the default/out-of-box path), e.g. NTP or DNS: Device -> Services -> Services Features
2) Activate licenses: Device Management -> Licences and Support
3) Configure zones
4) Configure the virtual router
5) Configure interfaces
6) Create a management profile
Tuesday, March 15, 2016
Changing Severity of Cisco Syslog Messages
Steps to modify the severity of syslog messages. This can be achieved with Cisco’s Embedded Syslog Manager (ESM).
Example:
Access list log messages are written by default with severity level 6 (informational). There was a requirement to raise the severity of these messages to level 3. This was achieved with a Tcl script and Cisco’s Embedded Syslog Manager.
TCL SCRIPT
# severityincr.tcl - Increases the severity level of a syslog message.
# Requires two arguments: first the mnemonic and second the new severity level.
# E.g., STATECHANGE 3
# ESM supplies ::orig_msg, ::mnemonic, ::severity and ::cli_args to the filter.
if { [string length $::orig_msg] == 0 } {
    return ""
}
if { [info exists ::cli_args] } {
    set args [split $::cli_args]
    if { [string compare -nocase [lindex $args 0] $::mnemonic] == 0 } {
        # Tell ESM the new severity, then patch the digit in the message text
        set ::severity [lindex $args 1]
        set sev_index [string first [lindex $args 0] $::orig_msg]
        if { $sev_index >= 2 } {
            # The severity digit sits two characters before the mnemonic ("%SEC-6-IPACCESSLOGP")
            incr sev_index -2
            return [string replace $::orig_msg $sev_index $sev_index [lindex $args 1]]
        }
    }
}
return $::orig_msg
The Tcl script was copied to router flash to enable local access:
copy tftp://10.100.100.1/severityincr.tcl disk0:
The logging filter was then applied to the router:
logging buffered filtered
logging host 192.168.x.x filtered
logging filter disk0:severityincr.tcl args IPACCESSLOGP 3
Log message following the change:
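To check what the filter does to a message before loading it on a router, here is an added Python emulation of the script's logic (not part of the original post or of Cisco's ESM); the sample syslog lines are constructed, and the parse_header helper stands in for the ::severity and ::mnemonic variables that ESM supplies to a filter.

```python
"""Offline emulation of severityincr.tcl as run by the IOS Embedded Syslog Manager."""
import re

# Constructed sample messages in IOS syslog header format (not captured from a device).
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(41000) -> 10.2.2.9(22), 1 packet",
    "%SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.20)",
    "",
]

HEADER_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")


def parse_header(msg):
    """Return (severity, mnemonic) the way ESM exposes ::severity and ::mnemonic."""
    m = HEADER_RE.search(msg)
    if not m:
        return None, None
    return int(m.group(2)), m.group(3)


def severity_filter(orig_msg, cli_args):
    """Mirror severityincr.tcl: return (rewritten message, effective severity).

    cli_args is the string after 'args' in the logging filter command, e.g. 'IPACCESSLOGP 3'.
    """
    if not orig_msg:                          # [string length $::orig_msg] == 0 -> ""
        return "", None
    severity, mnemonic = parse_header(orig_msg)
    args = cli_args.split()
    if mnemonic is not None and len(args) >= 2 and args[0].lower() == mnemonic.lower():
        severity = int(args[1])               # set ::severity: ESM now logs at this level
        # 'string first' is case-sensitive: a lowercase mnemonic in 'args' still changes
        # ::severity but leaves the digit in the message text untouched.
        sev_index = orig_msg.find(args[0])
        if sev_index >= 2:
            sev_index -= 2                    # the digit two chars before the mnemonic
            orig_msg = orig_msg[:sev_index] + args[1] + orig_msg[sev_index + 1:]
    return orig_msg, severity


def rewrite_all(logs, cli_args="IPACCESSLOGP 3"):
    """Apply the filter to every sample line, as the router would per message."""
    return [severity_filter(line, cli_args) for line in logs]


if __name__ == "__main__":
    for new_msg, sev in rewrite_all(SAMPLE_LOGS):
        print(sev, repr(new_msg))
```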