Record network traffic on the Endpoint Detection and Response (SEDR) appliance

Article ID: 178946

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

A network traffic recording is needed as evidence to diagnose a network-related symptom on the SEDR appliance.

The SEDR CLI includes the standard tcpdump command as well as getpcap, a custom ATP command that uploads all files with the .pcap extension in /home/admin/ to an FTP or SCP server. Starting with SEDR 4.2, you can also download the pcap from the web interface.

Environment

In order to capture network traffic on an SEDR appliance, you need to know which interface to record on. The following table shows the ports for each appliance model:

Appliance model  Hardware version  Management port  Monitor1 / WAN 1  Monitor2 / LAN 1  Monitor3 / WAN 2  Monitor4 / LAN 2
8880             R730              eth0             eth7              eth6              eth5              eth4
8880             R720              eth0             eth7              eth6              eth5              eth4
8840             R330              eth0             eth3              eth2              N/A               N/A
8840             R220              eth0             eth2              eth3              N/A               N/A
VM               N/A               eth0             eth1              eth2              N/A               N/A

Resolution

Once you have determined which Ethernet port to capture on, run the tcpdump command. If you want to capture all network traffic, you can use the '--interface all' argument. Here is an example:

tcpdump -i eth0 -w /home/admin/capture.pcap

This will begin capturing all packets traversing that Ethernet port. After you have reproduced the issue or run the test you needed, press Ctrl-C to stop the capture. If you need to run other CLI commands while the capture is running, open a second SSH session and run them there.

To copy the captures to an SCP server in your environment, use the getpcap command as explained in the Endpoint Detection and Response Administration Guide and online Help.

getpcap command:

Description: Copy *.pcap files from /home/admin on an ATP appliance to a remote host running sshd. A .pcap file is a text file output from the tcpdump command, and can be used to analyze TCP/IP traffic.

Option   Description
<user>   Specify a user on the remote host. You are prompted to enter the password for that user.
<host>   Specify the host name, FQDN, or IP address of the remote host.
<path>   Specify the path on the remote host for the .pcap files.

Example: getpcap <user>@10.0.4.55:/pcaps/

The files will then be uploaded to the provided server. You can then open them in a packet capture analysis tool such as Wireshark.

SEDR 4.2 and later:

Starting with SEDR 4.2, you can now save the pcap file to the /home/admin/transfers folder. Here is an example tcpdump command:

tcpdump -i eth4 -w /home/admin/transfers/capture.pcap

Once the capture has ended, navigate to Settings -> Global to download the file. Scroll to the bottom, choose Download, then provide the pcap file name (capture.pcap in the above example).
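The procedure above, as an added example that is not code from the article or from the SEDR product: a small set of shell helpers that look up the capture interface from the model table, build a tcpdump command that stops by itself instead of relying on Ctrl-C, and check that the resulting file is really a pcap before it is uploaded or downloaded. The function names and the port roles (mgmt, wan1, lan1, wan2, lan2) are this example's own convention; the /home/admin/transfers path is the SEDR 4.2+ location described above.

```shell
#!/bin/sh
# Added example (not code from the article or the SEDR product): pick the capture
# interface from the article's model table, build a tcpdump command that stops on
# its own, and sanity-check the file before getpcap or the web download. Function
# names and port roles (mgmt/wan1/lan1/wan2/lan2) are this example's convention.

# Print the interface for a model / hardware version / port role; return 1
# (print nothing) for a combination the table does not list.
sedr_iface() {
  case "$1/$2/$3" in
    */*/mgmt)          echo eth0 ;;
    8880/R7[23]0/wan1) echo eth7 ;;
    8880/R7[23]0/lan1) echo eth6 ;;
    8880/R7[23]0/wan2) echo eth5 ;;
    8880/R7[23]0/lan2) echo eth4 ;;
    8840/R330/wan1)    echo eth3 ;;
    8840/R330/lan1)    echo eth2 ;;
    8840/R220/wan1)    echo eth2 ;;
    8840/R220/lan1)    echo eth3 ;;
    VM/*/wan1)         echo eth1 ;;
    VM/*/lan1)         echo eth2 ;;
    *)                 return 1 ;;
  esac
}

# Bounded capture: -G SECS -W 1 makes tcpdump exit after SECS (on the next
# packet), -c MAXPKTS caps the packet count so a busy monitor port cannot fill
# /home/admin, -nn avoids name lookups (extra traffic from the appliance) and
# -s 0 keeps whole packets. An optional BPF filter limits what is recorded,
# which also limits how much third-party traffic ends up in the evidence file.
sedr_capture_cmd() {
  printf 'tcpdump -i %s -nn -s 0 -G %s -W 1 -c %s -w /home/admin/transfers/%s%s' \
    "$1" "$3" "$4" "$2" "${5:+ $5}"
}

# Verify the first four bytes are a pcap or pcapng magic number; a missing,
# empty or truncated file means the capture did not work and is not worth
# uploading.
sedr_pcap_ok() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  case "$magic" in
    a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
    *) return 1 ;;
  esac
}

# Typical use (8840 / R220, LAN 1 monitor port, two minutes, at most 50k packets):
# iface=$(sedr_iface 8840 R220 lan1) || exit 1
# eval "$(sedr_capture_cmd "$iface" capture.pcap 120 50000 'not port 22')"
# sedr_pcap_ok /home/admin/transfers/capture.pcap && echo "capture.pcap is valid"
```

Because the capture ends on its own, the SSH session is not tied up, and the magic-number check catches the empty file you get when tcpdump was stopped before the first packet arrived.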