A network traffic recording is often needed as evidence when diagnosing a network-related symptom on an SEDR appliance.
The SEDR CLI includes the standard tcpdump command as well as getpcap, a custom ATP command which uploads all files with the .pcap extension in /home/admin/ to an FTP or SCP server. Starting with SEDR 4.2, you can now download the pcap from the web interface.
In order to capture the TCP stream on an SEDR appliance, you will need to know which interface to record. Here is a table showing the different ports based on the appliance model:
Appliance model | Hardware version | Management port | Monitor1 / WAN 1 | Monitor2 / LAN 1 | Monitor3 / WAN 2 | Monitor4 / LAN 2 |
---|---|---|---|---|---|---|
8880 | R730 | eth0 | eth7 | eth6 | eth5 | eth4 |
8880 | R720 | eth0 | eth7 | eth6 | eth5 | eth4 |
8840 | R330 | eth0 | eth3 | eth2 | N/A | N/A |
8840 | R220 | eth0 | eth2 | eth3 | N/A | N/A |
VM | N/A | eth0 | eth1 | eth2 | N/A | N/A |
Once you have determined which Ethernet port you will be capturing, you will run the tcpdump command. If you want to capture all network traffic at once, use the any pseudo-interface ('-i any'). Here is an example:
tcpdump -i eth0 -w /home/admin/capture.pcap
This will begin capturing all packets traversing that Ethernet port. After you have reproduced the issue or run the test you needed, press Ctrl-C to stop the capture. If you need to run other CLI commands while the capture is running, open a second SSH session and run them there.
To copy the captures to a local SCP server in your environment, you can use the getpcap command as explained in the Endpoint Detection and Response Administration Guide and online Help.
getpcap command:
Description: Copy *.pcap files from /home/admin on an ATP appliance to a remote host running sshd. A .pcap file is the output file written by the tcpdump command, and can be used to analyze TCP/IP traffic.
Option | Description
---|---
<user> | Specify a user on the remote host. You are prompted to enter the password for that user.
<host> | Specify the host name, FQDN, or IP address of the remote host.
<path> | Specify the path on the remote host for the .pcap files.
Example: getpcap <user>@10.0.4.55:/pcaps/
The files will then be uploaded to the provided server. You can then open them in a packet capture analysis tool such as Wireshark.
SEDR 4.2 and later:
Starting with SEDR 4.2, you can now save the pcap file to the /home/admin/transfers folder. Here is an example tcpdump command:
tcpdump -i eth4 -w /home/admin/transfers/capture.pcap
Once the capture is ended, you can navigate to Settings -> Global to download the file. Scroll to the bottom and choose Download, then provide the pcap file name (capture.pcap in the above example).
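As an added example (not part of the Symantec article or the SEDR CLI), the helper below picks the capture interface from the port table above and builds the tcpdump command line for a given SEDR release, writing under /home/admin/transfers on 4.2 and later and under /home/admin for older releases. The function names, the role keywords (mgmt, wan1, lan1, wan2, lan2) and the version handling are assumptions of this example; it only prints the command and captures nothing.

```shell
#!/bin/sh
# Added example, not from the article: map model + hardware + port role to the
# interface in the table, then build the tcpdump command for an SEDR release.

# Print the interface for a model, hardware version and port role.
# Prints "N/A" for ports the model does not have.
sedr_iface() {
  model=$1; hw=$2; role=$3
  case "$model/$hw" in
    8880/R730|8880/R720) row="eth0 eth7 eth6 eth5 eth4" ;;
    8840/R330)           row="eth0 eth3 eth2 N/A N/A" ;;
    8840/R220)           row="eth0 eth2 eth3 N/A N/A" ;;
    VM/N/A)              row="eth0 eth1 eth2 N/A N/A" ;;
    *) echo "unknown appliance $model/$hw" >&2; return 1 ;;
  esac
  set -- $row   # $1=mgmt $2=wan1 $3=lan1 $4=wan2 $5=lan2
  case "$role" in
    mgmt) echo "$1" ;; wan1) echo "$2" ;; lan1) echo "$3" ;;
    wan2) echo "$4" ;; lan2) echo "$5" ;;
    *) echo "unknown role $role" >&2; return 1 ;;
  esac
}

# Build the tcpdump command. SEDR 4.2+ can download files placed under
# /home/admin/transfers from Settings -> Global; earlier releases keep the
# file in /home/admin for getpcap.
sedr_capture_cmd() {
  model=$1; hw=$2; role=$3; version=$4; name=${5:-capture.pcap}
  iface=$(sedr_iface "$model" "$hw" "$role") || return 1
  if [ "$iface" = "N/A" ]; then
    echo "$model/$hw has no $role port" >&2; return 1
  fi
  major=${version%%.*}
  case "$version" in
    *.*) minor=${version#*.}; minor=${minor%%.*} ;;
    *)   minor=0 ;;
  esac
  if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 2 ]; }; then
    dir=/home/admin/transfers
  else
    dir=/home/admin
  fi
  echo "tcpdump -i $iface -w $dir/$name"
}

# Usage: LAN 1 on an 8840/R220 running SEDR 4.2
sedr_capture_cmd 8840 R220 lan1 4.2
```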