In order to capture the tcp stream on an SEDR appliance, you will need to know which interface to record. Here is a table showing the different ports based on the Appliance model and Virtual Machine (VM):
Appliance model | Hardware version | Management port | Monitor1 / WAN 1 | Monitor2 / LAN 1 | Monitor3 / WAN 2 | Monitor4 / LAN 2 |
---|---|---|---|---|---|---|
8880 | R730 | eth0 | eth7 | eth6 | eth5 | eth4 |
8880 | R720 | eth0 | eth7 | eth6 | eth5 | eth4 |
8840 | R330 | eth0 | eth3 | eth2 | N/A | N/A |
8840 | R220 | eth0 | eth2 | eth3 | N/A | N/A |
VM | N/A | eth0 | eth1 | eth2 | N/A | N/A |
Once you have determined which Ethernet port to capture on, run the tcpdump command. To capture traffic on all interfaces at once, use the '--interface all' argument instead of a single interface name.
Example:
tcpdump -i eth0 -w /home/admin/transfers/capture.pcap
or
tcpdump --interface all -w /home/admin/transfers/capture.pcap
Packet capture begins immediately after you run the command and records all packets traversing that Ethernet port. After you have reproduced the issue or run the test you needed, press Ctrl-C to stop the capture. If you need to run other CLI commands while the capture is running, open a second SSH session and run them there.
To copy the captures to an SCP server in your environment, use the getpcap command as described in the Endpoint Detection and Response Administration Guide and online Help.
getpcap command:
Description: Copy *.pcap files from /home/admin on an appliance to a remote host running sshd. A .pcap file is a text file output from the tcpdump command, and can be used to analyze tcp/ip traffic.
Option | Description |
---|---|
<user> | Specify a user on a remote host. You are prompted to enter the password for that user. |
<host> | Specify the host name, FQDN, or IP address of the remote host. |
<path> | Specify the path on the remote host for the .pcap files. |
Example: getpcap <user>@<host>:~/pcaps/
The files are then uploaded to the specified server, where you can open them in a packet capture analysis tool such as Wireshark.
SEDR 4.2 and later:
Starting with SEDR 4.2, you can now save the pcap file to the /home/admin/transfers folder. Here is an example tcpdump command:
tcpdump -i eth4 -w /home/admin/transfers/capture.pcap
or
tcpdump -i any -w /home/admin/transfers/capture.pcap
Once the capture has ended, navigate to Settings -> Global to download the file. Scroll to the bottom, choose Download, and provide the pcap file name (capture.pcap in the above example).
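The steps above (pick the interface from the model table, build the tcpdump command, then build the getpcap transfer command) as an added POSIX shell example. This is not part of the SEDR documentation or appliance software; the function names sedr_capture_iface, sedr_tcpdump_cmd and sedr_getpcap_cmd are ours, the interface names come from the table at the top of this article, and the role names (mgmt, monitor1..monitor4) are a labelling we chose for the table columns.

```shell
#!/bin/sh
# Added example, not SEDR's own code. Helper names are assumptions.

# sedr_capture_iface MODEL HWVERSION ROLE
# ROLE: mgmt | monitor1 (WAN 1) | monitor2 (LAN 1) | monitor3 (WAN 2) | monitor4 (LAN 2)
# Prints the interface from the article's table, or fails if the port does
# not exist on that model (the N/A cells).
sedr_capture_iface() {
    model=$1; hw=$2; role=$3
    case "$model/$hw" in
        8880/R730|8880/R720) row="eth0 eth7 eth6 eth5 eth4" ;;
        8840/R330)           row="eth0 eth3 eth2 N/A N/A" ;;
        8840/R220)           row="eth0 eth2 eth3 N/A N/A" ;;
        VM/*)                row="eth0 eth1 eth2 N/A N/A" ;;
        *) echo "unknown appliance $model/$hw" >&2; return 1 ;;
    esac
    case "$role" in
        mgmt)     idx=1 ;;
        monitor1) idx=2 ;;
        monitor2) idx=3 ;;
        monitor3) idx=4 ;;
        monitor4) idx=5 ;;
        *) echo "unknown role $role" >&2; return 1 ;;
    esac
    # Walk the row and pick the column for the requested role.
    i=0; iface=
    for f in $row; do
        i=$((i + 1))
        [ "$i" -eq "$idx" ] && iface=$f
    done
    if [ "$iface" = "N/A" ]; then
        echo "$role is not present on $model/$hw" >&2
        return 1
    fi
    echo "$iface"
}

# sedr_tcpdump_cmd IFACE NAME
# Prints the tcpdump command line that writes NAME.pcap to /home/admin/transfers
# (the SEDR 4.2+ location). "all" is mapped to tcpdump's "any" pseudo-interface.
sedr_tcpdump_cmd() {
    iface=$1; name=$2
    [ "$iface" = "all" ] && iface=any
    echo "tcpdump -i $iface -w /home/admin/transfers/$name.pcap"
}

# sedr_getpcap_cmd USER HOST PATH
# Prints the getpcap command line for copying the captures to an SCP server.
sedr_getpcap_cmd() {
    echo "getpcap $1@$2:$3"
}

# Usage (constructed example): 8840/R220 appliance, capture on Monitor1 (WAN 1),
# then copy to a placeholder SCP host.
iface=$(sedr_capture_iface 8840 R220 monitor1)   # eth2 for this model
sedr_tcpdump_cmd "$iface" capture
sedr_getpcap_cmd admin scp.example.invalid "~/pcaps/"
```

The functions only print the command lines, so the script can be checked on a workstation before the commands are typed into the appliance's CLI session; note that on an 8840/R220 the WAN 1 and LAN 1 ports are swapped relative to the R330, which is exactly the kind of mistake the lookup is meant to prevent.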