
Monday, March 26, 2012

Fortigate packet capture to pcap file


On the Fortinet FortiGate firewall appliance series we can use the diagnose sniffer packet command to capture traffic in a way very similar to tcpdump.

One thing that is missing is an option to save or export the captured data to a file for later investigation. Fortinet's workaround is a small utility that converts the console output of the sniffer into a pcap file.

In the following post I will explain how to capture, export and convert traffic from a Fortigate FW into a pcap file that Wireshark can process:
      1.       Log in to the FGT appliance using a terminal client (PuTTY or SecureCRT)
      
      2.       If the appliance is configured with VDOMs, enter the VDOM in which you want to capture the traffic:
FGT# config vdom
FGT(vdom)#edit <VDOM_NAME>
      
      3.       Start logging the current session (the whole sniffer output has to end up in this log file; it is the input for the converter)
3.1   In SecureCRT click File->Log Session, type a name and choose where to save the file.

3.2   In PuTTY, open Session -> Logging on the configuration screen, select "All session output" and set the log file name.

     4.       Back in the FGT CLI, run the command:
# diagnose sniffer packet <interface> <'filter'> <verbose> <count> a

For example:
# diagnose sniffer packet internal 'host 192.168.10.1' 4

Interface - any interface on the appliance, or 'any' for all interfaces

Filter - much the same as with tcpdump/wireshark (see examples); use 'none' to capture everything

Verbose - verbose levels in detail:
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

Note that converting to a pcap file requires verbose level 3 or 6: these are the only levels that print the complete frame (Ethernet header plus payload) as a hex dump, which is what the converter reassembles. Level 4, used in the example above, is fine for reading on the console but cannot be converted.

Count - the number of packets to collect before the capture stops. This is optional and the capture can always be stopped with CTRL+C

a - print absolute timestamps instead of seconds elapsed since the capture started



Examples:
# diagnose sniffer packet any 'src host 192.168.10.1 and dst host 192.168.10.254' 4
# diagnose sniffer packet any 'icmp' 1
# diagnose sniffer packet any 'host 192.168.10.1 and tcp port 80' 6

Match TTL = 1:
# diagnose sniffer packet port2 "ip[8:1] = 0x01"

Match Source IP address = 192.168.1.2:
# diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)"

Match Source MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"

Match Destination MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

Match ARP packets only
# diagnose sniffer packet internal "ether proto 0x0806"

TCP flags can be addressed using the following (tcp[13] is the flags byte of the TCP header; UDP has no flags):

Match packets with RST flag set:
# diagnose sniffer packet internal "tcp[13] & 4 != 0"

Match packets with SYN flag set:
# diagnose sniffer packet internal "tcp[13] & 2 != 0"

Match packets with SYN-ACK flags set:
# diagnose sniffer packet internal "tcp[13] = 18"
Note that "= 18" requires the flags byte to be exactly SYN+ACK: a SYN-ACK that also carries an ECN bit (ECE, 0x40) will not match. Use "tcp[13] & 18 = 18" to match any packet with both SYN and ACK set regardless of the other bits.
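When writing the byte-offset filters above it is easy to get an offset or a mask wrong, and the only feedback on the box is an empty capture. The following is an added example written for this post, not FortiOS code: it evaluates the subset of the filter syntax used in the examples, proto[offset:size] with an optional & mask and a =, == or != comparison, joined by and, against a frame built in the script, so a filter can be checked offline before it is typed on the firewall. Named primitives such as host, icmp, tcp port or ether proto are not handled. The frame (a SYN-ACK with the ECE bit set, TTL 1, from 192.168.1.2 / 00:09:0f:89:10:ea, the values the examples match on) is constructed for the demonstration, with checksums left zero.

```python
"""Evaluate FortiGate sniffer byte-offset filters against a raw Ethernet frame.

Added example, not FortiOS code. Offsets are counted as the sniffer counts them:
ether[] from the start of the Ethernet header, ip[] from the start of the IPv4
header, tcp[]/udp[] from the transport header found via the IPv4 header length.
"""
import ipaddress
import re
import struct

# one term: proto[off] or proto[off:size], optional "& mask", then =, == or != value
TERM = re.compile(
    r"^\(?\s*(ether|ip|tcp|udp)\[(\d+)(?::([124]))?\]\s*"
    r"(?:&\s*(0x[0-9a-fA-F]+|\d+)\s*)?(==|=|!=)\s*(0x[0-9a-fA-F]+|\d+)\s*\)?$")

SYN, RST, ACK, ECE = 0x02, 0x04, 0x10, 0x40   # bit values of tcp[13]


def field(frame, proto, off, size):
    """Big-endian integer of `size` bytes at `off` relative to the `proto` header."""
    base = 0
    if proto != "ether":
        base = 14                                  # untagged Ethernet II assumed (no 802.1Q)
        if proto in ("tcp", "udp"):
            base += (frame[14] & 0x0F) * 4         # IPv4 IHL is in 32-bit words
    return int.from_bytes(frame[base + off:base + off + size], "big")


def matches(frame, expr):
    """True if every 'and'-joined term of the filter holds for the frame."""
    for term in re.split(r"\s+and\s+", expr.strip()):
        m = TERM.match(term)
        if not m:
            raise ValueError("unsupported filter term: %r" % term)
        proto, off, size, mask, op, value = m.groups()
        v = field(frame, proto, int(off), int(size or 1))   # size defaults to 1 byte, as in tcpdump
        if mask:
            v &= int(mask, 0)
        rhs = int(value, 0)
        ok = (v != rhs) if op == "!=" else (v == rhs)
        if not ok:
            return False
    return True


def ethernet_ipv4_tcp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, ttl=64):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (the filters never look at them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp


# Constructed test frame (not captured traffic): SYN-ACK with ECE set, TTL 1,
# sent by 192.168.1.2 / 00:09:0f:89:10:ea to 192.168.1.1 / 00:09:0f:09:00:01.
FRAME = ethernet_ipv4_tcp("00:09:0f:89:10:ea", "00:09:0f:09:00:01",
                          "192.168.1.2", "192.168.1.1", 80, 51234, SYN | ACK | ECE, ttl=1)

# the byte-offset filters from the examples above, plus the mask form of the SYN-ACK check
FILTERS = [
    "ip[8:1] = 0x01",
    "(ether[26:4]=0xc0a80102)",
    "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)",
    "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)",
    "tcp[13] & 4 != 0",
    "tcp[13] & 2 != 0",
    "tcp[13] = 18",
    "tcp[13] & 18 = 18",
]


def evaluate_all(frame=FRAME, filters=FILTERS):
    """Map each filter expression to its result for the frame."""
    return {f: matches(frame, f) for f in filters}


if __name__ == "__main__":
    for expr, result in evaluate_all().items():
        print("%-52s %s" % (expr, "match" if result else "no match"))
```

Running it shows the source-MAC and source-IP filters matching, the destination-MAC filter not matching (the frame is sent by that MAC, not to it), and the difference between "tcp[13] = 18", which misses this SYN-ACK because ECE is also set, and "tcp[13] & 18 = 18", which catches it.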

      5.       Stop the logging session (SecureCRT or PuTTY)

      6.       Go to the Fortinet site at URL: http://kb.fortinet.com/kb/documentLink.do?externalID=11186&languageId=
and download the fgt2eth.pl (Perl script, for any OS with Perl) or fgt2eth.zip (Windows executable) utility according to your OS.

      7.       Extract the file fgt2eth.zip

      8.       Copy the text file captured by the logging session into the folder where fgt2eth.exe was extracted. The log must contain the raw sniffer output; if the terminal wrapped or truncated the long hex-dump lines, the converter will not be able to reassemble the packets.

      9.       Open a command prompt, go to that folder and run the following command:
fgt2eth.exe -in <LOG_FILE_NAME> -out <FILENAME.pcap>
(with the Perl version: perl fgt2eth.pl -in <LOG_FILE_NAME> -out <FILENAME.pcap>)

      10.   After it finishes you will have the pcap file in the utility folder, ready to open in Wireshark.
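The conversion that fgt2eth performs is small enough to do with a script of your own, which helps on a host without Perl or when the Fortinet download is not at hand. The following is an added example written for this post, not Fortinet's fgt2eth code. It assumes the layout FortiOS prints at verbose level 3 or 6: one summary line per packet starting with the timestamp (relative seconds, or "YYYY-MM-DD HH:MM:SS.ffffff" when the a option is used, which the script treats as UTC), followed by dump lines of the form "0x0010<TAB> 0800 0604 ... <TAB>ascii" with up to eight 4-digit hex groups and the ASCII column separated by a tab or a run of spaces. The embedded sample capture (an ARP request and reply) is constructed for the demonstration, not a real capture.

```python
"""Convert 'diagnose sniffer packet ... 3|6' console output into a libpcap file.

Added example, not Fortinet's fgt2eth. Output is a classic little-endian pcap
(version 2.4, LINKTYPE_ETHERNET) that Wireshark opens directly.
"""
import calendar
import re
import struct
import sys
from datetime import datetime

ABS_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6})\s")   # with the 'a' option
REL_TS = re.compile(r"^(\d+)\.(\d{6})\s")                                # seconds since capture start
OFFSET = re.compile(r"^0x[0-9a-fA-F]{4}$")
HEXGRP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")                        # "ff" or "ffff"
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def parse_timestamp(line):
    """(seconds, microseconds) for a packet summary line, None for any other line."""
    m = ABS_TS.match(line)
    if m:   # absolute timestamps are taken as UTC (assumption; adjust if the box uses local time)
        dt = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        return calendar.timegm(dt.timetuple()), dt.microsecond
    m = REL_TS.match(line)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def parse_hex_line(line):
    """(offset, bytes) for a dump line; columns are split by a tab or two or more spaces."""
    cols = re.split(r"\t|\s{2,}", line.strip())
    if len(cols) < 2 or not OFFSET.match(cols[0]):
        return None
    groups = cols[1].split()
    if not 1 <= len(groups) <= 8 or not all(HEXGRP.match(g) for g in groups):
        return None
    return int(cols[0], 16), bytes.fromhex("".join(groups))


def parse_sniffer_output(text):
    """Return a list of (sec, usec, frame_bytes) tuples from the sniffer console text."""
    packets, stamp, chunks = [], None, []
    for line in text.splitlines():
        hexline = parse_hex_line(line)
        if hexline is not None and stamp is not None:
            offset, data = hexline
            if offset != sum(len(c) for c in chunks):   # a wrapped or truncated log shows up here
                raise ValueError("hex dump offset out of sequence: %r" % line)
            chunks.append(data)
            continue
        ts = parse_timestamp(line)
        if ts is not None:                           # new summary line: emit the previous packet
            if stamp is not None and chunks:
                packets.append((stamp[0], stamp[1], b"".join(chunks)))
            stamp, chunks = ts, []
    if stamp is not None and chunks:
        packets.append((stamp[0], stamp[1], b"".join(chunks)))
    return packets


def build_pcap(packets, snaplen=65535):
    """Serialize (sec, usec, frame) tuples as a libpcap 2.4 file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, usec, frame in packets:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def convert(text):
    return build_pcap(parse_sniffer_output(text))


# Constructed sample (not a real capture): ARP request/reply as printed with verbose 6 and 'a'.
SAMPLE = (
    "interfaces=[internal]\n"
    "filters=[host 192.168.10.1]\n"
    "2012-03-26 10:15:30.123456 internal in arp who-has 192.168.10.254 tell 192.168.10.1\n"
    "0x0000\t ffff ffff ffff 0009 0f89 10ea 0806 0001\t..............\n"
    "0x0010\t 0800 0604 0001 0009 0f89 10ea c0a8 0a01\t................\n"
    "0x0020\t 0000 0000 0000 c0a8 0afe\t..........\n"
    "2012-03-26 10:15:30.124001 internal out arp reply 192.168.10.254 is-at 00:09:0f:09:00:01\n"
    "0x0000\t 0009 0f89 10ea 0009 0f09 0001 0806 0001\t................\n"
    "0x0010\t 0800 0604 0002 0009 0f09 0001 c0a8 0afe\t................\n"
    "0x0020\t 0009 0f89 10ea c0a8 0a01\t..........\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: python fgt_sniffer2pcap.py <session log> <output.pcap>
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            pcap = convert(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(pcap)
    else:
        frames = parse_sniffer_output(SAMPLE)
        print("parsed %d frames into %d bytes of pcap" % (len(frames), len(convert(SAMPLE))))
```

Run it with the session log and the output file name as arguments (the script name is arbitrary). The offset check in parse_sniffer_output is the useful diagnostic: when a terminal emulator wrapped or dropped part of a long hex-dump line, the next offset no longer matches the number of bytes collected and the script stops with the offending line instead of silently writing a corrupt frame.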





Sunday, March 25, 2012

Cisco RITE - packet capture on IOS

RITE (Router IP Traffic Export) allows you to configure your router to export IP packets received on multiple, simultaneous WAN or LAN interfaces. The unaltered IP packets are exported on a single LAN or VLAN interface, thereby easing deployment of protocol analyzers and monitoring devices.


IP traffic capture is supported only on the Cisco 1841, Cisco 2800 series, and Cisco 3800 series integrated services routers.

Steps to configure RITE for local capture:
1.       Create a capture profile:
Router(config)#ip traffic-export profile TEST mode capture
Router(conf-rite)#bidirectional
Router(conf-rite)#length [128|256|512]
Router(conf-rite)#incoming [access-list|sample]
Router(conf-rite)#outgoing [access-list|sample]
Router(conf-rite)#exit
2.       Apply the RITE profile to an interface:
Router(config)#interface fastethernet 0/1
Router(config-if)#ip traffic-export apply TEST size [1024-2147483647]

3.       Start capture:
Router# traffic-export interface fastEthernet 0/1 start

4.       After desired period stop the capture:
Router# traffic-export interface fastEthernet 0/1 stop

5.        Copy the capture file from the buffer to a TFTP/FTP server:
Router# traffic-export interface fastEthernet 0/1 copy [tftp|ftp]

Steps to configure RITE for export traffic to specific host:
1.       Create a capture profile:
Router(config)#ip traffic-export profile TEST mode export
Router(conf-rite)#bidirectional
Router(conf-rite)#length [128|256|512]
Router(conf-rite)#incoming [access-list|sample]
Router(conf-rite)#outgoing [access-list|sample]
Router(conf-rite)#mac-address h.h.h (Host MAC address)
Router(conf-rite)#interface fastethernet 0/0 (Host interface)
Router(conf-rite)#exit
2.       Apply the RITE profile to an interface:
Router(config)#interface fastethernet 0/1
Router(config-if)#ip traffic-export apply TEST

3.       Start capture:
Router# traffic-export interface fastEthernet 0/1 start

4.       After desired period stop the capture:
Router# traffic-export interface fastEthernet 0/1 stop 

Notes:
incoming and outgoing are used to filter packets based on ACLs: only packets permitted by the named access list are captured or exported, and the sample keyword selects one in every N packets instead of all of them.
In export mode every matching packet is copied, unaltered, to the host MAC address on the named interface, so that host and the segment it sits on see the traffic in the clear; treat the export interface the way you would treat a SPAN port and remove the profile when the troubleshooting is over.
 

Saturday, March 3, 2012

OSPFv3 Config


This time I will configure an OSPFv3 network, using the following network topology:


Since I realize that I might need to configure a router as a frame-relay switch in the exam, I don't use the GNS3 built-in frame-relay switch anymore.

So the following setup is very clear and simple, apart from the fact that R1 and R2 are connected through a frame-relay cloud in NBMA mode and not in PtP mode (which is much easier to configure). Also, all IPv6 addresses are derived using EUI-64.

So the FRS config:
frame-relay switching
 !
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 128000
 frame-relay interface-dlci 102
  load-interval 30
 frame-relay intf-type dce
 frame-relay route 102 interface Serial0/1 201
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 clock rate 128000
 frame-relay interface-dlci 201
  load-interval 30
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0/0 102

R1 Config:
ipv6 unicast-routing
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
 ipv6 address 2001:FE:13:13::/64 eui-64
 ipv6 ospf 1 area 13
!
interface Serial0/0
 ip address 10.1.12.1 255.255.255.0
 encapsulation frame-relay
 ipv6 address 2001:FE:12:12::/64 eui-64
 ipv6 ospf neighbor FE80::C201:1BFF:FEC8:0
 ipv6 ospf 1 area 0
 clock rate 2000000
 no arp frame-relay
 frame-relay map ipv6 FE80::C201:1BFF:FEC8:0 102 broadcast
 frame-relay interface-dlci 102
 no frame-relay inverse-arp
!
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes

R2 Config:
ipv6 unicast-routing
!   
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
 ipv6 address 2001:FE:24:24::/64 eui-64
 ipv6 ospf 1 area 24
!
interface Serial0/0
 ip address 10.1.12.2 255.255.255.0
 encapsulation frame-relay
 ipv6 address 2001:FE:12:12::/64 eui-64
 ipv6 ospf neighbor FE80::C200:1BFF:FEC8:0
 ipv6 ospf 1 area 0
 clock rate 2000000
 frame-relay map ipv6 FE80::C200:1BFF:FEC8:0 201 broadcast
 frame-relay interface-dlci 201
!
ipv6 router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes

R3 Config:
ipv6 unicast-routing
!        
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
 ipv6 address 2001:FE:13:13::/64 eui-64
 ipv6 address FC01:DB8:74:B::/64 eui-64
 ipv6 ospf 1 area 13
!
ipv6 router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes

R4 Config:
ipv6 unicast-routing
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
 ipv6 address 2001:FE:24:24::/64 eui-64
 ipv6 ospf 1 area 24
!
ipv6 router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes

Points of interest in this lab:
The frame-relay connection between R1 and R2 is NBMA, which means LSAs are flooded using unicast, hence a neighbor statement has to be configured. Unlike IPv4, in IPv6 this statement uses the neighbor's link-local address, not the global-unicast address configured on the interface; that is why the ipv6 ospf neighbor commands above point at FE80:: addresses. Static frame-relay IPv6 maps for the link-local addresses are also required, since inverse ARP will not resolve them.

OSPFv3 is configured directly on the interface, but in order to form an adjacency a 32-bit router-id is needed. It is configured under the ipv6 router ospf process; on R3 and R4 this is mandatory, because they have no IPv4 addresses from which the router could derive one automatically.