Sunday, October 2, 2016

EDITCAP - wireshark bundled CLI tool

Useful tool to chunk a large, unwieldy packet capture file into smaller files (-c sets the number of packets per output file). Comes bundled with Wireshark.

"c:/program files (x86)/wireshark/editcap.exe" -c 20000 dropped_packets_capture.pcapng split.pcapng

TSHARK - wireshark bundled CLI tool

Useful command line tool bundled with Wireshark. Less resource intensive than the GUI-based Wireshark, with many parameters for quick custom-made captures.

List local computer interfaces: tshark -D

Quick capture directed to screen: tshark -i 8

Quick capture direct to a file: tshark -i 8 -w c:\users\richard\allpkts.pcapng

Monitor ping statistics (ICMP Service Response Times): tshark -i 8 -qz icmp,srt

Filter a packet capture file for a particular IP address and create a smaller packet capture file:
"c:/program files (x86)/wireshark/tshark.exe" -r dropped_packets_capture.pcapng -Y "ip.addr==" -w filtered.pcapng

Full tshark command description here

Monday, August 15, 2016

Palo Alto

Palo Alto Fundamentals

PA licensing is based on yearly subscriptions:

  1. Threat Protection: IPS, Anti-Virus, Anti-Spyware
  2. URL Filtering: web categorisation filtering
  3. Virtual System: multiple virtual firewall contexts
  4. Software Support: required for Cisco TAC-like support
  5. Wildfire: crowdsourced security intelligence
  6. Global Protect: consistent global user policy enforcement

Ground Up Configuration Steps

  1) Enable WAN access for any management services that are not available out of the management interface (this is the default/out of box policy), e.g. NTP or DNS
     Device -> Services -> Services Features
  2) Activate licenses
     Device Management -> Licences and Support
  3) Configure zones
     Network -> Zones -> Add
  4) Configure a virtual router
     Network -> Virtual Routers -> Add
  5) Configure interfaces: assign each to a zone and a virtual router, and add an IP address
  6) Create a management profile
     Network -> Interface Management
  7) Apply the management profile to the interface under the Advanced tab


Tuesday, March 15, 2016

Changing Severity of Cisco Syslog Messages

Steps to modify the severity of syslog messages.

This can be achieved with Cisco's Embedded Syslog Manager (ESM).

Access list log messages are written by default with level 6 severity (informational).

There was a requirement to increase the severity of these messages to level 3. This was achieved with the use of a Tcl script and Cisco's Embedded Syslog Manager.


# severityincr.tcl  Increases the severity level of a syslog message.
#                   Requires two arguments, first the mnemonic and
#                   second the new severity level.
#                   E.g., STATECHANGE 3

# An empty original message has nothing to rewrite; returning "" discards it.
if { [string length $::orig_msg] == 0 } {
    return ""
}

if { [info exists ::cli_args] } {
    # ::cli_args holds the "args" string given on the logging filter command
    set args [split $::cli_args]
    # Only act on the mnemonic named in the first argument
    if { [string compare -nocase [lindex $args 0] $::mnemonic] == 0 } {
        set ::severity [lindex $args 1]
        # The severity digit sits two characters before the mnemonic, e.g. "%SEC-6-IPACCESSLOGP"
        set sev_index [string first [lindex $args 0] $::orig_msg]
        if { $sev_index >= 2 } {
            incr sev_index -2
            return [string replace $::orig_msg $sev_index $sev_index [lindex $args 1]]
        }
    }
}

return $::orig_msg

The Tcl script was copied to router flash to enable local access:

copy tftp disk0:severityincr.tcl

The logging filter was then applied to the router:

logging buffered filtered
logging host 192.168.x.x filtered
logging filter disk0:severityincr.tcl args IPACCESSLOGP 3

Log message following change!
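To check what the filter will do before loading it onto a router, the decision logic of severityincr.tcl can be mirrored offline and run over sample messages. The Python below is an added example written for this page; it is not the ESM script itself and does not run on IOS. The sample syslog lines are constructed, the parse_header helper stands in for the ::facility, ::severity and ::mnemonic variables ESM supplies to a filter, and the extra guard against a missing second argument is an assumption added here that the Tcl script does not have.

```python
import re

# Constructed sample IOS syslog messages (%FACILITY-SEVERITY-MNEMONIC: text), not from a real device.
SAMPLE_MESSAGES = [
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4444) -> 10.0.0.10(23), 1 packet",
    "%SEC-6-IPACCESSLOGDP: list 102 denied icmp 10.0.0.5 -> 10.0.0.10 (8/0), 1 packet",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
]

# Header layout that ESM exposes to a filter as ::facility, ::severity and ::mnemonic.
HEADER_RE = re.compile(r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):")


def parse_header(msg):
    """Return (facility, severity, mnemonic) or None if msg has no IOS-style header."""
    m = HEADER_RE.match(msg)
    if m is None:
        return None
    return m.group("facility"), int(m.group("severity")), m.group("mnemonic")


def increase_severity(orig_msg, mnemonic, cli_args):
    """Python mirror of the severityincr.tcl decision logic.

    orig_msg  - full message text (ESM's ::orig_msg)
    mnemonic  - the message's own mnemonic (ESM's ::mnemonic)
    cli_args  - the 'args' string from the 'logging filter' command (ESM's ::cli_args)
    Returns the possibly rewritten message; an empty return means "drop the message".
    """
    if len(orig_msg) == 0:
        return ""                       # same as the Tcl script: an empty message is discarded
    args = cli_args.split()
    if len(args) < 2:
        return orig_msg                 # guard the Tcl script lacks (assumption): malformed args leave msg untouched
    if args[0].lower() != mnemonic.lower():
        return orig_msg                 # not the mnemonic we were asked to modify
    sev_index = orig_msg.find(args[0])
    if sev_index < 2:
        return orig_msg                 # mnemonic absent, or too close to the start to hold "<digit>-"
    sev_index -= 2                      # step back over "-" to the severity digit
    return orig_msg[:sev_index] + args[1] + orig_msg[sev_index + 1:]


def apply_filter(messages, cli_args):
    """Run the filter over a list of messages the way ESM would, one message at a time."""
    out = []
    for msg in messages:
        header = parse_header(msg)
        mnemonic = header[2] if header else ""
        out.append(increase_severity(msg, mnemonic, cli_args))
    return out


def severities(messages):
    """Severity digits of the given messages, for a quick before/after comparison."""
    return [parse_header(m)[1] for m in messages if parse_header(m)]


if __name__ == "__main__":
    filtered = apply_filter(SAMPLE_MESSAGES, "IPACCESSLOGP 3")
    for before, after in zip(SAMPLE_MESSAGES, filtered):
        print(f"{before.split(':')[0]:24} -> {after.split(':')[0]}")
    print("severities before:", severities(SAMPLE_MESSAGES), "after:", severities(filtered))
```

Running it shows that only the message whose mnemonic exactly matches the first argument is rewritten (IPACCESSLOGDP is left alone even though it shares a prefix), and that the rewrite touches a single character, so the rest of the line reaching the logging host is unchanged.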